I wasn't sure how to do this or if it's possible, but I have a large number of OSSEC agents where I want to filter out specific Windows Event IDs agent-side. If I modify the ossec.conf on the agent and replace the log_format of my System log from eventlog to eventchannel, it works; however, if I leave it as eventlog and alter the centralized agent config to include that for Windows OS, it doesn't work. I do see it get replicated to the agent under the shared folder, but it looks like eventlog is taking priority. Touching each agent is not feasible, as I just don't have that kind of control; at the least I would have to somehow repackage an OSSEC install and wrap a new config into it, then have my IT people reinstall it on hundreds of Windows systems. Although I'm testing filtering Event ID 7000 on a workstation, I have many Windows servers with the Windows packet filtering bombarding the event logs. This ends up saturating my network links from the agent to the manager, which I want to eliminate.
In ossec.conf:

    <localfile>
      <location>System</location>
      <log_format>eventlog</log_format>
    </localfile>
In the shared folder, as agent.conf:

    <agent_config os="Windows">
      <localfile>
        <location>System</location>
        <log_format>eventchannel</log_format>
        <query>Event/System[EventID!=7000]</query>
      </localfile>
    </agent_config>
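Before pushing an eventchannel query out to hundreds of agents, it is worth checking on a single Windows host that the XPath actually excludes the event you intend. The following PowerShell is an added example and is not part of the original post or of OSSEC itself. It assumes that Get-WinEvent's -FilterXPath parameter takes the query rooted at "*" rather than at "Event", so the agent.conf query Event/System[EventID!=7000] is expressed as *[System[EventID!=7000]]; the function name and parameters are my own.

```powershell
# Added example (not from the original post or the OSSEC project): verify on one host
# that the XPath used in the agent.conf <query> really drops Event ID 7000 from the
# System log, before the shared config is distributed to every Windows agent.
# Assumption: Get-WinEvent -FilterXPath wants the query rooted at "*", so
# Event/System[EventID!=7000] is written here as *[System[EventID!=7000]].

function Test-EventChannelQuery {
    param(
        [string]$LogName    = 'System',
        [string]$XPath      = '*[System[EventID!=7000]]',
        [int]   $ExcludedId = 7000,
        [int]   $MaxEvents  = 500
    )

    # Events that survive the filter (newest first). No match is not an error here.
    $kept = @(Get-WinEvent -LogName $LogName -FilterXPath $XPath `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

    # Any event with the excluded ID in the filtered set means the query is wrong.
    $leaked = @($kept | Where-Object { $_.Id -eq $ExcludedId })

    # For comparison: how many of the excluded events sit in the same-sized unfiltered window.
    $total = @(Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
               Where-Object { $_.Id -eq $ExcludedId }).Count

    [pscustomobject]@{
        LogName       = $LogName
        XPath         = $XPath
        EventsKept    = $kept.Count
        ExcludedInLog = $total
        LeakedThrough = $leaked.Count
        FilterWorks   = ($leaked.Count -eq 0)
    }
}

# Run against the local System log; FilterWorks should be True and LeakedThrough 0.
Test-EventChannelQuery | Format-List
```

If ExcludedInLog is 0 on the test machine, the check is inconclusive because there were no 7000 events to exclude in the window; run it on a host that is actually generating them (one of the servers with the packet-filtering noise) or raise -MaxEvents.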