I wasn't sure how to do this or if it's possible, but I have a large number of OSSEC agents where I want to filter out specific Windows Event IDs agent-side. If I modify the ossec.conf on the agent and replace the log_format of my System log from eventlog to eventchannel, it works; however, if I leave it as eventlog and alter the centralized agent config to include that for Windows OS, it doesn't work. I do see it get replicated to the agent under the shared folder, but it looks like eventlog is taking priority. Touching each agent is not feasible, as I just don't have that kind of control; at the least I would have to somehow repackage an OSSEC install and wrap a new config into it, then have my IT people reinstall it on hundreds of Windows systems. Although I'm testing filtering Event ID 7000 on a workstation, I have many Windows servers with the Windows packet filtering bombarding the event logs. This ends up saturating my network links from the agent to the manager, which I want to eliminate.
In ossec.conf:

    <localfile>
      <location>System</location>
      <log_format>eventlog</log_format>
    </localfile>

In the shared folder as agent.conf:

    <agent_config os="Windows">
      <localfile>
        <location>System</location>
        <log_format>eventchannel</log_format>
        <query>Event/System[EventID!=7000]</query>
      </localfile>
    </agent_config>

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
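As an added diagnostic that is not part of the original post or of OSSEC itself, the script below parses an agent's local ossec.conf and the shared agent.conf and reports any <location> that both files define with a different <log_format>, which is the overlap described above; the two sample configs are constructed to mirror the post and the function names are my own.

```python
# Added diagnostic (not OSSEC's own code): parse the agent's local ossec.conf and
# the shared agent.conf and flag a <location> that both files define with a
# different <log_format>, the overlap described in the post. Sample configs are
# constructed to mirror the post.
import xml.etree.ElementTree as ET

OSSEC_CONF = """<ossec_config>
  <localfile><location>System</location><log_format>eventlog</log_format></localfile>
</ossec_config>"""

AGENT_CONF = """<agent_config os="Windows">
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!=7000]</query>
  </localfile>
</agent_config>"""


def parse_localfiles(xml_text):
    """Return (location, log_format, query) tuples from every <localfile>."""
    # Both files may contain several top-level blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    out = []
    for lf in root.iter("localfile"):
        loc = (lf.findtext("location") or "").strip()
        fmt = (lf.findtext("log_format") or "").strip()
        query = (lf.findtext("query") or "").strip() or None
        out.append((loc, fmt, query))
    return out


def find_conflicts(local_conf, shared_conf):
    """Locations present in both files whose log_format differs."""
    local = {loc: fmt for loc, fmt, _ in parse_localfiles(local_conf)}
    conflicts = []
    for loc, fmt, query in parse_localfiles(shared_conf):
        if loc in local and local[loc] != fmt:
            conflicts.append({"location": loc, "ossec_conf": local[loc],
                              "agent_conf": fmt, "query": query})
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(OSSEC_CONF, AGENT_CONF):
        print(c)
```

Run it against the real files (read them into the two strings) before pushing a shared agent.conf, so a location that is already declared with another log_format in the agent's local config is caught up front rather than discovered on hundreds of hosts.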