[ossec-list] Re: Windows eventlog NTDS.evt logging

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Dmitrii,

You need to pass the event log name (like Application or Security) to
the "location"
tag, instead of the real location of the event log. That's why
"Application" works and
"C:\WINDOWS\System32\config\AppEvent.Evt" fails.

For NTDS, I am afraid that ossec will not support it properly, since
we hard-coded
a validator looking for "Security", "Application" or "System"... I
will see if I can fix it
for the next snapshot. Is there any more event log "sources" that we may need to
add?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/26/07, bion@xxxxxxxx <bion@xxxxxxxx> wrote:
>
>
> Hello!
> I'm trying to add extended event logging to windows agents on Windows Server
> 2003 domain controller.
> There is event log C:\WINDOWS\system32\config\NTDS.evt
> but when i try to add string like this:
>   <localfile>
>
> <location>C:\WINDOWS\system32\config\NTDS.evt</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> it exits with error:
> 2007/06/26 10:47:26 ossec-agent: DEBUG: Reading logcollector configuration.
>
> 2007/06/26 10:47:26 ossec-agent(1903): Invalid event log:
> 'C:\WINDOWS\System32\config\NTDS.Evt'.
>
> 2007/06/26 10:47:26 ossec-agent(1202): Configuration error at 'ossec.conf'.
> Exiting.
>
> Tried to change location to NTDS. Unsuccessfull.
> Does anyone solved this problem?
>
>
> P.S.
>   <localfile>
>     <location>Application</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> works, but when i try to change location like this
> <location>C:\WINDOWS\System32\config\AppEvent.Evt</location>
> it crashes with error.
>
> Thanks.
> Dmitrii Chebotarev, Russia.
>
>