Thank you for your reply. Looks like the & was a typo. I fixed that and now it looks like:

<id>^5142$|^5143$|^5144$|^5145$</id>

So, I turned on debugging on the client side, and I get the output shown below. When I run

tail -f /var/ossec/logs/alerts/alerts.log

on the server side, I don't see anything coming in. The Windows client is a Windows 2012 server.
Debug:
2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ \ 0x100080 %%1541 %%4423 - '
2014/10/27 12:46:26 ossec-agent: DEBUG: Attempting to send message to server.
2014/10/27 12:46:26 ossec-agent: DEBUG: Sending message to server: '2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FileServer.Domain.Local: S-1-5-21-3748380571-1685127485-3479259990-18013 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ Program Files (x86)\ossec-agent 0x100081 %%1541 %%4416 %%4423

On Monday, October 27, 2014 11:42:37 AM UTC-4, dan (ddpbsd) wrote:
>
> On Mon, Oct 27, 2014 at 11:36 AM, Ivars Grīnbergs <[email protected]> wrote:
> > Is the ampersand correctly used at the end of 5142? For the other IDs a
> > $ sign is used.
> >
>
> Nope, I'm not sure what they were attempting with that.
>
> > Ivars
> >
> > On Mon, Oct 27, 2014 at 1:51 PM, Brian <[email protected]> wrote:
> >>
> >> Hello, I am hoping someone may be able to help..
> >> I want to capture Windows Event IDs 5142 5143 5144 5145. I found this
> >> discussion on how to add it to your ossec.conf file.
> >>
> >> https://www.alienvault.com/forums/discussion/550/how-to-capture-windows-event-ids-not-captured-by-default-using-snare-or-ossec
> >>
> >> However, the events aren't showing up in ossec. Would this be the correct
> >> way in configuring OSSEC to capture specific Windows Event IDs?
> >>
> >> I added the following to my ossec.conf file, above 18104 as the above
> >> article suggested, and then restarted ossec..
> >>
> >> <rule id="19000" level="6">
> >>   <if_sid>18100</if_sid>
> >>   <id>^5142&|^5143$|^5144$|^5145$</id>
> >>   <status>^AUDIT_SUCCESS|^success</status>
> >>   <description>Windows audit success event.</description>
> >> </rule>
> >>
> >> Thank you for your help.
> >>
> >> --

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
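The thread turns on how the rule's <id> and <status> patterns are applied to a forwarded WinEvtLog line like the ones in the agent debug output. The script below is an added example, not code from the thread or from the OSSEC project: it decodes the header of a few constructed WinEvtLog lines (modelled on the debug output, with placeholder host, SID and share names) into status and id fields, then runs both the originally posted <id> pattern (with the stray &) and the corrected one against them. Python's re module stands in for OSSEC's own regex engine, and the field names status/id are assumed to mirror what the rule elements test; the sample lines and the sshd line used as a non-Windows control are constructed.

```python
import re

# Constructed sample lines, modelled on the WinEvtLog messages in the agent debug
# output quoted in the thread. Host, SID and share names are placeholders.
SAMPLE_LINES = [
    r"2014 Oct 27 12:46:24 WinEvtLog: Security: AUDIT_SUCCESS(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESERVER: S-1-5-21-0-0-0-1001 User01 Domain 0x9310e4 File ::1 50201 \\*\C$ \??\C:\ \ 0x100080 %%1541 %%4423 -",
    r"2014 Oct 27 12:46:25 WinEvtLog: Security: AUDIT_SUCCESS(5142): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESERVER: S-1-5-21-0-0-0-1001 User01 Domain 0x9310e4 \\*\Data$ C:\Shares\Data",
    r"2014 Oct 27 12:46:25 WinEvtLog: Security: AUDIT_FAILURE(5145): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESERVER: S-1-5-21-0-0-0-1002 User02 Domain 0x9310f0 File ::1 50202 \\*\C$ \??\C:\ \ 0x100080 %%1541 %%4423 -",
    r"2014 Oct 27 12:46:26 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: FILESERVER: An account was successfully logged on.",
    "2014 Oct 27 12:46:27 sshd[1234]: Accepted publickey for user01 from 10.0.0.5 port 50300",  # constructed non-Windows control line
]

# Header layout of a WinEvtLog line as the agent forwards it:
#   WinEvtLog: <log>: <STATUS>(<id>): <source>: ...
# The field names status and id are an assumption: they are taken to mirror the
# decoded fields that a rule's <status> and <id> elements are tested against.
WINEVT_HEADER = re.compile(
    r"WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+):"
)

# The <id> pattern as first posted (with the stray &) and as corrected, plus the
# <status> pattern, copied from the rule in the thread. Python's re stands in for
# OSSEC's own regex engine; in both, & is an ordinary literal character, so
# "^5142&" can only match a value that literally contains "5142&".
BROKEN_ID_PATTERN = r"^5142&|^5143$|^5144$|^5145$"
FIXED_ID_PATTERN = r"^5142$|^5143$|^5144$|^5145$"
STATUS_PATTERN = r"^AUDIT_SUCCESS|^success"


def decode_winevt(line):
    """Return the decoded header fields of a WinEvtLog line, or None if it is not one."""
    m = WINEVT_HEADER.search(line)
    return m.groupdict() if m else None


def rule_matches(fields, id_pattern, status_pattern=STATUS_PATTERN):
    """Apply the rule's <id> and <status> tests to one decoded event.

    Both elements must match for a single rule to fire, so an AUDIT_FAILURE
    event with a listed id is not enough.
    """
    if fields is None:
        return False
    return (re.search(id_pattern, fields["id"]) is not None
            and re.search(status_pattern, fields["status"]) is not None)


def matching_ids(lines, id_pattern):
    """Return the event IDs on which the rule would fire, in input order."""
    return [f["id"] for f in map(decode_winevt, lines) if rule_matches(f, id_pattern)]


if __name__ == "__main__":
    for label, pattern in (("broken", BROKEN_ID_PATTERN), ("fixed", FIXED_ID_PATTERN)):
        print(f"{label:6} <id> pattern fires on: {matching_ids(SAMPLE_LINES, pattern)}")
```

Run stand-alone, the script shows that the posted pattern silently drops every 5142 event while still catching 5145, which is exactly the kind of gap that only shows up when a known-good sample of each event ID is replayed against the rule; the status test also keeps AUDIT_FAILURE variants of the same IDs out of a rule described as "audit success".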
