Please disregard my earlier post... the second I hit send, I realized that I 
had the log_format configured for eventchannel instead of eventlog... sorry 
to waste your time.

On Thursday, September 24, 2015 at 10:47:06 AM UTC-4, DefensiveDepth wrote:
>
> Greetings Wes,
>
> Yes, Dan is correct - the "collector" is a Windows server that has the 
> OSSEC client installed on it and configured through <eventchannel> to 
> forward the logs on to the SO sensor.
>
> You don't have to use WEF for collecting the logs... You could use the 
> OSSEC client installed locally, nxlog, or something else like that. 
>
> -Josh
>
> On Thursday, September 24, 2015 at 9:37:23 AM UTC-4, Wes wrote:
>>
>>
>> Thanks for your help, Dan.
>>
>> Wes
>>
>>
>>
>>
>> On Thursday, September 24, 2015 at 9:28:04 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>>
>>> On Sep 24, 2015 9:15 AM, "Wes" <wlamb...@gmail.com> wrote:
>>> >
>>> > Please excuse me if this is not the proper place, but I was reading 
>>> Josh's paper (
>>> https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837)
>>> in regard to the use of Sysmon, Windows Event Collector Framework, and 
>>> OSSEC to forward logs from Windows workstations and servers to Security 
>>> Onion, but I wanted to be sure about a thing or two before I began such a 
>>> project.
>>> >
>>> > From the paper, I can see that the intention (for the Hybrid setup) is 
>>> that Sysmon will be running on all workstations (onsite/offsite), and all 
>>> workstations will be configured with Windows Event Forwarding to forward 
>>> logs to a log collector (OSSEC). From here the log collector will forward 
>>> information to Security Onion (sensor).
>>> >
>>> > --The log collector should be running the OSSEC agent, correct?  Or is 
>>> this to run the manager?  I guess my impression was that the agent only 
>>> collected logs locally, but what I have read gives me the impression 
>>> that the agent can be forwarded logs and forward those logs as well? 
>>> >
>>>
>>> I've only skimmed the hybrid section of the paper, and I don't know a 
>>> lot about Windows Event Forwarder, but I would assume the log collector is 
>>> a Windows system. Because of that it can only run the OSSEC agent software. 
>>> It looks like the collector collects the logs via WEF, allowing the OSSEC 
>>> agent to pull them in, and forwards them on to the OSSEC server.
>>>
>>> Josh is on the list though, and I would expect him to reply when he gets 
>>> a chance. :-)
>>>
>>> > Again please excuse my ignorance--if anyone could clarify or could 
>>> point me towards some more information, I would greatly appreciate it.
>>> >
>>> > Thanks,
>>> >
>>> > Wes
>>> >
>>> >
>>> > -- 
>>> >
>>> > --- 
>>> > You received this message because you are subscribed to the Google 
>>> Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to ossec-list+...@googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>>>
>>

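The collector setup the replies describe (WEF delivers workstation events to a Windows box, the OSSEC agent on that box reads the forwarded channel and ships it to the manager on the Security Onion sensor), written out as an added example that is not taken from the thread or from Josh's paper. It is the `<localfile>` part of the agent's ossec.conf on the collector; the manager address is assumed, and the channel names are the Windows defaults (a WEF subscription writes to ForwardedEvents unless told otherwise, and Sysmon logs to Microsoft-Windows-Sysmon/Operational). It also shows the eventlog-versus-eventchannel mix-up from the top post, with the wrong setting beside the working one.

```xml
<!-- Added example, not from the thread or the paper: ossec.conf on the
     Windows WEF collector that runs the OSSEC agent.  Assumes the default
     WEF target channel (ForwardedEvents) and the default Sysmon channel.
     Manager address is a placeholder. -->
<ossec_config>
  <client>
    <!-- OSSEC manager = the Security Onion sensor (address assumed) -->
    <server-ip>192.0.2.10</server-ip>
  </client>

  <!-- WRONG for forwarded or Sysmon events: "eventlog" is the legacy
       Windows event log API and only knows the classic logs
       (Application, Security, System), so the agent cannot open a
       modern channel configured this way and nothing is forwarded. -->
  <!--
  <localfile>
    <location>ForwardedEvents</location>
    <log_format>eventlog</log_format>
  </localfile>
  -->

  <!-- CORRECT: "eventchannel" uses the Vista-and-later event log API
       and reads any channel by its full name.  This is the channel
       that WEF fills with the workstations' Sysmon (and other) events. -->
  <localfile>
    <location>ForwardedEvents</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Sysmon running on the collector itself, if installed there -->
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- The collector's own classic logs still work with either format -->
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
```

Two checks are worth doing before suspecting the agent: on the collector, confirm the subscription is actually delivering (`wecutil es` lists subscriptions, `wecutil gr <name>` shows per-source status, and `wevtutil qe ForwardedEvents /c:1 /rd:true /f:text` should print the newest forwarded event), and after restarting the agent, look in ossec.log under the agent install directory for the lines saying each configured channel is being analyzed. The manager side does not change: it is the same OSSEC server on the sensor, and, as Dan notes, the Windows collector can only ever run the agent, never the manager.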