I'd try escaping the comma with a backslash. (or perhaps a double backslash?)

--
ScottVR



On May 1, 2012, at 5:45 PM, Michael <mkleinpa...@gmail.com> wrote:

> So, I'm getting OSSEC running for the company I work for.  So far so
> good up to the point of monitoring the registry.  All the basic ones
> are fine, but we have some entries our developers are using commas in
> the reg entry names.  Basically the registry entry looks like this:
> 
> HKEY_LOCAL_MACHINE\Software\Our Software, Inc\product
> HKEY_LOCAL_MACHINE\Software\Wow6432Node\Our Software, Inc\product
> 
> What I would expect to see is this:
> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Ours Software, Inc\product'.
> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Ours Software, Inc\product'.
> 
> The problem is that when I add that hive to the ossec.conf the logs
> show this:
> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Ours Software'.
> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry: 'Inc
> \product'.
> 2012/05/01 13:56:01 ossec-agent: INFO: Monitoring registry entry:
> 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Ours Software'.
> 
> Notice the 2nd 'Inc\product'. is missing too.
> 
> I tried quotes around the whole hive which results in this (again with
> the 2nd Inc... missing):
> 2012/05/01 15:24:12 ossec-agent: INFO: Monitoring registry entry:
> '"HKEY_LOCAL_MACHINE\Software\Our Software'.
> 2012/05/01 15:24:12 ossec-agent: INFO: Monitoring registry entry: 'Inc
> \Product"'.
> 2012/05/01 15:24:12 ossec-agent: INFO: Monitoring registry entry:
> '"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Our Software"'.
> 
> Any ideas on how to get OSSEC to view these completely?
