AD Event log for Google Password Sync Tool


Daniel De Jesus

Dec 17, 2025, 4:33:21 PM
to Wazuh | Mailing List
Hello,

I am using Google Password sync tool for Active Directory. The tool adds the event logs under Applications and Service Logs > Google.

I would like Wazuh to collect these particular events because they provide more information on whether the password was successfully synced to Google.

I browsed the documentation and it said you can add an entry into the ossec_config of the manager settings for a local block. Here's what I have added:

  <localfile>
    <log_format>eventchannel</log_format>
    <location>C:\Windows\System32\Winevt\Logs\Google.evtx</location>
  </localfile>

Is this correct for this particular use case? Can I check to verify if it is working with Filebeat? Thanks for any insight you can provide on this.

Erick Eduardo Badilla Valverde

Dec 17, 2025, 10:46:09 PM
to Wazuh | Mailing List
Hello Daniel, 

Using the <localfile> block is correct; however, there are two small adjustments I wanted to clarify, which are needed to make it work properly:

  1. For the eventchannel format, Wazuh expects the "Channel Name", not the file path itself. You should change "<location>C:\Windows\...\Google.evtx</location>" to "<location>Google</location>" (check that the "Channel Name" is the same as how it is listed in the Event Viewer properties for those logs).

  2. Ensure this configuration is placed in the ossec.conf of the Wazuh Agent installed on the Windows server, rather than the Wazuh Manager.

About verifying the configuration using Filebeat, I wanted to point out that Filebeat handles the transport of alerts from the Manager to the Dashboard, so it won't help you verify the ingestion on the Windows side. Instead, I recommend enabling the archives.log on your Wazuh Manager. This will allow you to see the raw events coming in from the agent in real time to confirm the connection is active and the logs are being processed correctly. You can find more information about localfile configuration and enabling the archives.log below:

Local configuration (ossec.conf) | Wazuh Agent

Enabling archiving | Wazuh Manager 


Regards, 
Erick B

Daniel De Jesus

Jan 7, 2026, 12:14:28 AM
to Erick Eduardo Badilla Valverde, Wazuh | Mailing List
Hello Erick,

I'm revisiting this issue for collecting log events in Wazuh. I modified the ossec.conf files for each of our DCs that run the Google password sync tool, but I don't think it is capturing any events.

I've added this block:

  <localfile>
    <location>Google</location>
    <log_format>eventchannel</log_format>
  </localfile>

The specific event ID is 514. I am unable to find any via query. Any thoughts? Thanks in advance.
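
One way to act on the archives suggestion earlier in the thread and see which DCs are actually delivering event ID 514 from the Google channel, as an added example that is not part of the original thread or Wazuh's own code. It assumes JSON archiving is enabled on the manager and that decoded Windows events carry data.win.system.channel and data.win.system.eventID; the agent names DC01/DC02 and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample lines in the assumed archives.json shape (one JSON event per line).
SAMPLE = [
    '{"agent":{"name":"DC01"},"data":{"win":{"system":{"channel":"Google","eventID":"514"}}}}',
    '{"agent":{"name":"DC01"},"data":{"win":{"system":{"channel":"Security","eventID":"4624"}}}}',
    '{"agent":{"name":"DC02"},"data":{"win":{"system":{"channel":"Google","eventID":"100"}}}}',
    '{"agent":{"name":"DC01"},"full_log":"truncated',  # partial write, must be skipped
]

def _dig(obj, *keys):
    """Walk nested dicts, returning None as soon as the path breaks."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def channel_events(lines, channel="Google", event_id=None):
    """Yield (agent_name, event_id) for eventchannel events from `channel`."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # non-JSON or truncated line
        system = _dig(event, "data", "win", "system")
        if not isinstance(system, dict):
            continue  # not a decoded Windows event
        if str(system.get("channel", "")).lower() != channel.lower():
            continue
        if event_id is not None and str(system.get("eventID")) != str(event_id):
            continue
        yield _dig(event, "agent", "name"), str(system.get("eventID"))

def summarize(lines, channel="Google", event_id=None):
    """Count matching events per agent."""
    return dict(Counter(agent for agent, _ in channel_events(lines, channel, event_id)))

def silent_agents(lines, expected, channel="Google", event_id=None):
    """Return the expected agents that delivered no matching event."""
    seen = summarize(lines, channel, event_id)
    return sorted(name for name in expected if name not in seen)

if __name__ == "__main__":
    import sys
    # Pass the archives.json path as the first argument; falls back to the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    print(summarize(lines, event_id=514))
```

Running it once with event_id=None and once with event_id=514 separates "the channel is not being collected at all" from "the channel arrives but event 514 does not".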
