I figured this out on my own and thought I would post a response in the 
event someone else is confused as I was.

My Application and System Log data was being sent to the OSSEC server; 
however, the server was configured as such that the events I was seeing 
within the Windows Event Viewer were not actionable (alert) events within 
the OSSEC server.  To restate that, the application and system events I was 
viewing from within the Event Viewer on Windows were being sent to the 
OSSEC server; however, they were not actionable events and as such they 
were not being logged.

What I did to better understand this was: on the OSSEC server, edit 
etc/ossec.conf and within the global section add:

<logall>yes</logall>

...thus, my global section looks like this now:

  <global>
    <logall>yes</logall>
    <email_notification>yes</email_notification>
    <email_to>myemail</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>fromemail</email_from>
  </global>

...then I could view the archives.log file within logs/archives/ and see 
what was being received but not being considered an alert.

I hope this helps someone else.

On Tuesday, January 24, 2017 at 11:49:22 AM UTC-6, MSF004 wrote:
>
> I have OSSEC up and running and generating alerts; however, it seems 
> messages from within the Application and System EventViewer logs are not 
> being passed to the server, or at least I am not seeing the informational 
> messages within the logs on the server-side.
>
> My windows-agent ossec.conf does contain:
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>   <localfile>
>     <location>Application</location>
>     <log_format>eventchannel</log_format>
>   </localfile>
>   <localfile>
>     <location>System</location>
>     <log_format>eventchannel</log_format>
>   </localfile>
>
>
> I have also tried this:
>
>   <localfile>
>     <location>Security</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>   <localfile>
>     <location>System</location>
>     <log_format>eventlog</log_format>
>   </localfile>
>
> ...with no success.
>
> When the agent starts, in the ossec.log I see:
>
> 2017/01/24 11:34:38 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
> 2017/01/24 11:34:38 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
> 2017/01/24 11:34:38 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2017/01/24 11:34:38 ossec-agent: INFO: Started (pid: 332).
>
>
> The ultimate goal I am trying to accomplish is to send a notification 
> through OSSEC when IIS is stopped or started (which is a System log entry):
>
>
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
>     <EventID Qualifiers="16384">7036</EventID>
>     <Version>0</Version>
>     <Level>4</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x8080000000000000</Keywords>
>     <TimeCreated SystemTime="2017-01-24T16:59:51.628131000Z" />
>     <EventRecordID>30807</EventRecordID>
>     <Correlation />
>     <Execution ProcessID="532" ThreadID="2148" />
>     <Channel>System</Channel>
>     <Computer>my.test.blahblahblah.net</Computer>
>     <Security />
>   </System>
>   <EventData>
>     <Data Name="param1">World Wide Web Publishing Service</Data>
>     <Data Name="param2">stopped</Data>
>     <Binary>570033005300560043002F0031000000</Binary>
>   </EventData>
> </Event>
>
> Any suggestions would be greatly appreciated.
>
> Thanks! 
>
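As an added example (not code from either poster or from the OSSEC project), a small Python script that parses constructed archives.log lines in the single-line "WinEvtLog:" text form the agent forwards Windows events in and picks out the event 7036 entries for the World Wide Web Publishing Service: the check one would run after enabling logall to confirm the IIS stop/start events reach the server before writing a rule for them. The exact field layout of the lines, the agent name and the IP are assumptions.

```python
import re

# Constructed sample lines approximating what archives.log holds once
# <logall>yes</logall> is set: every forwarded Windows event is written as
# one "WinEvtLog:" text line, whether or not any rule fired on it.
SAMPLE_ARCHIVE = """\
2017 Jan 24 11:59:51 (webtest) 10.0.0.5->WinEvtLog WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no user): no domain: my.test.blahblahblah.net: The World Wide Web Publishing Service service entered the stopped state.
2017 Jan 24 12:01:10 (webtest) 10.0.0.5->WinEvtLog WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no user): no domain: my.test.blahblahblah.net: The World Wide Web Publishing Service service entered the running state.
2017 Jan 24 12:01:12 (webtest) 10.0.0.5->WinEvtLog WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no user): no domain: my.test.blahblahblah.net: The Windows Update service entered the stopped state.
2017 Jan 24 12:02:00 (webtest) 10.0.0.5->WinEvtLog WinEvtLog: Application: INFORMATION(1000): MsiInstaller: (no user): no domain: my.test.blahblahblah.net: Product installed.
"""

# Assumed layout: channel, LEVEL(event id), provider, user, domain, host, message.
LINE_RE = re.compile(
    r"WinEvtLog: (?P<channel>\w+): (?P<level>\w+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)
# Service Control Manager 7036 message text: "The <name> service entered the <state> state."
SCM_RE = re.compile(r"The (?P<service>.+?) service entered the (?P<state>\w+) state\.")


def parse_archive_line(line):
    """Return the WinEvtLog fields of one archives.log line, or None if not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    return rec


def service_state_changes(text, service="World Wide Web Publishing Service"):
    """List (host, state) for every System/7036 line about the given service."""
    hits = []
    for line in text.splitlines():
        rec = parse_archive_line(line)
        if not rec or rec["channel"] != "System" or rec["event_id"] != 7036:
            continue
        sm = SCM_RE.match(rec["message"])
        if sm and sm.group("service") == service:
            hits.append((rec["host"], sm.group("state")))
    return hits


if __name__ == "__main__":
    for host, state in service_state_changes(SAMPLE_ARCHIVE):
        print(f"{host}: IIS W3SVC {state}")
```

If the script prints nothing for your own archives.log, the agent is not forwarding the System channel at all and the problem is on the agent side, not in the server's rules.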
