Hi Dennis,

This is very easy to do with a local rule. You just need to match based on the policy you added and the agents you are interested in monitoring. Example:
    <rule id="100122" level="10">
      <if_sid>512</if_sid>
      <match>My custom process check</match>
      <hostname>agent1|agent2|agent3</hostname>
      <description>Windows Audit event test.</description>
      <group>rootcheck,</group>
    </rule>

If you can show us a sample of the alerts you are getting, we can help you write a real rule for it...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 2, 2007 9:08 AM, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote:
>
> Yes this is in Ossec now, but the windows audit file affects all of the
> Windows agents. I want to watch processes that are not on all of the
> machines, so now if I watch, say, IIS it has to be running on all of the
> windows agents or I will get alerts on it.
>
> Sincerely
> Dennis Borkhus-Veto
> Systems Administrator
> MEE Material Handling L.L.C
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
> On Behalf Of Peter M. Abraham
> Sent: Thursday, November 01, 2007 8:32 PM
> To: ossec-list
> Subject: [ossec-list] Re: Windows Audit
>
> Greetings Dennis:
>
> If I understand your question correctly, are you asking to be alerted
> if a process fails or otherwise was running and then stops?
>
> If yes, does the process in question record anything in a log file?
>
> If not in a log file, if you are comfortable scripting, you might be
> able to write something to regularly write the process tree to a file,
> and do a regular expression against the process name that should be
> running; when not present, then alert.
>
> Thank you.
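A small dry run of the rule from the reply above, added here as an example and not code from the thread or from OSSEC: it parses the local rule, feeds it constructed Windows Audit events from several agents, and shows which agents land on rule 100122 and which fall back to 512. It assumes that OSSEC's hostname pattern is a substring match with `|` as OR and `^`/`$` as anchors, so the unanchored `agent1` also matches an agent called `agent10`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed local_rules.xml fragment: the same rule as in the reply above.
LOCAL_RULE = """<group name="local,syslog,">
  <rule id="100122" level="10">
    <if_sid>512</if_sid>
    <match>My custom process check</match>
    <hostname>agent1|agent2|agent3</hostname>
    <description>Windows Audit event test.</description>
    <group>rootcheck,</group>
  </rule>
</group>"""

# Constructed sample events: (agent name, text of a Windows Audit rootcheck
# alert that the base rule 512 has already matched).
SAMPLE_EVENTS = [
    ("agent1", "Windows Audit: My custom process check - IIS is not running."),
    ("agent7", "Windows Audit: My custom process check - IIS is not running."),
    ("agent2", "Windows Audit: Some other policy item failed."),
    ("agent10", "Windows Audit: My custom process check - IIS is not running."),
]

def parse_rule(xml_text):
    """Pull the fields this dry run needs out of the <rule> element."""
    rule = ET.fromstring(xml_text).find("rule")
    return {
        "id": rule.get("id"),
        "if_sid": rule.findtext("if_sid"),
        "match": rule.findtext("match"),
        "hostname": rule.findtext("hostname"),
    }

def hostname_matches(pattern, agent):
    # Assumption: OSSEC's <hostname> is a simple pattern where '|' is OR and
    # '^'/'$' anchor; an unanchored name is a substring test, so 'agent1' also
    # hits 'agent10'. Python's re.search reproduces that for plain names.
    return re.search(pattern, agent) is not None

def rule_fires(rule, agent, message):
    """Both the <match> string and the <hostname> pattern must hit."""
    return rule["match"] in message and hostname_matches(rule["hostname"], agent)

def evaluate(rule, events):
    """Return which rule id each event ends up on: the local rule when it
    fires, otherwise the parent rule named in <if_sid>."""
    return [(agent, rule["id"] if rule_fires(rule, agent, msg) else rule["if_sid"])
            for agent, msg in events]

if __name__ == "__main__":
    for agent, rule_id in evaluate(parse_rule(LOCAL_RULE), SAMPLE_EVENTS):
        print(agent, "->", rule_id)
    # Anchoring each name keeps agent10 from matching agent1.
    print(hostname_matches("^agent1$|^agent2$|^agent3$", "agent10"))
```

Anchoring the names (`^agent1$|^agent2$|^agent3$`) is the fix when agent names share a prefix.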