Hello,
I recently noticed that in my current ossec.conf configuration file, the event IDs below are being ignored.
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]</query>
In the local ossec.conf article on the Wazuh site, only two event IDs are being ignored:
<!-- For monitoring Windows eventchannel -->
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<only-future-events>yes</only-future-events>
<query>Event/System[EventID != 5145 and EventID != 5156]</query>
<reconnect_time>10s</reconnect_time>
</localfile>
Why is there a difference between my current configuration and the configuration in the documentation? I made no changes to the file. Should I be ignoring the event IDs in my current configuration? Is that the default install? Or is that the default install that I need to modify?
What, if anything, do you recommend I should ignore?
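As an added illustration of what these two `<query>` elements actually do (example code written for this page, not part of the question or of Wazuh), the script below pulls the eventchannel query out of a `<localfile>` block, turns the `EventID != N and ...` predicate into the set of event IDs that will never reach the manager, and runs both the poster's query and the documented one over a small constructed list of Security events. The `ossec.conf` fragment and the sample events are constructed for the example; the event descriptions are the standard Windows Security audit event names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment carrying the poster's 13-ID query (assumption:
# the surrounding <localfile> tags follow the documented Wazuh layout).
OSSEC_CONF = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <only-future-events>yes</only-future-events>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]</query>
    <reconnect_time>10s</reconnect_time>
  </localfile>
</ossec_config>"""

# The two-ID query shown in the Wazuh documentation excerpt above.
DOC_QUERY = "Event/System[EventID != 5145 and EventID != 5156]"

# Constructed sample of Security events (EventID, standard Windows event name).
SAMPLE_EVENTS = [
    (4624, "An account was successfully logged on"),
    (4663, "An attempt was made to access an object"),
    (4688, "A new process has been created"),
    (5145, "A network share object was checked for access"),
    (5156, "The Windows Filtering Platform has permitted a connection"),
    (5157, "The Windows Filtering Platform has blocked a connection"),
]


def queries_from_conf(conf_xml: str) -> dict[str, str]:
    """Map each eventchannel <location> in the config to its <query> text."""
    root = ET.fromstring(conf_xml)
    queries = {}
    for lf in root.iter("localfile"):
        if lf.findtext("log_format") == "eventchannel":
            queries[lf.findtext("location")] = lf.findtext("query") or ""
    return queries


def excluded_ids(query: str) -> set[int]:
    """Return the event IDs dropped by a query of the form
    Event/System[EventID != N and EventID != M ...].

    Only this simple conjunction of inequalities is handled; anything else
    raises so a more complex XPath filter is not silently misread."""
    m = re.fullmatch(r"\s*Event/System\[(.*)\]\s*", query, re.DOTALL)
    if not m:
        raise ValueError(f"unsupported query shape: {query!r}")
    ids = set()
    for term in re.split(r"\s+and\s+", m.group(1).strip()):
        t = re.fullmatch(r"EventID\s*!=\s*(\d+)", term.strip())
        if not t:
            raise ValueError(f"unsupported predicate term: {term!r}")
        ids.add(int(t.group(1)))
    return ids


def forwarded(events, query: str) -> list[int]:
    """Event IDs the agent would forward under the given query, in input order."""
    dropped = excluded_ids(query)
    return [eid for eid, _ in events if eid not in dropped]


def extra_exclusions(current_query: str, reference_query: str) -> set[int]:
    """IDs the current config suppresses that the reference config does not."""
    return excluded_ids(current_query) - excluded_ids(reference_query)


if __name__ == "__main__":
    current = queries_from_conf(OSSEC_CONF)["Security"]
    print("dropped by docs query:   ", sorted(excluded_ids(DOC_QUERY)))
    print("dropped by current query:", sorted(excluded_ids(current)))
    print("extra in current config: ", sorted(extra_exclusions(current, DOC_QUERY)))
    for label, q in (("docs", DOC_QUERY), ("current", current)):
        print(f"forwarded under {label} query:", forwarded(SAMPLE_EVENTS, q))
```

Of the eleven extra IDs, 4656, 4658, 4660, 4663, 4670, 4690 and 4907 are object-access/handle audit events, 4703 is a token-privilege adjustment, and 5152, 5157 and 5447 are Windows Filtering Platform events; all are high-volume when object access or connection auditing is on, which is the usual reason they get filtered, but some detection rules key on them, so check your rule set before keeping the longer list. The same XPath can be tried against the live log on the agent with `Get-WinEvent -LogName Security -FilterXPath '*[System[EventID != 5145 and EventID != 5156]]'` to see what survives the filter before committing it to ossec.conf.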