[ossec-list] Re: windows logs
- To: <ossec-list@xxxxxxxxxxxxxxxx>
- Subject: [ossec-list] Re: windows logs
- From: <ruurd@xxxxxxxxxx>
- Date: Wed, 26 Jul 2006 19:48:29 +0200
- Organization: secquard
Hi Daniel
I will check those things tomorrow morning.
Thanks,
Ruurd
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx]
On behalf of Daniel Cid
Sent: Wednesday, 26 July 2006 17:16
To: ossec-list@xxxxxxxxxxxxxxxx
CC: ruurd@xxxxxxxxxx
Subject: [ossec-list] Re: windows logs
Hi Ruurd,
You can't give the path of the event log. You need to provide the log_format
as event log and in the "location", the type of event log. For example, to
monitor the security events, add the following lines to the config:
<localfile>
  <location>Security</location>
  <log_format>eventlog</log_format>
</localfile>
However, it should be there by default. Just remember that Windows by
default does not log a lot of things. You would need to go to the
administrative panel and enable logging for policy changes, logins,
logouts, etc...
Regarding syscheck, if you go to ossec.log (generally under
C:\program files\ossec-agent\), you will see if anything failed. Also,
if you go to the ossec server, under /var/ossec/queue/syscheck/, you
should have a file for your windows systems (based on the name and IP
of the agent). If the file is there and it has a list of
checksums/file names, it is because syscheck is working...
Another way to check the connectivity is to look on the server at
/var/ossec/queue/agent-info/ . It should have the "uname" of all your
agents.
*Just a note that syscheck by default only monitors the following
directories: C:\WINDOWS and C:\Program Files .
Hope it helps,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/26/06, ruurd@xxxxxxxxxx <ruurd@xxxxxxxxxx> wrote:
>
> Hi
>
> We have an ossec server 0.9 running with several clients.
> But the windows agents don't read from the eventlogs.
> I tried editing the ossec.conf at the windows agent with the path directly
> to the eventlog, something like:
>
> <localfile>
> <log_format>system</log_format>
> <location>c:\windows\system32\conf\***.evt</location>
> </localfile>
>
> What is wrong, did I miss something?
>
> Can I see if something is wrong with the syscheck?
>
> Thanks
>
> Ruurd
>
>
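The localfile rule Daniel gives above (location = the event log type, log_format = eventlog, never a path to an .evt file), as an added example that is not part of this thread or of OSSEC itself: a small checker that parses the <localfile> entries of an agent's ossec.conf and flags entries configured the way Ruurd's were. The config text and the .evt path in it are constructed for illustration.

```python
# Added example (not OSSEC code): lint <localfile> entries of an agent
# ossec.conf for the mistake discussed in the thread, i.e. pointing at an
# .evt file on disk instead of using log_format "eventlog" with the log
# type as the location.
import xml.etree.ElementTree as ET

# The three Windows event logs that existed on every 2006-era system;
# "Security" is the one named in the thread.
WINDOWS_EVENT_LOGS = {"Application", "Security", "System"}

# Constructed sample config: one wrong entry, one correct one, one plain file.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <log_format>system</log_format>
    <location>c:\\example\\some-log.evt</location>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>C:\\example\\app\\access.log</location>
  </localfile>
</ossec_config>"""

FIX_HINT = "use <log_format>eventlog</log_format> with the log type as location"


def lint_localfiles(conf_text):
    """Return a list of (location, log_format, verdict) for each <localfile>."""
    root = ET.fromstring(conf_text)
    results = []
    for lf in root.findall("localfile"):
        loc = (lf.findtext("location") or "").strip()
        fmt = (lf.findtext("log_format") or "").strip()
        if fmt == "eventlog":
            # Correct form: location must be the log type, not a file path.
            verdict = "ok" if loc in WINDOWS_EVENT_LOGS else "check event log name"
        elif loc.lower().endswith(".evt"):
            # The thread's mistake: a path to the .evt file with another format.
            verdict = FIX_HINT
        else:
            verdict = "ok"
        results.append((loc, fmt, verdict))
    return results


def count_problems(conf_text):
    """Number of entries that need attention; usable as an exit status."""
    return sum(1 for _, _, verdict in lint_localfiles(conf_text) if verdict != "ok")


if __name__ == "__main__":
    for loc, fmt, verdict in lint_localfiles(SAMPLE_CONF):
        print(f"{fmt:9s} {loc:35s} {verdict}")
```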
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.