Windows Event Channel monitoring in OSSEC is the modern successor to Event Log monitoring, and unlike Event Log, Event Channel lets you write queries to filter events. In this case we will configure OSSEC to monitor the events logged when the Windows Firewall is started or stopped, and when a rule is created, modified or removed.

Identifying Windows Firewall events

  • ID 2003: The firewall was activated for a profile.
  • ID 2004: A new rule was created.
  • ID 2005: A rule was modified.
  • ID 2006: A rule was […]
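The following ossec.conf fragment is an added example (not code from the original page) showing how the Event Channel monitoring described above is configured on the OSSEC agent: it subscribes to the firewall channel and uses a query so that only the Event IDs listed above are forwarded. The channel name is assumed to be the standard "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" channel, which the page does not name.

```xml
<!-- Added example: OSSEC agent configuration (ossec.conf) for Windows Firewall
     events via Event Channel. The channel name below is an assumption and is not
     taken from the page; it is the channel Windows writes firewall rule events to. -->
<ossec_config>
  <localfile>
    <!-- Windows Firewall with Advanced Security event channel -->
    <location>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</location>
    <!-- eventchannel (not eventlog) is what enables the <query> filter -->
    <log_format>eventchannel</log_format>
    <!-- XPath filter: only firewall activation and rule create/modify/remove events
         (IDs 2003, 2004, 2005, 2006) are collected, everything else on the channel
         is ignored by the agent -->
    <query>Event/System[EventID=2003 or EventID=2004 or EventID=2005 or EventID=2006]</query>
  </localfile>
</ossec_config>
```

Restart the OSSEC agent after editing the file; to cover additional firewall events, extend the `or EventID=...` list in the query rather than removing it, so the channel's noise stays filtered out.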