[prev in list] [next in list] [prev in thread] [next in thread]
List: ossec-list
Subject: [ossec-list] Ossec Monitoring Windows defender Operational Logs
From: Jack Porter <Jackporter11 () gmail ! com>
Date: 2019-10-28 19:38:29
Message-ID: ea138dc3-44fc-44c7-bc3b-f57f49fefd1d () googlegroups ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi,
Is there any way of configuring Ossec to monitor Windows Defender
Operational logs located in the applications and services group?
I have attempted to use the following permutations on my Windows agents
ossec.conf file (please see attached text file)
But encounter the following error message below in the Ossec Windows agents
logs:
*2019/10/28 16:46:38 ossec-logcollector: ERROR: Could not EvtSubscribe()
for (Microsoft-Windows-Windows Defender) which returned (15007)*
In the location field, I am using the event name outlined in event viewer,
event channel log format as advised for logs located in the applications
and services logs and the event id's defined by Microsoft
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus
Kind regards,
Jack Porter
--
---
You received this message because you are subscribed to the Google Groups \
"ossec-list" group. To unsubscribe from this group and stop receiving emails from it, \
send an email to ossec-list+unsubscribe@googlegroups.com. To view this discussion on \
the web visit https://groups.google.com/d/msgid/ossec-list/ea138dc3-44fc-44c7-bc3b-f57f49fefd1d%40googlegroups.com.
[Attachment #5 (text/html)]
<div dir="ltr"><font size="2">Hi,</font><div style=""><font \
size="2"><br></font></div><div style=""><font size="2">Is there any way of \
configuring O<span class="il">ssec</span> to monitor Windows Defender Operational \
logs located in the applications and services group?</font></div><div style=""><font \
size="2"><br></font></div><div style=""><font size="2">I have attempted to use the \
following permutations on my Windows agents <span class="il">ossec</span>.conf file \
(please see attached text file)</font></div><div style=""><font \
size="2"><br></font></div><div style=""><span style="font-size: small;">But encounter \
the following error message below in the Ossec Windows agents \
logs:</span><br></div><div style=""><font size="2"><br></font></div><div \
style=""><font size="2"><b>2019/10/28 16:46:38 ossec-logcollector: ERROR: Could not \
EvtSubscribe() for (Microsoft-Windows-Windows Defender) which returned \
(15007)</b><br></font></div><div style=""><font size="2"><b><br></b></font></div><div \
style=""><font size="2">In the location field, I am using the event name outlined in \
event viewer, event channel log format as advised for logs located in the \
applications and services logs and the event id's defined by Microsoft <a \
href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defe \
nder-antivirus/troubleshoot-windows-defender-antivirus">https://docs.microsoft.com/en- \
us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus</a></font></div><div \
style=""><font size="2"><br></font></div><div style=""><font size="2">Kind \
regards,</font></div><div style=""><font size="2">Jack Porter</font></div></div>
<p></p>
-- <br />
<br />
--- <br />
You received this message because you are subscribed to the Google Groups \
"ossec-list" group.<br /> To unsubscribe from this group and stop receiving \
emails from it, send an email to <a \
href="mailto:ossec-list+unsubscribe@googlegroups.com">ossec-list+unsubscribe@googlegroups.com</a>.<br \
/> To view this discussion on the web visit <a \
href="https://groups.google.com/d/msgid/ossec-list/ea138dc3-44fc-44c7-bc3b-f57f49fefd1 \
d%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/ossec-list/ea138dc3-44fc-44c7-bc3b-f57f49fefd1d%40googlegroups.com</a>.<br \
/>
["Windows_Defender_Ossec.txt" (text/plain)]
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1000]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1151]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1150]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1001]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1002]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1003]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1004]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1005]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1006]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1007]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1008]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1009]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1010]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1011]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1012]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1013]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1014]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1015]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1116]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1117]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2000]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1118]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1119]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1120]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1150]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=1151]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2001]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2002]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2003]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2004]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2005]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2006]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2007]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2008]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2010]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2011]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2012]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2013]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2020]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2021]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2030]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2031]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2040]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2041]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=2042]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=3002]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=3007]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5000]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5001]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5004]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5007]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5008]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5009]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5010]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5011]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5012]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5100]</query>
</localfile>
<localfile>
<location>Microsoft-Windows-Windows Defender/Operational</location>
<log_format>eventchannel</log_format>
<query>Microsoft-Windows-Windows Defender/Operational[EventID=5101]</query>
</localfile>
["Windows_Defender_Operational_Logs.PNG" (image/png)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic