Re: [ossec-list] Windows active response not firing

2018-07-24 Thread Neeraj Shah
Bhaskar, since you are looking to forward a log file which is local on the Windows OSSEC client & not on the Sophos EM server, you can just use the attribute cited below from the OSSEC documentation. Change the location & name as needed: <localfile><location>C:\Windows\app\log-%y-%m-%d.log</location><log_format>syslog</log_format></localfile> On Sat,

Re: [ossec-list] Re: Is a local_decoder.xml needed for USB detection ?

2018-04-05 Thread Neeraj Shah
Thank you, Jacob. Appreciate your help. On Thu, Apr 5, 2018 at 7:29 AM, Jacob Mcgrath wrote: > I have not tested on AD controlled Windows 10 as of yet > > Here is mine; it's script based and tails from the SID 530 > https://groups.google.com/forum/#!searchin/ossec-list/

Re: [ossec-list] Windows agent.conf not found & syncing issues

2018-03-29 Thread Neeraj Shah
Onion is on 2.8.x while my client agent is on v2.9.2. Can that be an issue? Sorry for the duplicate threads regarding this error. Please delete the other ones. On Thursday, March 29, 2018 at 4:56:05 PM UTC-4, dan (ddpbsd) wrote: > > > > On Thu, Mar 29, 2018, 4:44 PM Neeraj

Re: [ossec-list] Discrepancy in instructions related to location of agent.conf

2018-03-29 Thread Neeraj Shah
Hi Dan, I am using OSSEC. On Thursday, March 29, 2018 at 4:52:57 PM UTC-4, dan (ddpbsd) wrote: > > > > On Thu, Mar 29, 2018, 4:36 PM Neeraj Shah <neeraj...@gmail.com > > wrote: > >> Hello All, >> >> I see some discrepancies with regards to location

[ossec-list] Discrepancy in instructions related to location of agent.conf

2018-03-29 Thread Neeraj Shah
Hello All, I see some discrepancies with regards to the location of the agent.conf file on the OSSEC server. As per the official OSSEC doc, https://ossec-docs.readthedocs.io/en/latest/manual/agent/agent-configuration.html, we need to create agent.conf under "/var/ossec/etc/shared/agent.conf". However,

[ossec-list] Windows agent.conf not found & syncing issues

2018-03-29 Thread Neeraj Shah
Hello All, Need some help. I am trying out OSSEC with Security Onion. The OSSEC server comes preinstalled in Security Onion. I am now trying the agent piece. I installed the v2.9.2 latest version agent on one of my Windows client PCs, did the initial config and restarted the agent. From the

[ossec-list] New 2.9.3 install: Windows shared/agent.conf file not created & syncing

2018-03-29 Thread Neeraj Shah
Hello All, I am trying out OSSEC with Security Onion. I manually installed the OSSEC Windows agent (v2.9.3) on one of my Windows client PCs, did the necessary config and restarted the service. From the OSSEC server, the agent ID shows connected. So far so good. Now for centralized agent

[ossec-list] New install: Windows agent.conf doesn't get auto created

2018-03-29 Thread Neeraj Shah
Hello All, Need some help. I am trying out OSSEC with Security Onion. The OSSEC server comes preinstalled in Security Onion. I am now trying the agent piece. I installed the v2.9.2 latest version agent on one of my Windows client PCs, did the initial config and restarted the agent. From the

[ossec-list] Is a local_decoder.xml needed for USB detection ?

2018-03-29 Thread Neeraj Shah
Hi all, I have configured the win_audit_rcl.txt file on my Windows agent to detect USB drives as per this URL: https://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/ . It is working as expected. I can see the message "USB Drive detected" make it to the archive.log file

Re: [ossec-list] Is a local_decoder.xml needed for USB detection ?

2018-03-30 Thread Neeraj Shah
Hi Dan, I went ahead and created both a local_decoder and a corresponding rule in local_rules.xml. I then ran the "/var/ossec/bin/ossec-logtest" command against my log lines, and it passed the test. The output showed "Decoder matched" and the "Alert to be generated" message as shown