
Forwarding Hyper-V events via OSSEC

letstryav

New Life Form
Hello,

I'm trying to forward Hyper-V Windows events. Hyper-V events are located in:
"Application and Services Logs > Microsoft > Windows > Hyper-V-Worker > Admin"
The problem is that OSSEC uses "-" between different tree levels. For example, if I want OSSEC to forward events in AppID I would write:
"<location>Microsoft-Windows-AppID/Operational</location>"
The "-" is causing problems as you can see, because writing "<location>Microsoft-Windows-Hyper-V-Worker/Admin</location>" won't work because OSSEC will look for "Application and Services Logs > Microsoft > Windows > Hyper > V > Worker > Admin".

Any way to overcome this?

I believe that NXLog will have the same problem.

Thanks.


Best Answer

  • Answer ✓
    It turned out that the "-" isn't the problem, it actually was the "/".
    What you need to use is: "<location>Microsoft-Windows-Hyper-V-Worker-Admin</location>" 

    Cheers.
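
The Event Viewer tree does not show the channel name that goes into `<location>`, so it helps to read the names from Windows directly. The script below is an added example, not part of the original posts: run on the Hyper-V host, it lists the enabled Hyper-V event channels and prints an ossec.conf block for each. It assumes the OSSEC Windows agent reads these channels with the `eventchannel` log format.

```powershell
# Added example: enumerate the real Hyper-V event channel names on this host
# and print an ossec.conf <localfile> block for each enabled channel.
# Assumption: the OSSEC agent collects them with log_format "eventchannel".
$channels = Get-WinEvent -ListLog 'Microsoft-Windows-Hyper-V-*' -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled } |
    Sort-Object LogName

if (-not $channels) {
    Write-Warning 'No enabled Hyper-V event channels found (is the Hyper-V role installed?)'
    return
}

foreach ($ch in $channels) {
    # LogName is the exact string Windows uses for the channel;
    # copy it verbatim into <location>.
    @"
<localfile>
  <location>$($ch.LogName)</location>
  <log_format>eventchannel</log_format>
</localfile>
"@
}
```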