
List:       ossec-list
Subject:    [ossec-list] Re: windows logs
From:       <ruurd () xsguard ! nl>
Date:       2006-07-26 17:48:29
Message-ID: 000001c6b0db$b5175750$0302a8c0 () laptop


Hi Daniel

I will check those things tomorrow morning.

Thanks,

Ruurd



From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
On behalf of Daniel Cid
Sent: Wednesday 26 July 2006 17:16
To: ossec-list@googlegroups.com
CC: ruurd@xsguard.nl
Subject: [ossec-list] Re: windows logs


Hi Ruurd,

You can't give the path of the event log. You need to provide the log_format
as event log and in the "location", the type of event log. For example, to
monitor the security events, add the following lines to the config:

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>


However, it should be there by default. Just remember that Windows by
default does not log a lot of things. You would need to go to the
administrative panel and enable logging for policy changes, logins,
logouts, etc...

Regarding syscheck, if you go to ossec.log (generally under
C:\program files\ossec-agent\), you will see if anything failed. Also,
if you go to the ossec server, under /var/ossec/queue/syscheck/, you
should have a file for your Windows systems (based on the name and IP
of the agent). If the file is there and it has a list of
checksums/file names, it is because syscheck is working...

Another way to check the connectivity is to look on the server at
/var/ossec/queue/agent-info/ . It should have the "uname" of all your
agents.

*Just a note that syscheck by default only monitors the following
directories: C:\WINDOWS and C:\Program Files .

hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net
On 7/26/06, ruurd@xsguard.nl <ruurd@xsguard.nl> wrote:
>
> Hi
>
> We have a ossec server 0.9 running with several clients.
> But the windows agents don't read from the eventlogs.
> I tried editing the ossec.conf at the windows agent with the path directly
> to the eventlog, something like:
>
> <localfile>
>         <log_format>system</log_format>
>         <location>c:\windows\system32\conf\***.evt</location>
> </localfile>
>
> What is wrong? Did I miss something?
>
> Can I see if something is wrong with the syscheck?
>
> Thanks
>
> Ruurd
>
>
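The misconfiguration in this thread (a <localfile> whose <location> is an .evt
file path, instead of the channel name with <log_format>eventlog</log_format>)
is easy to catch mechanically before the agent is restarted. The script below
is an added example, not OSSEC's own code or anything from the list; it parses
a constructed ossec.conf fragment with Python's standard XML parser and reports
entries that point at an .evt file, entries that mix a file path with the
eventlog format, and channel names (Application, Security, System) given some
other log_format. It assumes a single <ossec_config> root, which is what the
Windows agent config uses; the sample path and entries are constructed for the
example.

```python
"""Added example (not OSSEC's own code): lint the <localfile> entries of a
Windows OSSEC agent's ossec.conf for the mistake discussed in the thread,
namely pointing <location> at an .evt file instead of naming the event-log
channel with <log_format>eventlog</log_format>."""
import re
import xml.etree.ElementTree as ET

# Channels OSSEC reads through the Windows event-log API; the agent's stock
# config ships entries for these three with log_format "eventlog".
EVENTLOG_CHANNELS = ("Application", "Security", "System")

# Suffixes of on-disk event-log files, which OSSEC does not read by path.
EVT_SUFFIXES = (".evt", ".evtx")

# Constructed sample config (not from the thread): entry 1 is the broken
# file-path form, entry 2 is the corrected form Daniel gives, entry 3 names
# a channel but with the wrong log_format.
SAMPLE_CONF = r"""<ossec_config>
  <localfile>
    <log_format>system</log_format>
    <location>c:\windows\system32\config\security.evt</location>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Application</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
"""


def _text(elem, tag):
    """Child text of elem/tag, stripped, or '' when the child is absent."""
    return (elem.findtext(tag) or "").strip()


def lint_localfiles(conf_xml):
    """Return a list of (severity, message) for each problematic <localfile>.

    Assumes a single <ossec_config> root; XML comments in a real file are
    skipped by ElementTree, so they do not matter here.
    """
    root = ET.fromstring(conf_xml)
    findings = []
    for lf in root.iter("localfile"):
        loc = _text(lf, "location")
        fmt = _text(lf, "log_format")
        if not loc or not fmt:
            findings.append(("error",
                             "<localfile> needs both <location> and <log_format>"))
            continue
        is_path = bool(re.search(r"[\\/]", loc))
        is_evt = loc.lower().endswith(EVT_SUFFIXES)
        if fmt == "eventlog" and (is_path or is_evt):
            findings.append(("error",
                "%r: log_format eventlog takes a channel name such as "
                "Security, not a file path" % loc))
        elif is_evt:
            findings.append(("error",
                "%r: OSSEC does not read .evt files by path; use "
                "<location>Security</location> with "
                "<log_format>eventlog</log_format>" % loc))
        elif loc in EVENTLOG_CHANNELS and fmt != "eventlog":
            findings.append(("warning",
                "%r: looks like an event-log channel but log_format is %r, "
                "not eventlog" % (loc, fmt)))
    return findings


def monitored_channels(conf_xml):
    """Set of event-log channels the config actually reads via eventlog."""
    root = ET.fromstring(conf_xml)
    return {
        _text(lf, "location")
        for lf in root.iter("localfile")
        if _text(lf, "log_format") == "eventlog"
    }


if __name__ == "__main__":
    for severity, msg in lint_localfiles(SAMPLE_CONF):
        print(severity.upper(), msg)
    missing = set(EVENTLOG_CHANNELS) - monitored_channels(SAMPLE_CONF)
    print("channels not monitored via eventlog:", sorted(missing))
```

Run against the sample, the lint flags the .evt entry as an error and the
Application/syslog entry as a warning, and monitored_channels shows only
Security is actually being read as an event log. Fixing the config is only
half the job, as Daniel notes: unless the local audit policy is set to record
logon/logoff and policy changes, the Security channel the agent now reads will
stay mostly empty.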


