I used *or* and it worked. Thanks very much!

On Tuesday, March 29, 2016 at 17:57:11 UTC+7, Jesus Linares wrote:
>
> Hi,
>
> try with *and*/*or*:
>
> <localfile>
>   <location>Security</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID=5140 and EventID=5144]</query>
> </localfile>
>
> Regards,
> Jesus Linares.
>
> On Monday, March 28, 2016 at 10:58:57 AM UTC+2, Duẩn Phạm wrote:
>>
>> Hi,
>>
>> I have installed the new version of OSSEC, v2.8.3. I have a Windows OSSEC
>> client. I would like to filter Windows event logs
>> (Applications/Security/System/Application and Services Log) based on the
>> event IDs at the OSSEC client (in order to reduce the logs forwarded to the
>> OSSEC manager).
>> Ex: EventID=5140 and EventID=5144
>> I tried this config:
>> <localfile>
>>   <location>Security</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/System[EventID=5140 && EventID=5144]</query>
>> </localfile>
>> <localfile>
>>   <location>Security</location>
>>   <log_format>eventchannel</log_format>
>>   <query>Event/System[EventID=5140 || EventID=5144]</query>
>> </localfile>
>> *THIS DOESN'T WORK*
>>
>> *Am I doing something wrong here? Please advise.*
>>
>
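A way to check each query string from this thread against the local Security log before putting it in `ossec.conf`, added here as an example that is not part of the original messages or of OSSEC. It assumes the agent hands the `<query>` text to the Windows Event Log API unchanged, so that `Get-WinEvent -FilterXPath` evaluates it the same way; note that an event carries a single EventID, so a predicate joining two different IDs with `and` cannot match any event.

```powershell
# Run in an elevated PowerShell session on the Windows agent
# (reading the Security log requires administrator rights).
# The four query strings are the ones quoted in the thread.
$queries = @(
    'Event/System[EventID=5140 && EventID=5144]',
    'Event/System[EventID=5140 || EventID=5144]',
    'Event/System[EventID=5140 and EventID=5144]',
    'Event/System[EventID=5140 or EventID=5144]'
)

$queries | ForEach-Object {
    $q = $_   # keep the query text; $_ is reused for the error inside catch
    try {
        # -ErrorAction Stop turns both "invalid query" and "no events found"
        # into terminating errors so they reach the catch block.
        $events = @(Get-WinEvent -LogName Security -FilterXPath $q `
                        -MaxEvents 50 -ErrorAction Stop)

        # Summarise which event IDs actually came back and how many of each.
        $ids = ($events | Group-Object Id |
                ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        $result = "matched $($events.Count) event(s): $ids"
    }
    catch {
        # The exception message distinguishes a rejected query from a valid
        # query that simply matched nothing in the log.
        $result = "no result: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Query = $q; Result = $result }
} | Format-List
```

A query that returns only the intended event IDs here is the one to place in the `<query>` element; share-access auditing must be enabled on the host for events 5140 and 5144 to exist in the log at all.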