Hi Grant,
How is that file overwritten? I mean, is it truncated and re-written, or is it
replaced by another?
OSSEC follows local files and never reads them again from the beginning,
there is no mechanism to detect that a previous file segment has been
changed. But OSSEC does detect that a file itsel

Any Windows users want to take a look at this?
On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J.
wrote:
> I am using the eventchannel format. Eventlog provides no useful information
> for logs other than the three basics: Application, Security and System.
>
> If confirmed, this is a significa

How can we get the OSSEC agent to read a localfile that overwrites itself?
The CIS CAT benchmarks write a .txt file which we are reading with
"syslog" as the local file
However, when the benchmark tests run, OSSEC does not appear to re-read the
log; it's as if it never gets read again.
As it t

After upgrading Windows 10 to the latest version:
- Event ID 6417 is missing the event description and the field names.
2017 Feb 24 12:18:43 WinEvtLog: Security: AUDIT_SUCCESS(6417): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: 0x38a0 C:\Windows\System32\wbem\WmiPrvSE.ex