Hello guys,

I have successfully been able to build an OSSEC server with a PIX and a Windows server reporting back to it. Now I would also like to have OSSEC check my Symantec AntiVirus log file. I can see from the OSSEC web site that this should be possible; however, I do not know where I need to do this. I thought I had to modify the ossec.conf in C:\Program Files\ossec-agent by simply putting in:

  <localfile>
    <location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
    <log_format>Symantec-av</log_format>
  </localfile>

However, when I do this I get the following entry in the ossec.log file on the Windows machine:

  ossec-agent(1235): Invalid value for element 'log_format': "symantec-av"

Hence I can see that it does not like my log_format, yet I got that from the decoders.xml. Does anyone know what I am doing wrong? I am running the latest version of OSSEC on both the Linux and Windows servers. I would
appreciate it if someone could point me in the right direction.

Regards,
Jens
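The following stanza is an added example, not something from Jens's message or from the OSSEC project's own files. In OSSEC the <log_format> element selects the file reader (how the agent splits the file into events: syslog, apache, iis, eventlog and so on); it does not select a decoder. Decoders from decoders.xml, including the one named symantec-av, are matched against the content of each event after it reaches the server, so a decoder name is never a valid log_format, which is exactly what the agent's "Invalid value for element 'log_format'" message is reporting. For a plain one-line-per-record text log the reader to use is syslog. The path and the %m%d20%y date pattern are taken from the message above (OSSEC expands strftime-style patterns in <location> so a file that rolls over daily can be followed); everything else is the corrected setting beside the failing one.

```xml
<!-- Added example: failing stanza (as posted) beside the corrected one.
     This is not the page's own configuration; the path is the one quoted
     in the message and is assumed to be correct for that host. -->

<!-- FAILS: symantec-av is a decoder name, not a file reader.
     The agent logs: Invalid value for element 'log_format': "symantec-av"
<localfile>
  <location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
  <log_format>Symantec-av</log_format>
</localfile>
-->

<!-- WORKS: read the file line by line with the syslog reader; the server's
     decoders (decoders.xml, including symantec-av) are applied to each line
     by content, so no decoder name is needed here. -->
<localfile>
  <location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
  <log_format>syslog</log_format>
</localfile>
```

After saving the change, restart the Windows agent (the service is normally named OssecSvc, so net stop OssecSvc followed by net start OssecSvc) and re-check ossec.log on the agent: the invalid-value line should be gone and the agent should instead report that it is analyzing the Symantec file. If the date pattern does not resolve to an existing file for today, the agent will log that it cannot find the file, which is a path or pattern problem rather than a log_format one.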