I have OSSEC up and running and generating alerts; however, it seems 
messages from within the Application and System Event Viewer logs are not 
being passed to the server, or at least I am not seeing the informational 
messages within the logs on the server side.

My Windows agent ossec.conf contains:

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

I have also tried this:

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
...with no success.

When the agent starts, in the ossec.log I see:

  2017/01/24 11:34:38 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
  2017/01/24 11:34:38 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
  2017/01/24 11:34:38 ossec-agent(1951): INFO: Analyzing event log: 'System'.
  2017/01/24 11:34:38 ossec-agent: INFO: Started (pid: 332).

The ultimate goal I am trying to accomplish is to send a notification 
through OSSEC when IIS is stopped or started (which is a System log entry):

  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
      <EventID Qualifiers="16384">7036</EventID>
      <Version>0</Version>
      <Level>4</Level>
      <Task>0</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8080000000000000</Keywords>
      <TimeCreated SystemTime="2017-01-24T16:59:51.628131000Z" />
      <EventRecordID>30807</EventRecordID>
      <Correlation />
      <Execution ProcessID="532" ThreadID="2148" />
      <Channel>System</Channel>
      <Computer>my.test.blahblahblah.net</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="param1">World Wide Web Publishing Service</Data>
      <Data Name="param2">stopped</Data>
      <Binary>570033005300560043002F0031000000</Binary>
    </EventData>
  </Event>
Any suggestions would be greatly appreciated.

Thanks! 
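One way to raise the alert once the System channel events reach the manager: a local rule matching Service Control Manager event 7036 for the World Wide Web Publishing Service. This is an added example, not code from the original post or from the OSSEC project. The rule ids 100100/100101 in the local range, the alert levels, the group name, and the dependency on the stock OSSEC Windows rule 18101 (informational event) are assumptions about the manager's rule set; adjust them to match yours.

```xml
<!-- Added example: fragment for /var/ossec/rules/local_rules.xml on the manager.
     Assumptions: rule ids 100100 and 100101 are unused, and the stock Windows
     rule 18101 (informational event) fires for the forwarded System-channel
     line. Change if_sid if your rule set differs. -->
<group name="local,windows,">

  <!-- Event 7036 renders as "The <service> service entered the <state> state".
       param1 is the service display name, param2 the new state, so matching
       the display name catches both the start and the stop transition. -->
  <rule id="100100" level="7">
    <if_sid>18101</if_sid>
    <id>^7036$</id>
    <match>World Wide Web Publishing Service</match>
    <description>IIS (World Wide Web Publishing Service) changed state.</description>
    <group>service_availability,</group>
  </rule>

  <!-- Child rule: only the stop transition, at a higher level, so a stop
       can trigger an e-mail alert while a start is merely logged. -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <match>stopped state</match>
    <description>IIS (World Wide Web Publishing Service) stopped.</description>
    <group>service_availability,</group>
  </rule>

</group>
```

Before tuning rules, confirm the event actually arrives: set <logall>yes</logall> under <global> in the manager's ossec.conf, restart, stop IIS on the agent, and grep /var/ossec/logs/archives/archives.log for "WinEvtLog: System". If the line is there, paste it into /var/ossec/bin/ossec-logtest on the manager to see which rules fire and whether rule 100100/100101 matches; if it is not there, the problem is collection or transport on the agent side rather than the rules.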

-- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.