Some Windows event IDs do not have a corresponding event



I have a Veritas Backup Exec that writes its logs to the Windows event log.

I already installed the OSSEC agent in the server.

How can I verify if the USM can parse the event using the Windows event ID?

If it is not in the default, how do I make the USM appliance receive those Windows event IDs?

  • lapis,

    The alienvault-hids plugin is configured to collect default Windows events, and as such the plugin will not parse custom or third-party application events, because the matching rules were not written for those log entries.

    What you will need to do is create a custom plugin, or extend the alienvault-hids plugin in order to parse those events. Optionally, you could consider working with one of our professional service partners if you feel you would prefer assistance with creating this plugin or plugin extension.

    As a side note, you may want to weigh whether the logs you are looking to parse affect risk analysis as adding non-security related logs will introduce noise which could obfuscate security events happening in your environment, and complicate analysis of existing events.
  • Hi Kcoe, 

    Thank you so much for your response.  

    Is there a cfg file I need to update so I can create an event for the other Windows event IDs?

    I found a similar question here in the community.

    I do not plan to enable all Windows event logs to be sent, just the events that I need.
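Kcoe's answer describes the core behaviour: the HIDS plugin only produces an event when one of its matching rules fits the log line, so a third-party event ID with no rule is silently dropped. The script below, an added example that is not from this thread and not AlienVault's or OSSEC's own plugin code, shows that behaviour on constructed sample lines. It assumes the `WinEvtLog:` line format the OSSEC agent uses when forwarding Windows Event Log entries, models the plugin's rules as a small `(channel, event_id)` table, and reports which `(source, event_id)` pairs lack a rule, which is exactly the inventory you need before writing a custom plugin or an extension. The Backup Exec event IDs in the sample are placeholders, not real Backup Exec IDs.

```python
import re
from collections import Counter

# Constructed sample log lines in the WinEvtLog format the OSSEC agent uses
# when forwarding Windows Event Log entries (format assumed for this example).
# Event IDs 4624/4625 are real Windows Security IDs; 65001/65002 are
# constructed placeholders standing in for third-party Backup Exec events.
SAMPLE_LOG = """\
2024 Mar 01 10:15:02 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV01: An account was successfully logged on.
2024 Mar 01 10:15:09 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV01: An account failed to log on.
2024 Mar 01 10:16:30 WinEvtLog: Application: INFORMATION(65001): Backup Exec: (no user): no domain: SRV01: Backup job completed successfully.
2024 Mar 01 10:17:41 WinEvtLog: Application: ERROR(65002): Backup Exec: (no user): no domain: SRV01: Backup job failed.
2024 Mar 01 10:18:05 WinEvtLog: Application: ERROR(65002): Backup Exec: (no user): no domain: SRV01: Backup job failed.
"""

# One regex for the whole WinEvtLog line; the named groups are the fields a
# plugin rule would normally extract.
WINEVT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<level>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)

# Stand-in for the default plugin's matching rules: only these
# (channel, event_id) pairs are recognised. Everything else is dropped.
DEFAULT_RULES = {
    ("Security", 4624): "logon success",
    ("Security", 4625): "logon failure",
}


def parse_line(line):
    """Split one WinEvtLog line into fields; return None if it is not one."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    return ev


def classify(log_text, rules=DEFAULT_RULES):
    """Return (matched, unmatched): events a rule covers, and events that
    would be dropped because no rule in `rules` fits them."""
    matched, unmatched = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["channel"], ev["event_id"])
        if key in rules:
            ev["rule"] = rules[key]
            matched.append(ev)
        else:
            unmatched.append(ev)
    return matched, unmatched


def missing_rule_ids(log_text, rules=DEFAULT_RULES):
    """Count (source, event_id) pairs that no rule covers: the list of IDs
    a custom plugin or plugin extension would need rules for."""
    _, unmatched = classify(log_text, rules)
    return Counter((ev["source"], ev["event_id"]) for ev in unmatched)


if __name__ == "__main__":
    matched, unmatched = classify(SAMPLE_LOG)
    print(f"{len(matched)} events matched a rule, {len(unmatched)} would be dropped")
    for (src, eid), n in sorted(missing_rule_ids(SAMPLE_LOG).items()):
        print(f"  no rule for source '{src}' event ID {eid} ({n} occurrence(s))")
```

Running it against the sample reports two matched Security events and three dropped Backup Exec events, grouped by event ID. Passing an extended rule table to `classify` (the default rules plus an entry per Backup Exec ID you actually want) is the programmatic equivalent of the plugin extension Kcoe describes, and keeping that table to the IDs you need is what keeps the noise down.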


