List: ossec-list
Subject: [ossec-list] Re: windows logs
From: <ruurd () xsguard ! nl>
Date: 2006-07-26 17:48:29
Message-ID: 000001c6b0db$b5175750$0302a8c0 () laptop
Hi Daniel
I will check those things tomorrow morning.
Thanks,
Ruurd
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
On behalf of Daniel Cid
Sent: Wednesday, 26 July 2006 17:16
To: ossec-list@googlegroups.com
CC: ruurd@xsguard.nl
Subject: [ossec-list] Re: windows logs
Hi Ruurd,
You can't give the path of the event log. You need to provide the log_format
as event log and in the "location", the type of event log. For example, to
monitor the security events, add the following lines to the config:
<localfile>
  <location>Security</location>
  <log_format>eventlog</log_format>
</localfile>
However, it should be there by default. Just remember that Windows by default does not log a lot of things. You would need to go to the administrative panel and enable logging for policy changes, logins, logouts, etc...
Regarding syscheck, if you go to ossec.log (generally under C:\program files\ossec-agent\), you will see if anything failed. Also, if you go to the ossec server, under /var/ossec/queue/syscheck/, you should have a file for your windows systems (based on the name and IP of the agent). If the file is there and it has a list of checksums/file names, it is because syscheck is working...
Another way to check the connectivity is to look on the server at /var/ossec/queue/agent-info/ . It should have the "uname" of all your agents.
*Just a note that syscheck by default only monitors the following directories: C:\WINDOWS and C:\Program Files .
hope it helps,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/26/06, ruurd@xsguard.nl <ruurd@xsguard.nl> wrote:
>
> Hi
>
> We have an ossec server 0.9 running with several clients.
> But the windows agents don't read from the eventlogs.
> I tried editing the ossec.conf at the windows agent with the path directly
> to the eventlog, something like:
>
> <localfile>
> <log_format>system</log_format>
> <location>c:\windows\system32\conf\***.evt</location>
> </localfile>
>
> What is wrong? Did I miss something?
>
> Can I see if something is wrong with the syscheck?
>
> Thanks
>
> Ruurd
>
>
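A small checker for the <localfile> mistake discussed in this thread, written as an added example (not OSSEC's own code): it parses the agent's ossec.conf and flags entries that point at the .evt file instead of naming the event log. The sample config and the list of standard event log names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Standard Windows event logs; the agent reads them by this name, not by file path.
# (Assumed set for this example; later OSSEC versions accept more channels.)
EVENTLOG_CHANNELS = {"Application", "Security", "System"}

# Constructed sample: the path-based entry from the thread, then the corrected one.
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <log_format>system</log_format>
    <location>c:\\windows\\system32\\config\\SecEvent.evt</location>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>"""

FIX = ("event logs are read by name, not by path: use <log_format>eventlog</log_format> "
       "and <location>Security</location> (or System / Application)")


def lint_localfiles(conf_xml):
    """Return one (location, log_format, problem) tuple per <localfile>.

    problem is None when the entry is consistent; otherwise it is a short hint.
    """
    findings = []
    for lf in ET.fromstring(conf_xml).findall("localfile"):
        location = (lf.findtext("location") or "").strip()
        log_format = (lf.findtext("log_format") or "").strip().lower()
        problem = None
        if location.lower().endswith((".evt", ".evtx")):
            problem = FIX                      # the mistake from the original question
        elif log_format == "eventlog" and location not in EVENTLOG_CHANNELS:
            problem = "unknown event log name %r" % location
        elif location in EVENTLOG_CHANNELS and log_format != "eventlog":
            problem = "%s needs <log_format>eventlog</log_format>" % location
        findings.append((location, log_format, problem))
    return findings


if __name__ == "__main__":
    for location, log_format, problem in lint_localfiles(SAMPLE_CONF):
        status = "OK " if problem is None else "BAD"
        print("%s %-45s %-10s %s" % (status, location, log_format, problem or ""))
```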