Exact windows event ID


banjer

Jan 6, 2012, 8:34:16 AM
to ossec-list
Hi, I'm trying to log Windows update events, which in Windows is Event
ID 19. I have had success with this rule:


<rule id="100034" level="1">
<if_sid>18101</if_sid>
<status>^INFORMATION</status>
<id>19</id>
<description>Windows Update successfully installed.</description>
</rule>

OSSEC will now log typical update events such as this:


WinEvtLog: System: INFORMATION(19): Microsoft-Windows-WindowsUpdateClient: SYSTEM: NT AUTHORITY: myserver.domain.foo.com: Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 for x64 (KB2656362) {7ECDE510-CD10-478B-89EC-1D7B255C3419} 104


However, it also logs informational events with 19 in the event ID,
such as:

WinEvtLog: Application: INFORMATION(3198): MSSQL$CAST: SYSTEM: NT AUTHORITY: SEDNA.omni.imsweb.com: I/O was resumed on database castmain60-vt-report_test_updated. No user action is required.


Is it possible to log an event id that is EXACTLY 19? Thanks!

dan (ddp)

Jan 6, 2012, 9:15:01 AM
to ossec...@googlegroups.com
Try:
<id>^19$</id>

BP9906

Jan 6, 2012, 1:38:23 PM
to ossec-list
Dan is right, I've found that <id>##</id> won't work as well as
<id>^##</id> or <id>^##$</id>.

(## = windows event id)

banjer

Jan 9, 2012, 7:50:18 AM
to ossec-list
You're right - this did in fact work for me:

<id>^19$</id>

My head wasn't on tight when I was testing before. Thanks guys.
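The following is an added example, not code from the thread or from OSSEC: it emulates the anchoring behaviour the replies describe (an unanchored <id>19</id> matching any event ID that contains 19, ^19 matching IDs that start with 19, ^19$ matching only 19) over constructed WinEvtLog lines. The anchor handling is a simplified model of literal-pattern matching, not OSSEC's own matching engine; the event parser and the sample lines are assumptions built from the log format shown above.

```python
import re

# Constructed sample events modelled on the WinEvtLog lines in the thread
# (message bodies trimmed; the last two lines are invented for coverage).
SAMPLE_EVENTS = [
    "WinEvtLog: System: INFORMATION(19): Microsoft-Windows-WindowsUpdateClient: "
    "SYSTEM: NT AUTHORITY: myserver.domain.foo.com: Security Update (KB2656362)",
    "WinEvtLog: Application: INFORMATION(3198): MSSQL$CAST: SYSTEM: NT AUTHORITY: "
    "SEDNA.omni.imsweb.com: I/O was resumed on database castmain60-vt-report_test_updated.",
    "WinEvtLog: System: INFORMATION(1900): ConstructedSource: SYSTEM: NT AUTHORITY: host: x",
    "WinEvtLog: System: WARNING(19): ConstructedSource: SYSTEM: NT AUTHORITY: host: x",
]

# Pull channel, level and event id out of the leading "Channel: LEVEL(ID):" fields.
_HEADER = re.compile(r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z]+)\((?P<id>\d+)\):")


def parse_event(line):
    """Return {'log', 'status', 'id'} for a WinEvtLog line, or None if it does not parse."""
    m = _HEADER.match(line)
    if not m:
        return None
    return {"log": m.group("log"), "status": m.group("status"), "id": m.group("id")}


def anchored_match(pattern, value):
    """Simplified model of a literal rule pattern with optional ^ and $ anchors
    (assumption: not OSSEC's engine). Unanchored patterns are substring matches,
    which is why <id>19</id> also fires on event 3198."""
    starts, ends = pattern.startswith("^"), pattern.endswith("$")
    literal = pattern.strip("^$")
    if starts and ends:
        return value == literal
    if starts:
        return value.startswith(literal)
    if ends:
        return value.endswith(literal)
    return literal in value


def rule_matches(line, id_pattern, status_pattern="^INFORMATION"):
    """Emulate the rule from the thread: <status>^INFORMATION</status> plus an <id> pattern."""
    ev = parse_event(line)
    if ev is None:
        return False
    return anchored_match(status_pattern, ev["status"]) and anchored_match(id_pattern, ev["id"])


def matching_ids(id_pattern, lines=SAMPLE_EVENTS):
    """Event ids of every sample line the rule would fire on for the given <id> pattern."""
    return [parse_event(l)["id"] for l in lines if rule_matches(l, id_pattern)]
```

matching_ids("19") fires on 19, 3198 and 1900, matching_ids("^19") on 19 and 1900, and only matching_ids("^19$") is limited to event 19; the WARNING(19) line is excluded in all three cases by the status check.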