Hi Gary, I am glad you are enjoying ossec so far, rest inline..

On 6/26/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> I want to receive an alert whenever there is software installed on the
> Windows 2003 box so I can see if updates etc are installed properly and no
> one puts any unauthorised programs on the server.

Good idea... Not all programs are going to generate events (especially if they
use different installers), but as a policy violation measure it is pretty good.

> The Windows Msi installer events are information events and seem to all have
> Event IDs like: 117xx. I've tried the following to get it working, but no
> luck yet.
>
> In msauth_rules.xml it has the following:
>
>   <rule id="18101" level="0">
>     <if_sid>18100</if_sid>
>     <status>^INFORMATION</status>
>     <description>Windows informational event.</description>
>   </rule>
>
> Since I'm after information events and the level of the above rule is 0, I
> figured it would drop the event and go no further, so I put the following
> in the local_rules.xml
>
>   <group name="local,windows,">
>
>   <rule id="18101" level="1" overwrite="yes">
>     <if_sid>18100</if_sid>
>     <status>^INFORMATION</status>
>     <description>Windows informational event.</description>
>   </rule>

Sounds correct to me, but you don't need to set the level to 1 in here for
your other rule to work. However, for debugging it is good. Are you getting
every informational event on /var/ossec/logs/alerts/alerts.log?

>   <!-- Trying to alert Windows application installations. -->
>   <rule id="100101" level="8">
>     <if_sid>18101</if_sid>
>     <id>^117</id>
>     <description>Windows Installation Activity</description>
>   </rule>
>
>   </group>
>
> Am I going about this the right way or is there something else I need to
> do?

Looks like you are doing it correctly. Look at the alerts.log and you should
be getting now every windows informational log too. If it is not, try sending
a couple of log samples for us to take a look.

> Also, when I edit the rules or the configuration files, do I need to
> restart the server and/or agent? I've been restarting the server, because
> what I understand from the wiki is that the server sends new rules out to
> the agents.

You only need to restart the server. The agent does no log parsing...

> Any help would be much appreciated.
>
> -GP

hope it helps.

-- 
Daniel B. Cid
dcid ( at ) ossec.net
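The point Daniel makes above (a level-0 parent rule does not stop its children from matching, so the level-1 overwrite of 18101 is only useful for debugging) is easy to see with a small model of OSSEC's rule walk. The following is an added example written for this page; it is not OSSEC code and is not from either poster. It assumes the agent's "WinEvtLog: <log>: <TYPE>(<id>): <source>: ..." line layout, models rule 18100 as the level-0 "windows" category grouping rule that 18101 chains from, and uses constructed sample lines, not real event logs. It does not model decoders, frequency/timeframe or groups, only <if_sid>, level 0 and overwrite="yes".

```python
import re

# Added example (not OSSEC code): a simplified model of how OSSEC walks its
# rule tree for the rules quoted in this thread. Only <if_sid>, level 0 and
# overwrite="yes" are modelled; the real analysisd does far more.

class Rule:
    def __init__(self, rid, level, if_sid=None, category=None, status=None,
                 event_id=None, description="", overwrite=False):
        self.id, self.level, self.if_sid = rid, level, if_sid
        self.category = category
        # <status> and <id> in OSSEC rules are user-anchored regexes
        self.status = re.compile(status) if status else None
        self.event_id = re.compile(event_id) if event_id else None
        self.description, self.overwrite = description, overwrite

    def matches(self, ev):
        if self.category and ev.get("category") != self.category:
            return False
        if self.status and not self.status.search(ev.get("status", "")):
            return False
        if self.event_id and not self.event_id.search(ev.get("id", "")):
            return False
        return True

def decode_winevtlog(line):
    """Toy decoder for the assumed 'WinEvtLog: <log>: <TYPE>(<id>): <source>: ...'
    agent line layout. Returns the fields the rules look at, or None."""
    m = re.search(r"WinEvtLog: (\w+): ([A-Z_]+)\((\d+)\): ([^:]+):", line)
    if not m:
        return None
    return {"category": "windows", "log": m.group(1), "status": m.group(2),
            "id": m.group(3), "source": m.group(4)}

def load_rules(*rule_sets):
    """Merge rule sets in load order. Reusing an id requires overwrite="yes",
    exactly as local_rules.xml overrides a rule from msauth_rules.xml."""
    table = {}
    for rules in rule_sets:
        for r in rules:
            if r.id in table and not r.overwrite:
                raise ValueError(f"rule {r.id} redefined without overwrite")
            table[r.id] = r
    return table

def evaluate(table, ev):
    """Walk the tree: root rules (no if_sid) first, then the children whose
    if_sid names the rule that just matched. A level-0 parent does not stop
    the walk; level 0 only means that parent itself raises no alert."""
    best, frontier = None, [r for r in table.values() if r.if_sid is None]
    while frontier:
        hit = next((r for r in frontier if r.matches(ev)), None)
        if hit is None:
            break
        best = hit
        frontier = [r for r in table.values() if r.if_sid == hit.id]
    return best

def alert_level(table, line):
    """Level that would reach alerts.log for this line (0 = dropped)."""
    ev = decode_winevtlog(line)
    if ev is None:
        return 0
    hit = evaluate(table, ev)
    return hit.level if hit else 0

# msauth_rules.xml subset as quoted in the thread (18100 modelled as the
# level-0 "windows" grouping rule that 18101 chains from).
MSAUTH = [
    Rule(18100, 0, category="windows", description="Group of windows rules."),
    Rule(18101, 0, if_sid=18100, status="^INFORMATION",
         description="Windows informational event."),
]
# Gary's local_rules.xml: the level-1 debugging overwrite plus the installer rule.
LOCAL_WITH_OVERWRITE = [
    Rule(18101, 1, if_sid=18100, status="^INFORMATION", overwrite=True,
         description="Windows informational event."),
    Rule(100101, 8, if_sid=18101, event_id="^117",
         description="Windows Installation Activity"),
]
# The same without the overwrite, which Daniel says is not needed.
LOCAL_MINIMAL = [LOCAL_WITH_OVERWRITE[1]]

# Constructed sample lines in the assumed WinEvtLog layout (not real logs).
MSI_LINE = ("2007 Jun 26 10:15:02 WinEvtLog: Application: INFORMATION(11707): "
            "MsiInstaller: SYSTEM: NT AUTHORITY: WIN2003: Product: Example App "
            "-- Installation completed successfully.")
NOISE_LINE = ("2007 Jun 26 10:15:30 WinEvtLog: Application: INFORMATION(1000): "
              "Userenv: SYSTEM: NT AUTHORITY: WIN2003: User logon finished.")
AUDIT_LINE = ("2007 Jun 26 10:16:00 WinEvtLog: Security: AUDIT_SUCCESS(528): "
              "Security: gp: WIN2003: WIN2003: Successful Logon: User Name: gp")

if __name__ == "__main__":
    for name, local in (("with overwrite", LOCAL_WITH_OVERWRITE),
                        ("minimal", LOCAL_MINIMAL)):
        table = load_rules(MSAUTH, local)
        print(name, [alert_level(table, l) for l in (MSI_LINE, NOISE_LINE, AUDIT_LINE)])
```

With the overwrite in place every INFORMATION event surfaces at level 1 (which is why Daniel asks whether alerts.log is now filling with informational events); without it the 117xx installer event still reaches rule 100101 at level 8 while the other informational events stay at level 0 and are dropped.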