Hi, try with *and*/*or*:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID=5140 and EventID=5144]</query>
</localfile>

Regards,
Jesus Linares.

On Monday, March 28, 2016 at 10:58:57 AM UTC+2, Duẩn Phạm wrote:
>
> Hi,
>
> I have installed the new version of OSSEC v2.8.3. I have a Windows OSSEC
> client. I would like to filter Windows event logs
> (Applications/Security/System/Application and Services Log) based on the
> event IDs at the OSSEC client (in order to reduce the logs forwarded to the
> OSSEC manager).
> Ex: EventID=5140 and EventID=5144
> I tried this config:
> <localfile>
>   <location>Security</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID=5140 && EventID=5144]</query>
> </localfile>
> <localfile>
>   <location>Security</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID=5140 || EventID=5144]</query>
> </localfile>
> *THIS DOESN'T WORK*
>
> *Am I doing something wrong here? Please advise.*
>
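
A way to check the queries discussed above on the Windows agent before copying one into `<query>` in ossec.conf. This is an added example, not part of the original thread: it runs the four query strings from the thread through `Get-WinEvent -FilterXPath` against the local Security channel. The `-MaxEvents` limit of 200 and the output layout are choices made for this example.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session:
# reading the Security channel requires administrator rights.

# The four query strings that appear in the thread.
$candidates = @(
    'Event/System[EventID=5140 && EventID=5144]',   # question: C-style operator
    'Event/System[EventID=5140 || EventID=5144]',   # question: C-style operator
    'Event/System[EventID=5140 and EventID=5144]',  # reply: XPath "and"
    'Event/System[EventID=5140 or EventID=5144]'    # reply: XPath "or"
)

$results = foreach ($xpath in $candidates) {
    try {
        # -ErrorAction Stop turns "query rejected" and "no matching events"
        # into catchable errors instead of console noise.
        $events = @(Get-WinEvent -LogName Security -FilterXPath $xpath `
                        -MaxEvents 200 -ErrorAction Stop)

        [pscustomobject]@{
            Query  = $xpath
            Status = 'matched'
            Count  = $events.Count
            # Break the hits down per event ID, e.g. "5140 x37, 5144 x2".
            Detail = ($events | Group-Object Id |
                        ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        }
    }
    catch {
        # Keep the provider's own message: it tells an invalid query apart
        # from a valid query that simply had no hits.
        [pscustomobject]@{
            Query  = $xpath
            Status = 'error'
            Count  = 0
            Detail = $_.Exception.Message
        }
    }
}

# An event carries a single System/EventID, so "EventID=5140 and EventID=5144"
# cannot match any event; "or" is the form that selects both IDs.
$results | Format-List Query, Status, Count, Detail
```

A query that matches here still only returns events the host is actually auditing, so an empty result for the `or` form can also mean the corresponding audit policy is not enabled.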