Hello Irshad

  You have configured your manager to record all events in 
archives.log. In this file, you have all the events, including the event 
you want to see on the GUI. But an event may or may not be an alert, and if 
you want to see it on the GUI it must be an alert. This is the flow:

An agent sends an event to the manager. The manager analyzes it against the 
ruleset. If the event matches any rule in the ruleset, the manager creates an 
alert and you can see it on the GUI. 

So creating a specific rule and decoder for your event is needed. You can 
follow this link 
<https://documentation.wazuh.com/current/user-manual/ruleset/custom.html> in 
order to create your own rules and decoders for your events.

Hope it helps. 

Best regards,



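As an added example, not part of the original reply, this is a custom rule of the kind the linked documentation describes, written for the OAlerts events quoted further down in this thread. It assumes the stock `windows` decoder already decodes the `WinEvtLog:` line (so only a rule is added here), that 18100 is the stock parent rule for decoded Windows events, and that ids 100100 and 100101 are unused in the custom range.

```xml
<!-- Added example (not from the original thread): entry for
     /var/ossec/etc/rules/local_rules.xml covering the Microsoft Office
     "OAlerts" channel events that currently appear only in archives.log.
     Assumptions: the stock "windows" decoder has already decoded the
     WinEvtLog line, 18100 is the stock parent rule for Windows events,
     and 100100/100101 are free ids in the custom range (100000-119999). -->
<group name="windows,office_alerts,">

  <!-- Informational Windows events otherwise stay at level 0 under the
       parent rule and never reach alerts.log. Level 3 matches the
       log_alert_level shipped in the default ossec.conf, so this event
       becomes an alert and is shown in the GUI. -->
  <rule id="100100" level="3">
    <if_sid>18100</if_sid>
    <match>OAlerts: INFORMATION</match>
    <description>Microsoft Office alert (OAlerts channel) reported by a Windows agent.</description>
  </rule>

  <!-- Narrower child rule: a single Outlook prompt of interest, at a
       higher level so it stands out from the generic Office alerts. -->
  <rule id="100101" level="5">
    <if_sid>100100</if_sid>
    <match>Junk E-mail</match>
    <description>Outlook prompted to permanently delete the Junk E-mail folder contents.</description>
  </rule>

</group>
```

Before restarting the manager, paste one of the archives.log lines into /var/ossec/bin/ossec-logtest to confirm the decoder is `windows` and that rule 100100 (or 100101) fires with the expected level.
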
On Thursday, June 15, 2017 at 9:14:42 AM UTC+2, Irshad Rahimbux wrote:
>
> The logs are being pushed to archives.log and not ossec.log
>
> On Thursday, June 15, 2017 at 11:09:01 AM UTC+4, Irshad Rahimbux wrote:
>>
>>
>> Hi,
>>
>> I have made the following changes in my configuration files:
>>
>>   <localfile>
>>     <location>OAlerts</location>
>>     <log_format>eventchannel</log_format>
>>   </localfile>
>>
>> Logs are being pushed to ossec.log on server as follows:
>> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
>> 14 11:55:22 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
>> Alerts: (no user): no domain: IT-IR.Emtel.Org: 
>> Microsoft Outlook Everything in the "Junk E-mail" folder will be 
>> permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>> 2017 Jun 15 09:23:19 (Host-172-27-5-231) 172.27.5.231->WinEvtLog 2017 Jun 
>> 14 16:59:33 WinEvtLog: OAlerts: INFORMATION(300): Microsoft Office 16 
>> Alerts: (no user): no domain: IT-IR.Emtel.Org: 
>> Microsoft Outlook Everything in the "Junk E-mail" folder will be 
>> permanently deleted.  Continue? P1: 300894 P2: 16.0.4534.1001 P3: aldbzP4:
>>
>> But these are not being logged on the GUI.
>>
>> I have read on the net that these are informational events and are not 
>> being logged. How do I enable those?
>>
>> I would be grateful if you could help and provide me the steps for doing so.
>> Thanks
>>
>> On Thursday, June 1, 2017 at 1:04:41 PM UTC+4, Jesus Linares wrote:
>>>
>>> Hi Irshad,
>>>
>>> sorry, I thought it was the same problem as Akash's.
>>>
>>> I would like to be able to retrieve logs from windows machine to my OSSIM
>>>
>>>
>>> You mean OSSEC, right?
>>>
>>> Review the ossec.log of your agent. Maybe the location is wrong or there 
>>> are no events.
>>>
>>> I hope it helps.
>>> Regards.
>>>
>>>
>>> On Thursday, June 1, 2017 at 6:51:14 AM UTC+2, Irshad Rahimbux wrote:
>>>>
>>>> Can anyone provide some help? @Jesus Linares... the link you provided 
>>>> is not helping much. It's for another issue.
>>>>
>>>> On Wednesday, May 31, 2017 at 1:07:19 PM UTC+4, Jesus Linares wrote:
>>>>>
>>>>> https://groups.google.com/forum/#!topic/ossec-list/wcIE_EcDVxo
>>>>>
>>>>> On Tuesday, May 30, 2017 at 4:34:46 PM UTC+2, Akash Munjal wrote:
>>>>>>
>>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I am also facing the same problem. I am not getting alerts for 
>>>>>> creation/deletion of files from the Windows agent 
>>>>>> to my manager (Linux). The agent shows connected and active; the only 
>>>>>> alerts I get from the agent (win) are agent start/restart/change in ossec.conf (agent).
>>>>>> To monitor D:\ drive, I have done the following changes in ossec.conf 
>>>>>> on manager:
>>>>>>
>>>>>>  <directories report_changes="yes" realtime="yes" 
>>>>>> check_all="yes">C:.,D:.</directories>
>>>>>>
>>>>>> But I don't get any alerts on my manager.
>>>>>>
>>>>>> Can you please help me out.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
