[ossec-list] Re: Symantec Anti-Virus log checking
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Symantec Anti-Virus log checking
- From: MdMonk <mdmonk@xxxxxxxxx>
- Date: Wed, 6 Jun 2007 13:36:09 -0600
Jens-
The snippet from my conf that applies is:
###
<localfile>
<location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
<log_format>syslog</log_format>
</localfile>
###
The log format is set to "syslog" on my systems. Have you tried that yet?
-MdMonk (Chuck)
On 6/6/07, Harsem, Jens <JHarsem@xxxxxxxxxx> wrote:
>
> Hello guys,
>
> I have successfully been able to build an OSSEC Server with having a Pix & a
> Windows Server reporting back to it. Now I would like to also have OSSEC
> check my Symantec Anti-Virus log file. I can see from the ossec web that
> this should be possible. However I do not know where I need to do this.
>
> I thought I had to modify the ossec.conf in C:\Program Files\ossec-agent by
> simply putting in:
>
> <localfile>
> <location> C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
> <log_format>Symantec-av</log_format>
> </localfile>
>
> however when I do this I get the following entry in the ossec.log file on
> the windows machine:
>
> ossec-agent(1235): Invalid value for element 'log_format': "symantec-av"
>
> Hence I can see that it does not like my log_format – yet I got that from
> the decoders.xml
>
> Does anyone know what I am doing wrong? I am running the latest version of
> OSSEC both on the Linux & windows Server. I would appreciate it if someone
> could point me in the right direction.
>
> Regards,
>
> Jens
>
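The thread turns on two details of the `<localfile>` block: the `<log_format>` value must be one of the input formats the agent itself understands (a decoder name from decoders.xml such as "symantec-av" is not one, which is the error Jens sees), and the `%m%d20%y` tokens in `<location>` are expanded per day so the agent follows Symantec's MMDDYYYY.log naming. The following pre-flight check is an added example written for this page, not code from OSSEC or from either poster. It assumes OSSEC expands `%m`, `%d`, `%y` and `%Y` strftime-style and compares `log_format` case-insensitively (the lowercased value in the error message suggests this); the set of accepted formats is a representative list taken from later OSSEC documentation and should be checked against the version actually deployed.

```python
"""Pre-flight check for an OSSEC agent <localfile> block (constructed example)."""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Assumption: representative log_format values accepted by the OSSEC agent,
# taken from later OSSEC documentation; verify against your own version.
# Decoder names (e.g. "symantec-av") are NOT valid here.
KNOWN_LOG_FORMATS = {
    "syslog", "snort-full", "snort-fast", "squid", "iis", "eventlog",
    "mysql_log", "postgresql_log", "nmapg", "apache", "command",
    "full_command", "djb-multilog", "multi-line",
}


def expand_location(pattern: str, when: date) -> str:
    """Expand the date tokens OSSEC honours in <location> for a given day.

    '%m%d20%y.log' on 6 June 2007 becomes '06062007.log', matching the
    MMDDYYYY.log naming Symantec AntiVirus uses for its daily log files.
    """
    return re.sub(r"%[mdyY]", lambda m: when.strftime(m.group(0)), pattern)


def check_localfile(xml_text: str, when: date) -> dict:
    """Parse one <localfile> block and report problems a practitioner should fix.

    Returns the resolved log path for `when` plus a list of findings; an empty
    findings list means the block looks acceptable under the assumptions above.
    """
    root = ET.fromstring(xml_text)
    location = root.findtext("location") or ""
    log_format = root.findtext("log_format") or ""
    findings = []

    # Leading/trailing whitespace inside <location> ends up in the path the
    # agent opens; the original post has a stray space before "C:\".
    if location != location.strip():
        findings.append("location has leading/trailing whitespace")

    # This is the check behind "Invalid value for element 'log_format'".
    if log_format.strip().lower() not in KNOWN_LOG_FORMATS:
        findings.append(
            f"log_format {log_format!r} is not an accepted input format "
            "(decoder names from decoders.xml do not belong here)"
        )

    return {
        "resolved_location": expand_location(location.strip(), when),
        "findings": findings,
    }


# Constructed sample input: the two blocks discussed in the thread.
REJECTED_BLOCK = r"""<localfile>
<location> C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
<log_format>Symantec-av</log_format>
</localfile>"""

WORKING_BLOCK = r"""<localfile>
<location>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\%m%d20%y.log</location>
<log_format>syslog</log_format>
</localfile>"""

if __name__ == "__main__":
    for label, block in (("rejected", REJECTED_BLOCK), ("working", WORKING_BLOCK)):
        result = check_localfile(block, date(2007, 6, 6))
        print(label, "->", result["resolved_location"])
        for finding in result["findings"]:
            print("  !", finding)
```

Running it against the rejected block reports both the stray leading space and the unaccepted `Symantec-av` value; the working block resolves to `...\Logs\06062007.log` with no findings. Once the format passes this check, the remaining question is whether the `syslog` reader and the server-side decoders actually extract useful fields from Symantec's lines, which is something to confirm by watching the archives on the server rather than by trusting the agent's silence.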
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.