
List:       ossec-list
Subject:    [ossec-list] Ossec and Monitoring Windows Defender Operational Logs
From:       Jack Porter <jackporter11 () gmail ! com>
Date:       2019-10-28 19:18:42
Message-ID: d9c1ba30-840f-4748-9018-a3012dea4137 () googlegroups ! com


Hi,

Is there any way of configuring Ossec to monitor Windows Defender 
Operational logs located in the applications and services event group?

I have attempted to use the following permutations in my Windows agent's 
ossec.conf file (please see attached text file), but encounter the following 
error message when looking at the logs on my Windows Ossec agent:

2019/10/28 16:20:51 ossec-logcollector: ERROR: Could not EvtSubscribe() 
for (Microsoft-Windows-Windows Defender/Operational) which returned (15001)

I am pointing to the log name outlined in Event Viewer for the location, 
using the eventchannel log format and the event IDs outlined in Microsoft's 
documentation: 
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus


Kind regards,
Jack Porter






["Windows_Defender_Operational_Logs.PNG" (image/png)]
["Windows_Defender_Ossec.txt" (text/plain)]

<!-- Contents of Windows_Defender_Ossec.txt: one <localfile> block per
     Defender event ID, every block subscribing to the same channel with
     a per-ID <query> (1150 and 1151 appear twice). -->
<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1000]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1151]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1150]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1001]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1002]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1003]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1004]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1005]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1006]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1007]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1008]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1009]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1010]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1011]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1012]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1013]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1014]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1015]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1116]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1117]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2000]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1118]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1119]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1120]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1150]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=1151]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2001]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2002]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2003]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2004]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2005]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2006]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2007]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2008]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2010]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2011]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2012]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2013]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2020]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2021]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2030]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2031]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2040]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2041]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=2042]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=3002]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=3007]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5000]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5001]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5004]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5007]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5008]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5009]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5010]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5011]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5012]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5100]</query>
</localfile>

<localfile>
  <location>Microsoft-Windows-Windows Defender/Operational</location>
  <log_format>eventchannel</log_format>
  <query>Microsoft-Windows-Windows Defender/Operational[EventID=5101]</query>
</localfile>
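Editor's note on the error above, with an added configuration example that is not part of the original post or its attachment. Return code 15001 from EvtSubscribe() is ERROR_EVT_INVALID_QUERY in winerror.h (15000 is ERROR_EVT_INVALID_CHANNEL_PATH and 15007 is ERROR_EVT_CHANNEL_NOT_FOUND), so Windows accepted the channel named in <location> and rejected the XPath in <query>. The <query> text is handed to EvtSubscribe() as an XPath expression evaluated against each event's XML, whose root element is <Event>; the channel name must not appear in it. The usual form is `Event/System[EventID=…]`, and several IDs are combined with `or`. The two blocks below subscribe to the same channel, so only one of them should be kept in a given ossec.conf; the event IDs in the filtered block are taken from the attached list and the Microsoft page linked above, and which ones are worth forwarding is the editor's assumption, not the poster's.

```xml
<ossec_config>
  <!-- Option A: forward every event on the Defender Operational channel.
       No <query> at all; decide what to alert on with rules on the manager. -->
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- Option B: subscribe only to detection, remediation and
       protection-state events. The XPath starts at Event/System, not at
       the channel name, and one subscription covers all listed IDs. -->
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=1006 or EventID=1007 or EventID=1008 or EventID=1015 or EventID=1116 or EventID=1117 or EventID=1118 or EventID=1119 or EventID=2001 or EventID=5001 or EventID=5004 or EventID=5007 or EventID=5008 or EventID=5010 or EventID=5012 or EventID=5101]</query>
  </localfile>
</ossec_config>
```

Before restarting the agent, the same XPath can be checked against the live channel with the built-in tool, e.g. `wevtutil qe "Microsoft-Windows-Windows Defender/Operational" /q:"Event/System[EventID=1116 or EventID=5001]" /c:3 /rd:true /f:text`; if wevtutil returns events (or nothing, without a query error) the expression is valid for EvtSubscribe() as well. After the restart, the EvtSubscribe() error should no longer appear in the agent's ossec.log. Keep one <localfile> per channel rather than one per event ID: each block is a separate subscription, and the attached list even duplicates 1150 and 1151, which would deliver those events twice.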

