
I'm using OSSEC to try and monitor services on servers, such as the Windows Event Log.

I would like to know if a service has stopped or started and get emailed accordingly.

I have tried a rule that alerts on event ID 6006 (The Event log service was stopped).

<rule id="100011" level="10">
        <match>INFORMATION(6006)</match>
        <options>alert_by_email</options>
        <description>The Event log service was stopped.</description>
</rule>

But this didn't fire on the event. So I tried testing the log in ossec-logtest.

I had to make up the log entry, as I was unable to get hold of the log that ossec-analysisd would process from the Windows Event Viewer.

I tried the log in ossec-logtest and it seemed to be firing OK.

Input Log:

2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.

Ossec-logtest output:

**Phase 1: Completed pre-decoding.
       full event: '2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.'
       hostname: 'CentOS1'
       program_name: '(null)'
       log: '2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: WIN-4HSALJIGG2H: The Event log service was stopped.'
**Phase 2: Completed decoding.
       No decoder matched.
**Phase 3: Completed filtering (rules).
       Rule id: '100011'
       Level: '10'
       Description: 'The Event log service was stopped.'
**Alert to be generated.

This has led me to think that the agents are not sending the log event 6006 to the OSSEC server. I am using the default configuration on the agent; is there anything I'm missing to get event ID 6006 to fire?

Richard
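The question above ends with a hypothesis (the agents are not forwarding event 6006) that was never verified. The following is an added, editor-written example, not the poster's code and not part of OSSEC itself, that separates the three things a defender would want to check individually: whether the forwarded WinEvtLog line parses the way the logtest input suggests, whether the rule's `<match>` string actually hits that line under OSSEC's simple match semantics (literal substring, with `^`, `$` and `|` as the only special characters, which is why the parentheses in `INFORMATION(6006)` are fine in `<match>`), and whether the agent's `ossec.conf` even lists the channel the event lives in as an `eventlog` `<localfile>`. The field labels `user`, `domain` and `host` are assumed from the order of fields in the question's sample line, the `ossec.conf` fragment is constructed to collect only two channels so the gap is visible, and the `<match>` emulation is a simplification of OSSEC's own matcher.

```python
"""Added example: three sanity checks for an OSSEC Windows Event Log rule.

  1. parse a WinEvtLog line as the agent forwards it (field order from the
     question; the user/domain/host labels are assumed),
  2. emulate the OSSEC <match> semantics (literal substring with ^ $ and |),
  3. list which event log channels an agent ossec.conf actually collects.
Illustrative code, not OSSEC's own implementation.
"""
import re
import xml.etree.ElementTree as ET

# Optional syslog-style timestamp, then the agent's fixed field layout.
WINEVT_RE = re.compile(
    r"^(?:\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d )?"      # "2014 Sep 18 10:10:54 "
    r"WinEvtLog: (?P<channel>[^:]+): "
    r"(?P<level>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<provider>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "  # assumed labels
    r"(?P<message>.*)$"
)


def parse_winevt(line: str):
    """Return the named fields of a forwarded WinEvtLog line, or None."""
    m = WINEVT_RE.match(line.strip())
    return m.groupdict() if m else None


def ossec_match(pattern: str, log: str) -> bool:
    """Emulate OSSEC <match>: each '|' alternative is a literal substring;
    '^' anchors to the start and '$' to the end of the log. Parentheses are
    literal here, unlike in <regex> where they would need escaping."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if at_start else alt
        lit = lit[:-1] if at_end else lit
        if at_start and at_end:
            hit = log == lit
        elif at_start:
            hit = log.startswith(lit)
        elif at_end:
            hit = log.endswith(lit)
        else:
            hit = lit in log
        if hit:
            return True
    return False


def collected_eventlog_channels(conf_text: str):
    """Channels with a <localfile> whose log_format is eventlog.
    ossec.conf may hold several <ossec_config> roots, so wrap it first."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    channels = set()
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        loc = (lf.findtext("location") or "").strip()
        if fmt == "eventlog" and loc:
            channels.add(loc)
    return channels


# Constructed sample input: the line from the question, plus an agent config
# that collects only two channels (constructed, not a shipped default).
SAMPLE_LOG = ("2014 Sep 18 10:10:54 WinEvtLog: System: INFORMATION(6006): "
              "Microsoft-Windows-Eventlog: username: WIN-4HSALJIGG2H: "
              "WIN-4HSALJIGG2H: The Event log service was stopped.")
SAMPLE_AGENT_CONF = """
<ossec_config>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
"""
RULE_MATCH = "INFORMATION(6006)"   # the <match> from rule 100011


def diagnose(log: str = SAMPLE_LOG, conf_text: str = SAMPLE_AGENT_CONF):
    """Why a rule can fire in ossec-logtest yet never on the live server."""
    fields = parse_winevt(log)
    channels = collected_eventlog_channels(conf_text)
    return {
        "rule_matches_line": ossec_match(RULE_MATCH, log),
        "channel": fields["channel"] if fields else None,
        "event_id": fields["event_id"] if fields else None,
        "agent_collects_channel": bool(fields) and fields["channel"] in channels,
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run against the constructed input, `diagnose()` reports that the rule matches the line and that the event is on the `System` channel, but that the sample agent config does not collect `System`, which is exactly the situation where logtest succeeds and the server stays silent. Pointing `collected_eventlog_channels` at the real agent's `ossec.conf` (and confirming the channel is present, then that the agent's log shows the event being read) narrows the search before touching the rule again.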