
Forwarding Hyper-V events via OSSEC



I'm trying to forward Hyper-V Windows events. Hyper-V events are located in:
"Application and Services Logs > Microsoft > Windows > Hyper-V-Worker > Admin"
The problem is that OSSEC uses "-" between different tree levels. For example, if I want OSSEC to forward events in AppID I would write:
The "-" is causing problems as you can see, because writing "<location>Microsoft-Windows-Hyper-V-Worker/Admin</location>" won't work because OSSEC will look for "Application and Services Logs > Microsoft > Windows > Hyper > V > Worker > Admin".

Any way to overcome this?

I believe that NXLog will have the same problem.



Best Answer

  • It turned out that the "-" isn't the problem; it actually was the "/".
    What you need to use is: "<location>Microsoft-Windows-Hyper-V-Worker-Admin</location>"
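
Added example, not part of the thread: a PowerShell sketch that reads the exact Hyper-V channel names from Windows instead of deriving them from the Event Viewer tree, and prints an OSSEC `<localfile>` stanza for each enabled channel. The wildcard pattern and the use of the `eventchannel` log format are assumptions; the channels present depend on the Windows version and installed roles.

```powershell
# Added example: list Hyper-V event channels by their exact names and print
# a matching OSSEC <localfile> stanza for each enabled channel.
# Run in an elevated PowerShell session on the Hyper-V host.

$pattern = 'Microsoft-Windows-Hyper-V-*'   # assumption: narrow this as needed

# Get-WinEvent -ListLog returns one object per channel; LogName is the flat
# channel name that Windows itself uses (hyphens included).
$channels = Get-WinEvent -ListLog $pattern -ErrorAction SilentlyContinue |
    Sort-Object LogName

if (-not $channels) {
    Write-Warning "No channels match '$pattern' (is the Hyper-V role installed?)"
    return
}

foreach ($ch in $channels) {
    if (-not $ch.IsEnabled) {
        # A disabled channel records nothing, so forwarding it is pointless.
        Write-Output "<!-- skipped, channel disabled: $($ch.LogName) -->"
        continue
    }

    # Emit the stanza with the channel name copied verbatim into <location>.
    @"
<!-- $($ch.LogName): $($ch.RecordCount) records currently stored -->
<localfile>
  <location>$($ch.LogName)</location>
  <log_format>eventchannel</log_format>
</localfile>
"@
}
```

Paste the stanzas you want into the agent's `ossec.conf` and restart the agent; comparing the printed `LogName` values against a `<location>` that is not collecting shows quickly whether the name is the mismatch.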
