You'll want to test this yourself....

But you can manage what files are monitored and what registry entries are 
monitored in the host's config file for the Syscheck.  Run the Agent Manager 
on the host and go to view > config.  Then you can just change the 
configuration file and save it, restart the agent and wait for results.

It seems like it would be possible to put a rule for alerts to changes to 
HKLM\System.  But quite frankly, you're going to be inundated with many 
alerts that may not be valuable.  I've seen evidence of this when 
performing system comparisons for MSI creation of before/after an 
installation.  Windows makes lots of tiny changes to the registry and the 
file system, even when it's idle.

As for file system monitoring, I think you would be better served by 
turning on auditing and applying an audit policy to the file system.  Set 
the server to "log all" and then only pull alerts on sensitive areas of 
your computer.  You may find historical value in archiving all the changes 
to the OSSEC system for future review....

You might also check out Josh Bower's Sysmon 2.0 integration with OSSEC. 
This can help you monitor executable processes on your Windows system.... 
good stuff!



On Friday, May 15, 2015 at 5:15:13 AM UTC-7, Justin Hazard wrote:
>
> Hey Everyone,
>
> Huge fan of OSSEC, just got my first implementation up and operational.  I 
> have a few rules that I want to write, just for testing's sake.
>
> What we are looking to do, is to write two separate rules that achieve 
> similar results, and more specifically we want to know when any change is 
> created to the registry, or when any file is created/deleted on the host.
>
> I was looking at what is being monitored currently, and wondering if I put 
> a rule in place that says notify me when "HKLM\System" changes, ALERT.
>
> Is this possible?
>
> I know it seems like a lot of information that would be rolling in, but we 
> are just trying to see all of what we can do with OSSEC.
>
> Please let me know if you can assist.
>
> V/R,
>
> Justin
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
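As an added illustration (not configuration from this thread or from OSSEC's shipped defaults), the approach described in the reply, monitoring HKLM\System through syscheck while suppressing the noisiest keys, and raising a dedicated alert for changes under that hive, could be written as a syscheck block for the Windows agent's ossec.conf plus one rule in local_rules.xml. The frequency, the `C:\Sensitive` directory, the ignore patterns and the rule id 100100 are assumptions chosen for the example; `windows_registry` needs the full hive name (`HKEY_LOCAL_MACHINE`), not the `HKLM` abbreviation, and the rule keys off OSSEC's stock syscheck rules 550 (checksum changed), 553 (file deleted) and 554 (file added), which also fire for monitored registry keys.

```xml
<!-- ossec.conf on the Windows agent (example fragment, not a shipped default) -->
<ossec_config>
  <syscheck>
    <!-- Assumed: scan every hour; lower values mean more frequent diffs and more alerts -->
    <frequency>3600</frequency>

    <!-- Needed so new files raise rule 554 instead of being silently baselined -->
    <alert_new_files>yes</alert_new_files>

    <!-- Assumed directory standing in for the "sensitive areas" the reply mentions;
         realtime="yes" uses change notifications instead of waiting for the next scan -->
    <directories check_all="yes" realtime="yes">C:\Sensitive</directories>

    <!-- The hive asked about in the original post, written with the full hive name -->
    <windows_registry>HKEY_LOCAL_MACHINE\System</windows_registry>

    <!-- Assumed noise filters: Windows rewrites these constantly even when idle.
         Tune against a few days of alerts before trusting them. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore type="sregex">\MountedDevices$</registry_ignore>
  </syscheck>
</ossec_config>

<!-- local_rules.xml on the OSSEC server (example rule, id in the local 100000+ range) -->
<group name="local,syscheck,">
  <!-- Fires on any syscheck add/change/delete whose path is under HKLM\System -->
  <rule id="100100" level="10">
    <if_sid>550,553,554</if_sid>
    <match>HKEY_LOCAL_MACHINE\System</match>
    <description>Registry change under HKLM\System detected by syscheck</description>
  </rule>
</group>
```

After editing ossec.conf, restart the agent as the reply describes and let one full scan complete before judging the alert volume; the `registry_ignore` list is where the "inundated with alerts" problem gets tamed, and the local rule keeps the HKLM\System signal separate from the lower-level generic syscheck alerts so it can be archived or paged on independently.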
