Configure OSSEC so that the SIEM collects every Windows event

How to configure the OSSEC agent on Windows so the SIEM shows all Windows events.

I enabled the OSSEC plugin and did a default installation on Windows Server 2008 R2 with the OSSIM address and key.

OSSIM is starting to get data, but it is not getting all of the Windows Event Log.

How do I configure it so that all/every event is shown in the SIEM GUI console?

  • If you look at your config file under <ossec_config> you should see lines for Application, Security and System. If you need more than that, you will have to add them yourself in the same way as the ones that are already in the config file.

    Did you add the ossec plugin under Deployment - System configuration - Collection?
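As an added example (not from this thread and not the config the OSSEC project ships), this is what the `<localfile>` stanzas for the three classic event logs look like in the Windows agent's ossec.conf, plus one extra channel added "in the same way". The install path and the channel name Microsoft-Windows-PrintService/Operational are assumptions for illustration; on Windows Vista/2008 and later, channels beyond the classic three have to be read with the eventchannel format, which the agent understands from OSSEC 2.7 onward.

```xml
<!-- Added example: C:\Program Files (x86)\ossec-agent\ossec.conf (path assumed).
     The default agent config already contains the first three stanzas; the
     fourth is the pattern for adding another source yourself. -->
<ossec_config>
  <!-- Classic event logs, readable with the old eventlog API on every
       supported Windows version. -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <!-- Vista/2008 and later: any channel under Applications and Services Logs
       needs the newer eventchannel format (OSSEC agent 2.7+). The channel
       below is an assumed example and must be enabled in Event Viewer first,
       otherwise the agent has nothing to read. -->
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
```

After editing, restart the "OSSEC HIDS" service and check ossec.log in the same folder: each configured source should produce an "Analyzing event log:" line, and a channel name that is misspelled or not enabled shows up there as an error instead.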
  • Yes. I added the ossec plugin. I am getting data from ossec.

    Do you mean ossec_config on the Windows machine where I installed the plugin, or inside /etc/ossim/agent/plugins/ossec.conf?

    I don't have any experience with regexp; I'll need to find a good regexp tutorial then. :(
  • The config file on your Windows machine. I had a look at mine and it was done by default. But take a look at it and let's see what we can figure out.
  • I also have the default config with those lines.

    For Windows in the OSSEC config file I see
    [OSSEC - Windows Security audit - Failure]
    [OSSEC - Windows Security audit - Logged on/off]
    [OSSEC - Windows Security audit -zzz- Generic Rule]

    So I assume that I need to create a regexp for the application and system log files?

    In what file can I see whether the system and application logs are coming to OSSIM? Because when I
    tail -f /var/ossec/logs/alerts/alerts.log I see only security events arriving, e.g. I restart the print spooler and that information is not forwarded to OSSIM, but Log On/Off events are.
    So how do I configure OSSEC to forward the System and Application logs as well? Then I will play with regexp :)

  • Sorry for the late response, but I've been busy at work. Could you look at your ossec agent log file to see if your agent actually looks at the other event logs? I just started collecting info from my ossec agent so I don't have much data just yet, but I did notice in my agent log that it wrote it was analyzing the Application, Security and System event logs. Let's look at this as our next step and move on from there.
  • Well, we need to see how to configure it to send the app and system logs. It sends only security logs to ossim.
    As I see in the log file, only Security events are showing up.
  • If you find your install folder on the Windows machine, in that folder you should have an ossec.log. If you restart your ossec agent it should tell you what event logs it monitors, just to make it 100% sure that you log everything with your agent.
  • I have the same problem. This is a part of the ossec.log file:
    2013/02/15 11:31:06 ossec-agent(4102): INFO: Connected to the server (<ip server ossim>:1514).
    2013/02/15 11:31:06 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
    2013/02/15 11:31:06 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
    2013/02/15 11:31:07 ossec-agent(1951): INFO: Analyzing event log: 'System'.

    But it sends only security logs to ossim.

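A caveat the thread never reaches, added here as an example rather than anything a poster wrote: the agent log above proves the agent reads all three logs, but the OSSIM ossec plugin reads /var/ossec/logs/alerts/alerts.log, and the OSSEC server only writes an event there when the rule it matched has a level of at least the server's `<log_alert_level>` (1 by default). In the stock OSSEC rule set, Windows audit-success and audit-failure events carry level 3 and 4, while informational and warning events fall through to level 0, so a service restart in the System log is received, matched, and silently dropped while logon/logoff events get through. The two server-side changes below (on the OSSIM box, not the Windows agent) make such events visible; the rule id 100100 and event id 7036 (Service Control Manager service-state change) are assumptions chosen to fit the print-spooler example in the thread, and the `<group>` fragment goes in a separate file from the `<ossec_config>` fragment.

```xml
<!-- Added example, not from the thread.
     1. /var/ossec/etc/ossec.conf on the OSSEC server: write every event the
        server receives, alerted or not, to /var/ossec/logs/archives/archives.log.
        Use this to verify that Application/System events actually arrive;
        turn it off again afterwards because the file grows quickly. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>

<!-- 2. /var/ossec/rules/local_rules.xml: promote service-state changes from
        the System log to level 3 so they reach alerts.log and therefore OSSIM.
        18100 is the stock "group of windows rules" parent that every decoded
        Windows event passes through; <id> matches the Windows event ID field
        the windows decoder extracts. Rule id and event id are assumptions. -->
<group name="local,windows,">
  <rule id="100100" level="3">
    <if_sid>18100</if_sid>
    <id>^7036$</id>
    <description>Windows service changed state (Service Control Manager).</description>
  </rule>
</group>
```

Restart with `/var/ossec/bin/ossec-control restart`, restart the print spooler on the agent, and confirm the event now appears in alerts.log. To see which rule and level any particular line ends up with before editing rules, paste the raw line from archives.log into `/var/ossec/bin/ossec-logtest`; it prints the decoder fields and the rule that fired. Any such locally alerted Windows event that the OSSIM ossec plugin has no specific regexp for lands under the "Generic Rule" entry the thread lists, which is the point at which writing a plugin regexp becomes relevant.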
  • I have the exact same problem... getting tons of Security events but nothing from Application (also the ossec.log on Windows shows it is "Analyzing event log: 'Application'"). Any solution in sight? Are extra rules or ossec conf required? Thx
  • I seem to have the same issue... Anyone ever get this working?
  • Did anyone ever figure this out? Still haven't found the answer. We're using the USM for PCI compliance, and without the Windows system event log analysis, we're missing a LOT of PCI compliance mandates.
  • I am having the same issue on 5.1.1.....anyone figure this out?