Hi Dennis,

This is very easy to do with a local rule. You just need to match
based on the policy you added and the agents
you are interested to monitor. Example:

  <rule id="100122" level="10">
    <if_sid>512</if_sid>
    <match>My custom process check</match>
    <hostname>agent1|agent2|agent3</hostname>
    <description>Windows Audit event test.</description>
    <group>rootcheck,</group>
  </rule>

If you can show us a sample of the alerts you are getting, we can help
you write a real rule for it...


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
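
As an added illustration (not code from the original reply or from OSSEC itself), here is a small Python emulation of how the three rule fields above select rootcheck events from named agents, so you can see which agents fire before loading the rule into local_rules.xml. The event records and agent names are constructed, and the semantics modelled (substring <match>, '|'-separated unanchored <hostname> alternatives, evaluated only after the parent rule in <if_sid> matched) are assumptions about the OSSEC rule engine, which really runs inside ossec-analysisd.

```python
import re
import xml.etree.ElementTree as ET

# The local rule from the reply above, embedded as a string.
LOCAL_RULE = """
<rule id="100122" level="10">
  <if_sid>512</if_sid>
  <match>My custom process check</match>
  <hostname>agent1|agent2|agent3</hostname>
  <description>Windows Audit event test.</description>
  <group>rootcheck,</group>
</rule>
"""

# Constructed rootcheck events: the rule id that already matched the event
# (512 = rootcheck), the agent name, and the alert text.
CHECK = "My custom process check failed: w3wp.exe not running"
EVENTS = [
    {"parent_sid": 512, "hostname": "agent1", "log": CHECK},
    {"parent_sid": 512, "hostname": "agent4", "log": CHECK},            # not listed
    {"parent_sid": 512, "hostname": "agent2", "log": "Other policy"},   # wrong text
    {"parent_sid": 510, "hostname": "agent3", "log": CHECK},            # wrong parent
    {"parent_sid": 512, "hostname": "agent10", "log": CHECK},           # see caveat
]

def parse_rule(xml_text):
    """Pull the fields this emulation understands out of a <rule> element."""
    root = ET.fromstring(xml_text.strip())
    return {
        "id": int(root.get("id")),
        "level": int(root.get("level")),
        "if_sid": {int(s) for s in root.findtext("if_sid").split(",") if s.strip()},
        "match": root.findtext("match"),
        "hostname": root.findtext("hostname"),
    }

def rule_fires(rule, event):
    """True when <if_sid>, <match> and <hostname> all accept the event."""
    if event["parent_sid"] not in rule["if_sid"]:
        return False
    if rule["match"] not in event["log"]:      # <match> is a plain substring test
        return False
    if rule["hostname"]:
        # '|' separates alternatives; each is an unanchored substring match, so
        # "agent1" also accepts "agent10" (anchor with ^ and $ to prevent that).
        alts = [re.escape(h) for h in rule["hostname"].split("|")]
        if not re.search("|".join(alts), event["hostname"]):
            return False
    return True

def matching_agents(events=EVENTS, rule_xml=LOCAL_RULE):
    """Names of the agents whose events would raise rule 100122."""
    rule = parse_rule(rule_xml)
    return [e["hostname"] for e in events if rule_fires(rule, e)]

if __name__ == "__main__":
    print(matching_agents())   # ['agent1', 'agent10']
```

The last event shows why anchoring the hostname list matters when agent names share a prefix.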
On Nov 2, 2007 9:08 AM, Dennis Borkhus-Veto <[EMAIL PROTECTED]> wrote:
>
> Yes this is in Ossec now, but the windows audit file affects all of the
> Windows agents.  I want to watch processes that are not on all of the
> machines so now if I watch say IIS it has to be running on all of the
> windows agents or I will get alerts on it.
>
> Sincerely
> Dennis Borkhus-Veto
> Systems Administrator
> MEE Material Handling L.L.C
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED]
> On Behalf Of Peter M. Abraham
> Sent: Thursday, November 01, 2007 8:32 PM
> To: ossec-list
> Subject: [ossec-list] Re: Windows Audit
>
>
> Greetings Dennis:
>
> If I understand your question correctly, are you asking to be alerted
> if a process fails or otherwise was running and then stops?
>
> If yes, does the process in question record anything in a log file?
>
> If not in a log file, if you are comfortable scripting, you might be
> able to write something to regularly write the process tree to a file,
> and do a regular expression against the process name that should be
> running; when not present, then alert.
>
> Thank you.
>
>