[ossec-list] Re: windows logs
Hi Ruurd,
You can't give the path of the event log. You need to provide the log_format
as event log and in the "location", the type of event log. For example, to
monitor the security events, add the following lines to the config:
<localfile>
<location>Security</location>
<log_format>eventlog</log_format>
</localfile>
However, it should be there by default. Just remember that Windows by
default does not log a lot of things. You would need to go to the administrative
panel and enable logging for policy changes, logins, logouts, etc...
Regarding syscheck, if you go to ossec.log (generally under C:\program files\ossec-agent\), you will see if anything failed. Also, if you go to the ossec server, under /var/ossec/queue/syscheck/, you should have a file for your windows systems (based on the name and IP of the agent). If the file is there and it has a list of checksums/file names, it is because syscheck is working...
Another way to check the connectivity is to look on the server at /var/ossec/queue/agent-info/ . It should have the "uname" of all your agents.
*Just a note that syscheck by default only monitors the following directories: C:\WINDOWS and C:\Program Files .
hope it helps,
--
Daniel B. Cid
dcid ( at ) ossec.net
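The two checks in the reply above (is the agent's <localfile> entry an event log channel rather than a file path, and has the server received agent-info and syscheck data for that agent) can be scripted. The following is an added example, not OSSEC's own code or anything from the thread. It assumes the server layout /var/ossec/queue/agent-info/<name>-<ip> and /var/ossec/queue/syscheck/(<name>) <ip>->syscheck; the config fragment and the sample server tree are constructed for the example.

```python
"""Lint Windows-agent <localfile> entries and check the server-side queue
files that show an agent is connected and that syscheck is reporting.
Added example; assumes the queue file naming described in the module docstring
of this block and uses constructed sample data throughout."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample config: a file path to an .evt (the mistake from the
# question) beside a correct entry (a channel name with log_format eventlog).
SAMPLE_AGENT_CONF = r"""
<localfile>
  <log_format>system</log_format>
  <location>c:\windows\system32\conf\example.evt</location>
</localfile>
<localfile>
  <location>Security</location>
  <log_format>eventlog</log_format>
</localfile>
"""


def lint_localfiles(conf_fragment):
    """Return one (location, log_format, problem) tuple per <localfile>;
    problem is None when the entry can be read as a Windows event log."""
    root = ET.fromstring("<ossec_config>" + conf_fragment + "</ossec_config>")
    findings = []
    for entry in root.iter("localfile"):
        location = (entry.findtext("location") or "").strip()
        log_format = (entry.findtext("log_format") or "").strip()
        looks_like_path = "\\" in location or "/" in location
        is_evt = location.lower().endswith(".evt")
        if log_format == "eventlog" and (looks_like_path or is_evt):
            problem = "eventlog takes a channel name (Security, System, Application), not a file path"
        elif log_format != "eventlog" and is_evt:
            problem = "event logs cannot be read as files; use log_format eventlog with the channel name"
        elif log_format != "eventlog" and not looks_like_path:
            problem = f"location {location!r} is not a file path; did you mean log_format eventlog?"
        else:
            problem = None
        findings.append((location, log_format, problem))
    return findings


def eventlog_config(channels=("Security", "System", "Application")):
    """Render one <localfile> block per event log channel, as in the reply."""
    return "".join(
        f"<localfile>\n  <location>{c}</location>\n  <log_format>eventlog</log_format>\n</localfile>\n"
        for c in channels
    )


def agent_status(base_dir, agent_name, agent_ip):
    """Report whether the server has an agent-info file (with its uname) and
    how many non-empty syscheck lines it holds for this agent. Assumed naming."""
    info_path = os.path.join(base_dir, "queue", "agent-info", f"{agent_name}-{agent_ip}")
    syscheck_path = os.path.join(base_dir, "queue", "syscheck", f"({agent_name}) {agent_ip}->syscheck")
    status = {"agent_info": os.path.isfile(info_path), "uname": None, "syscheck_entries": 0}
    if status["agent_info"]:
        with open(info_path, encoding="utf-8", errors="replace") as fh:
            status["uname"] = fh.read().strip() or None
    if os.path.isfile(syscheck_path):
        with open(syscheck_path, encoding="utf-8", errors="replace") as fh:
            status["syscheck_entries"] = sum(1 for line in fh if line.strip())
    return status


def make_sample_server():
    """Build a constructed /var/ossec-like tree in a temp dir with one agent
    that has connected and reported two syscheck entries; return its path."""
    base = tempfile.mkdtemp(prefix="ossec-example-")
    os.makedirs(os.path.join(base, "queue", "agent-info"))
    os.makedirs(os.path.join(base, "queue", "syscheck"))
    with open(os.path.join(base, "queue", "agent-info", "winbox-192.0.2.10"), "w") as fh:
        fh.write("Microsoft Windows (constructed uname) - OSSEC HIDS v0.9\n")
    with open(os.path.join(base, "queue", "syscheck", "(winbox) 192.0.2.10->syscheck"), "w") as fh:
        # Constructed placeholder lines; only "checksum  file" is relevant here.
        fh.write("md5placeholder  C:\\WINDOWS\\notepad.exe\n"
                 "md5placeholder  C:\\WINDOWS\\explorer.exe\n")
    return base


if __name__ == "__main__":
    for location, log_format, problem in lint_localfiles(SAMPLE_AGENT_CONF):
        print(f"{location!r} ({log_format}): {problem or 'ok'}")
    print(eventlog_config(), end="")
    print(agent_status(make_sample_server(), "winbox", "192.0.2.10"))
```

Run it on a real server by passing /var/ossec as base_dir and the agent name and IP as they appear in the queue file names; an agent with no agent-info file has never been seen by the server, and one with agent-info but zero syscheck entries is connected but not yet reporting file checksums.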
On 7/26/06, ruurd@xxxxxxxxxx <ruurd@xxxxxxxxxx> wrote:
Hi
We have an ossec server 0.9 running with several clients.
But the windows agents don't read from the eventlogs.
I tried editing the ossec.conf at the windows agent with the path directly to the eventlog, something like:
<localfile>
<log_format>system</log_format>
<location>c:\windows\system32\conf\***.evt</location>
</localfile>
What is wrong? Did I miss something?
Can I see if something is wrong with the syscheck?
Thanks
Ruurd
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.