Hi Brian, I see you refer to AlienVault documentation. Are you using AlienVault USM or OSSIM with OSSEC? If that is the case, you should be able to grab the event ID from the raw log by modifying the plugin used to parse the OSSEC alerts output.
As well, as Ivars mentioned, it seems there is a typo in the rule. Instead of & it should be $.

Best

On Mon, Oct 27, 2014 at 4:51 AM, Brian <ke...@myschatz.net> wrote:
> Hello, I am hoping someone may be able to help.
> I want to capture Windows Event IDs 5142 5143 5144 5145. I found this
> discussion on how to add it to your ossec.conf file.
>
> https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
>
> However, the events aren't showing up in ossec. Would this be the correct
> way of configuring OSSEC to capture specific Windows Event IDs?
>
> I added the following to my ossec.conf file, above 18104 as the above
> article suggested, and then restarted ossec.
>
> <rule id="19000" level="6">
>   <if_sid>18100</if_sid>
>   <id>^5142&|^5143$|^5144$|^5145$</id>
>   <status>^AUDIT_SUCCESS|^success</status>
>   <description>Windows audit success event.</description>
> </rule>
>
> Thank you for your help.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
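For reference, here is the rule with the typo fixed, added as an example rather than taken from the thread or from OSSEC's shipped rule set. It assumes the rule lives in /var/ossec/rules/local_rules.xml and uses an ID from the 100000-119999 range OSSEC reserves for user rules; the OSSEC regex syntax used in <id> anchors each alternative with ^ and $ and separates them with |, so a stray & is simply a literal character that never matches an event ID.

```xml
<!-- Added example, not from the original thread. Assumes placement in
     /var/ossec/rules/local_rules.xml (the conventional spot for custom rules)
     and a rule ID from the user-reserved range 100000-119999. -->
<group name="windows,">
  <rule id="100100" level="6">
    <!-- child of the generic Windows event rule, same as the posted rule -->
    <if_sid>18100</if_sid>
    <!-- every alternative anchored on both ends: ^5142$ instead of ^5142& -->
    <id>^5142$|^5143$|^5144$|^5145$</id>
    <status>^AUDIT_SUCCESS|^success</status>
    <description>Windows network share audit success event (5142-5145).</description>
  </rule>
</group>
```

Before restarting the manager, feed a captured Windows event line for one of these IDs to /var/ossec/bin/ossec-logtest on the OSSEC server and confirm that the output shows rule 100100 firing under the 18100 parent; if logtest matches but live alerts still do not appear, the problem is upstream of the rule (the event never reaching the agent), not in the regex.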