Ossec and Monitoring Windows Defender Operational Logs


Jack Porter

Oct 28, 2019, 5:17:51 PM
to ossec-list
Hi,

Is there any way of configuring Ossec to monitor Windows Defender Operational logs located in the applications and services event group?

I have attempted to use the following permutations in my Windows agent's ossec.conf file (please see the attached text file), but encounter the following error message when looking at the logs on my Windows OSSEC agent:

2019/10/28 16:20:51 ossec-logcollector: ERROR: Could not EvtSubscribe() for (Microsoft-Windows-Windows Defender/Operational) which returned (15001)

I am pointing to the log name shown in Event Viewer for the location, using the eventchannel log format and the event IDs outlined in Microsoft's documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus

Kind regards,
Jack Porter

Windows_Defender_Operational_Logs.PNG
Windows_Defender_Ossec.txt

Juan Carlos Tello

Aug 20, 2020, 2:21:04 PM
to ossec-list
Hello Jack,

I realize this is a rather dated thread but I wanted to provide an answer for those that may land here through their search engine of preference.

In order to collect events from Windows Defender you may use the following configuration:

    <localfile>
        <location>Microsoft-Windows-Windows Defender/Operational</location>
        <log_format>eventchannel</log_format>
    </localfile>

This will collect all logs from Windows Defender without needing to query for specific events.

I hope this helps you.
Best Regards,
Juan Carlos Tello
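A practical check to run before putting a localfile block like the one above into ossec.conf: confirm the channel name and any event filter with the same Windows event API that ossec-logcollector calls, since EvtSubscribe() rejects a malformed filter with error 15001 (ERROR_EVT_INVALID_QUERY in winerror.h) rather than complaining about the channel. The PowerShell below is an added example, not from the thread or from the OSSEC project. It assumes the agent honours the `<query>` element documented for OSSEC's eventchannel format (check your agent version), and the event IDs it filters on are a subset of those listed on the Microsoft page the original poster links. Run it on the Windows host where the agent is installed.

```powershell
# Added example (not from the thread or the OSSEC project).
# Verifies a Windows event channel and an XPath filter before they go into
# the agent's ossec.conf, then emits the matching <localfile> block.

param(
    [string]$Channel = 'Microsoft-Windows-Windows Defender/Operational',
    # Assumption: these IDs are taken from Microsoft's Defender troubleshooting
    # page (1116 malware detected, 1117 action taken, 5001 real-time protection
    # disabled, 5007 configuration changed). Adjust to taste.
    [int[]]$EventIds = @(1116, 1117, 5001, 5007)
)

function Test-EventChannel {
    param([string]$Name)
    # Get-WinEvent -ListLog throws for an unknown channel name, which is the
    # usual cause of a mistyped <location>. The name is the "Full Name" shown
    # in Event Viewer's log properties, not the display name in the tree.
    try {
        $log = Get-WinEvent -ListLog $Name -ErrorAction Stop
        Write-Host ("channel '{0}' exists, {1} records" -f $log.LogName, $log.RecordCount)
        return $true
    } catch {
        Write-Warning ("channel '{0}' not found: {1}" -f $Name, $_.Exception.Message)
        return $false
    }
}

function New-EventIdQuery {
    param([int[]]$Ids)
    # OSSEC's <query> takes the same XPath form that wevtutil /q: and
    # EvtSubscribe() accept, e.g. Event/System[EventID=1116 or EventID=1117].
    $clauses = $Ids | ForEach-Object { "EventID=$_" }
    return 'Event/System[' + ($clauses -join ' or ') + ']'
}

function Test-EventQuery {
    param([string]$Name, [string]$Query)
    # wevtutil uses the same Evt* API as the agent, so an XPath string it
    # rejects here would also fail EvtSubscribe() with 15001.
    # An empty result with exit code 0 is fine: the filter is valid, the
    # channel simply has no matching events yet.
    $out = & wevtutil.exe qe $Name /q:$Query /c:1 /f:text 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("query rejected: {0}" -f ($out -join ' '))
        return $false
    }
    Write-Host "query accepted by wevtutil"
    return $true
}

function Format-OssecLocalfile {
    param([string]$Name, [string]$Query)
    # Leave $Query empty to collect the whole channel, as in the reply above.
    $lines = @('<localfile>',
               "  <location>$Name</location>",
               '  <log_format>eventchannel</log_format>')
    if ($Query) { $lines += "  <query>$Query</query>" }
    $lines += '</localfile>'
    return $lines -join "`n"
}

if (Test-EventChannel -Name $Channel) {
    $query = New-EventIdQuery -Ids $EventIds
    if (Test-EventQuery -Name $Channel -Query $query) {
        Format-OssecLocalfile -Name $Channel -Query $query
    }
}
```

Paste the printed block into the agent's ossec.conf and restart the agent; if you would rather forward everything the channel produces, as the reply suggests, call Format-OssecLocalfile with an empty -Query. Note that the query string is embedded in XML, so any filter that needs `<` or `>` (for example a range on EventID) must be written with the XML entities `&lt;` and `&gt;` inside `<query>`.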