[ossec-list] What is the best way to test rules on Windows Event Logs?

2012-10-22 Thread James Whittington
What is the best way to test rules on Windows Event Logs? With syslog or weblog related stuff I know I can take a line from the log and feed it to ossec-logtest. However with Windows Event Logs what format is ossec expecting? Can I just cut and paste the event as seen when double clicking on the ev

Re: [ossec-list] What is the best way to test rules on Windows Event Logs?

2012-10-22 Thread dan (ddp)
On Mon, Oct 22, 2012 at 12:17 PM, James Whittington wrote: > What is the best way to test rules on Windows Event Logs? > With syslog or weblog related stuff I know I can take a line from the log > and feed it to ossec-logtest. > However with Windows Event Logs what format is ossec expecting? > Can

Re: [ossec-list] What is the best way to test rules on Windows Event Logs?

2012-10-22 Thread Scott Klauminzer
James, If you have the logall option set, then you should see all Windows events (with event IDs) in the archive.log files. I use these as a resource to pass to ossec-logtest. The first portion is the ossec appended value info, so you need to strip that. The Windows events begin with "WinEvtLog
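The stripping step Scott describes, as an added example (not code from Scott or from the OSSEC project): it assumes archives.log lines have the layout `YYYY Mon DD HH:MM:SS (agent) ip->location message`, that ossec-logtest lives at /var/ossec/bin/ossec-logtest, and the sample lines are constructed for illustration.

```python
"""Pull Windows events out of OSSEC's archives.log for replay through ossec-logtest."""
import re
import subprocess
import sys

# Constructed sample of archives.log lines (layout assumed from OSSEC's logall
# output: "YYYY Mon DD HH:MM:SS (agent) ip->location message").
SAMPLE_ARCHIVE = """\
2012 Oct 22 12:29:01 (win-dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01.example.local: An account failed to log on.
2012 Oct 22 12:29:02 ossec-server->/var/log/auth.log Oct 22 12:29:02 ossec-server sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 50000 ssh2
2012 Oct 22 12:29:03 (win-ws07) 10.0.0.7->WinEvtLog WinEvtLog: System: INFORMATION(7036): Service Control Manager: (no user): no domain: WS07.example.local: The Windows Update service entered the running state.
"""

# Everything up to and including "->WinEvtLog " is the prefix OSSEC prepends;
# the event itself starts with the "WinEvtLog:" token the decoder keys on.
_PREFIX = re.compile(r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} .*?->WinEvtLog ")

def strip_ossec_prefix(line):
    """Return the bare Windows event for a WinEvtLog archive line, else None."""
    m = _PREFIX.match(line)
    if not m:
        return None
    return line[m.end():].rstrip("\n")

def extract_windows_events(text, event_id=None):
    """Collect Windows events, optionally only those carrying a given event ID."""
    events = []
    for line in text.splitlines():
        event = strip_ossec_prefix(line)
        if event is None:
            continue                      # syslog or other non-Windows line
        if event_id is not None and f"({event_id})" not in event:
            continue
        events.append(event)
    return events

def replay_with_logtest(events, logtest="/var/ossec/bin/ossec-logtest"):
    """Feed the events to ossec-logtest on stdin and return its combined output."""
    proc = subprocess.run([logtest], input="\n".join(events) + "\n",
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr

if __name__ == "__main__":
    # Usage: extract.py /var/ossec/logs/archives/archives.log | ossec-logtest
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    for ev in extract_windows_events(source):
        print(ev)
```

Filtering on the event ID before replay keeps the ossec-logtest session focused on the rule you are actually tuning.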

RE: [ossec-list] What is the best way to test rules on Windows Event Logs?

2012-10-22 Thread James Whittington
essage- From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Scott Klauminzer Sent: Monday, October 22, 2012 12:29 PM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] What is the best way to test rules on Windows Event Logs? James, If you have the logall opti