Hello, Wazuh community,
This time, I bring the following question:
I have created the following configurations for the <localfile> modules for Windows. The modules are Security, Application, and System. Here's the code:
<!-- Level values: 0 = LogAlways, 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose -->
<!-- Level lives under Event/System, so the Level test must sit inside System[...]; -->
<!-- in the original form Event[System[EventID] and (Level != 4 and Level != 0)] the Level test -->
<!-- was evaluated against Event itself, where no Level node exists, so no event ever matched. -->
<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
<query>Event[System[EventID and (Level != 4 and Level != 0)]]</query>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<!-- Note: Security audit events (Audit Success / Audit Failure) carry Level 0 (LogAlways), -->
<!-- so not(Level = 4 or Level = 0) excludes them as well as the listed EventIDs. -->
<query>Event[System[not(EventID = 5145 or EventID = 5156 or EventID = 5447 or EventID = 4656 or EventID = 4658 or EventID = 4663 or EventID = 4660 or EventID = 4670 or EventID = 4690 or EventID = 4703 or EventID = 4907 or EventID = 5152 or EventID = 5157) and not(Level = 4 or Level = 0)]]</query>
</localfile>
<localfile>
<location>System</location>
<log_format>eventchannel</log_format>
<query>Event[System[EventID and (Level != 4 and Level != 0)]]</query>
</localfile>
What I'm trying to do is to have it send me all EventIDs that are different from levels 4 and 0. In my configuration, I don't need to receive Windows EventIDs that are informational. I only want to receive critical, error, warning, and verbose EventIDs.
After applying the query, I have been monitoring and testing to generate alerts for these three mentioned types, but they are not being sent to the Wazuh server. Is it possible that there is an error in the query?