AD Event log for Google Password Sync Tool


Daniel De Jesus

Dec 17, 2025, 4:33:21 PM
to Wazuh | Mailing List
Hello,

I am using Google Password sync tool for Active Directory. The tool adds the event logs under Applications and Service Logs > Google.

I would like Wazuh to collect these particular events because they provide more information on whether the password was successfully synced to Google.

I browsed the documentation and it said you can add an entry into the ossec_config of the manager settings for a local block. Here's what I have added:

  <localfile>
    <log_format>eventchannel</log_format>
    <location>C:\Windows\System32\Winevt\Logs\Google.evtx</location>
  </localfile>

Is this correct for this particular use case? Can I check to verify if it is working with filebeat? Thanks for any insight you can provide on this.

Erick Eduardo Badilla Valverde

Dec 17, 2025, 10:46:09 PM
to Wazuh | Mailing List
Hello Daniel, 

Using the <localfile> block is correct; however, there are two small adjustments I wanted to clarify, which are needed to make it work properly:

  1. For the eventchannel format, Wazuh expects the "Channel Name", not the file path itself. You should change "<location>C:\Windows\...\Google.evtx</location>" to "<location>Google</location>" (check that the "Channel Name" is the same as how it is listed in the Event Viewer properties for those logs).

  2. Ensure this configuration is placed in the ossec.conf of the Wazuh Agent installed on the Windows server, rather than the Wazuh Manager.

About verifying the configuration using Filebeat, I wanted to point out that Filebeat handles the transport of alerts from the Manager to the Dashboard, so it won't help you verify the ingestion on the Windows side. Instead, I recommend enabling the archives.log on your Wazuh Manager. This will allow you to see the raw events coming in from the agent in real time to confirm the connection is active and the logs are being processed correctly. You can find more information about localfile configuration and enabling the archives.log below:

Local configuration (ossec.conf) | Wazuh Agent

Enabling archiving | Wazuh Manager 


Regards, 
Erick B
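
The two adjustments and the archive check from the reply above, written out as configuration. This is an added example, not part of the original thread; the channel name `Google` is the one given in the reply and must match the channel's Full Name in Event Viewer, and the file paths in the comments are the default install locations, assumed here.

```xml
<!-- 1) Windows server running the sync tool: AGENT ossec.conf
        (default path assumed: C:\Program Files (x86)\ossec-agent\ossec.conf) -->
<ossec_config>
  <!-- Before: a file path. With log_format eventchannel, the location is
       read as a channel name, so this does not collect the events.
  <localfile>
    <log_format>eventchannel</log_format>
    <location>C:\Windows\System32\Winevt\Logs\Google.evtx</location>
  </localfile>
  -->

  <!-- After: the channel name exactly as listed in the log's properties
       in Event Viewer ("Google" is the value suggested in the thread). -->
  <localfile>
    <log_format>eventchannel</log_format>
    <location>Google</location>
  </localfile>
</ossec_config>

<!-- 2) Wazuh MANAGER ossec.conf (default path assumed: /var/ossec/etc/ossec.conf)
        Merge these settings into the existing <global> section. They archive
        every event received from agents, including ones that match no rule. -->
<ossec_config>
  <global>
    <!-- Plain-text archive: /var/ossec/logs/archives/archives.log -->
    <logall>yes</logall>
    <!-- JSON archive: /var/ossec/logs/archives/archives.json -->
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
```

Restart the agent and the manager after editing, then search the archive for the agent's name and the channel name to confirm the events arrive. The archive grows quickly with `logall` enabled, so set it back to `no` once ingestion is confirmed.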