Re: [ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-24 Thread Victor Fernandez
Hi Grant, how is that file overwritten? I mean, is it truncated and re-written or is it replaced by another? OSSEC follows local files and never reads them again from the beginning; there is no mechanism to detect that a previous file segment has been changed. But OSSEC does detect that a file

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-24 Thread dan (ddp)
Any Windows users want to take a look at this?

On Thu, Feb 23, 2017 at 11:42 PM, Jahchan, Georges J. wrote:
> I am using the eventchannel format. Eventlog provides no useful information
> for logs other than the three basics: Application, Security and System.
>
> If

[ossec-list] .txt file for log overwrites daily - ossec only reads once

2017-02-24 Thread Grant Leonard
How can we get the ossec agent to read a localfile that overwrites itself? The CIS CAT benchmarks write a .txt file which we are reading with "syslog" as the local file. However, when the benchmark tests run, ossec does not appear to re-read the log; it's as if it never gets read again. As it

Re: [ossec-list] Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC.

2017-02-24 Thread InfoSec
After upgrading Windows 10 to the latest version:
- Event ID 6417 is missing the event description and the field names.

2017 Feb 24 12:18:43 WinEvtLog: Security: AUDIT_SUCCESS(6417): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: 0x38a0 C:\Windows