Override eventlog with eventchannel via Centralized agent config


Brett Simpson

Apr 20, 2017, 12:26:18 PM
to ossec-list
I wasn't sure how to do this, or if it's possible, but I have a large number of OSSEC agents where I want to filter out specific Windows Event IDs agent-side. If I modify the ossec.conf on the agent and replace the log_format of my System entry from eventlog to eventchannel, it works; however, if I leave it as eventlog and alter the centralized agent config to include that for Windows OS, it doesn't work. I do see it get replicated to the agent under the shared folder, but it looks like eventlog is taking priority. Touching each agent is not feasible, as I just don't have that kind of control; at least, I would have to somehow repackage an OSSEC install and wrap a new config into it, then have my IT people reinstall it on hundreds of Windows systems. Although I'm testing filtering Event ID 7000 on a workstation, I have many Windows servers with Windows packet filtering bombarding the event logs. This ends up saturating my network links from the agent to the manager, which I want to eliminate.

In ossec.conf
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

In Shared folder as agent.conf
<agent_config os="Windows">

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!=7000]</query>
  </localfile>

</agent_config>
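As an added check (this is not part of the post above and not OSSEC's own code): the eventchannel <query> value is a standard Windows Event Log XPath expression, so it can be tested on any Windows host with Get-WinEvent or wevtutil before it is pushed to hundreds of agents through the shared agent.conf. The script below assumes an elevated PowerShell session on a Windows machine and reads the local System log; the $Query variable is the expression from the agent.conf above, and the 500-event sample size is an arbitrary choice.

```powershell
# Added example (not from the original post): validate the XPath used in the
# agent.conf <query> against the local System log before deploying it.
# Assumes a Windows host and an elevated PowerShell session.

$Query = 'Event/System[EventID!=7000]'   # same expression as in the agent.conf above
# Further IDs can be excluded in the same predicate, e.g.
# 'Event/System[EventID!=7000 and EventID!=7001]' (hypothetical second ID).

# Get-WinEvent expects the structured XML query form; the XPath inside
# <Select> is the string OSSEC would use unchanged.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">$Query</Select>
  </Query>
</QueryList>
"@

# Pull the most recent 500 events that pass the filter (sample size is
# arbitrary) and verify that no EventID 7000 slipped through.
$kept   = @(Get-WinEvent -FilterXml $FilterXml -MaxEvents 500 -ErrorAction SilentlyContinue)
$leaked = @($kept | Where-Object { $_.Id -eq 7000 })
"Events passing filter: $($kept.Count); EventID 7000 among them: $($leaked.Count)"

# For comparison, count how many 7000s the unfiltered log holds, i.e. what a
# plain 'eventlog' localfile entry would forward to the manager.
$noisy = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7000 } -ErrorAction SilentlyContinue)
"EventID 7000 in the System log: $($noisy.Count)"

# Equivalent check with the built-in tool; the query string is identical:
# wevtutil qe System /q:"$Query" /c:5 /rd:true /f:text
```

If the filtered sample still contains EventID 7000, the expression is wrong and no amount of agent.conf distribution will help; if it is clean, what remains to confirm on the agent is only which localfile entries are actually active, which is the point raised in the reply below.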

Jesus Linares

Apr 26, 2017, 5:34:50 AM
to ossec-list
Hi Brett,

In your case, both configurations are applying. Also, I recommend that you filter other noisy events.

Regards.