Add eventchannel support for OSSEC agent on Windows Vista or greater #28
This pull request adds a new feature to the Windows agent, to be able to monitor "Application and Services Logs" that appeared with Windows Vista. This is not currently possible (OSSEC will read the "Applications" eventlog instead).
Previous discussions on this topic:
For example, we can now monitor the "Microsoft-Windows-PrintService/Operational" eventlog with this config:
By default, OSSEC will keep track of where it was before stopping, which means that it will read (at start time) all events that occurred between stop and start in order not to miss any event. However, you can cancel this behaviour with the "only-future-events" parameter:
You can also use an XPath query if you are not interested in all the events (see the event schema to construct queries: http://msdn.microsoft.com/en-us/library/windows/desktop/aa385201%28v=vs.85%29.aspx):
With this config, OSSEC will only receive events from the "System" eventlog that have an event ID equal to 7040.
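The three configurations described above, written out as an added example that is not part of the pull request text itself; the `<localfile>` element names (`log_format`, `location`, `only-future-events`, `query`) are assumed to be the ones this feature reads from ossec.conf, and the channel names and event ID are the ones the description uses:

```xml
<ossec_config>
  <!-- 1. Monitor an "Application and Services Logs" channel.
       log_format "eventchannel" selects the new Vista+ reader
       instead of the legacy "eventlog" reader (assumed keyword). -->
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- 2. Same channel, but do not replay events that were written
       while the agent was stopped. Default behaviour (without this
       element) is to resume from the last bookmark so nothing is lost;
       set this only where a gap in coverage is acceptable. -->
  <localfile>
    <location>Microsoft-Windows-PrintService/Operational</location>
    <log_format>eventchannel</log_format>
    <only-future-events>yes</only-future-events>
  </localfile>

  <!-- 3. Server-side filtering with an XPath query: only EventID 7040
       (service start-type changed) from the System channel is delivered
       to the agent, so noisy channels do not flood the manager. -->
  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID=7040]</query>
  </localfile>
</ossec_config>
```

A quick way to validate the query before deploying it is to paste the same XPath into Event Viewer's "Filter Current Log" XML tab, which uses the same schema the link above documents.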
A few things to note:
Note: replaces PR 27 (contained too many commits for an unknown reason ...)