Yes, this is in OSSEC now, but the Windows audit file affects all of the Windows agents. I want to watch processes that are not on all of the machines, so now if I watch, say, IIS, it has to be running on all of the Windows agents or I will get alerts on it.

Sincerely
Dennis Borkhus-Veto
Systems Administrator
MEE Material Handling L.L.C

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Peter M. Abraham
Sent: Thursday, November 01, 2007 8:32 PM
To: ossec-list
Subject: [ossec-list] Re: Windows Audit

Greetings Dennis:

If I understand your question correctly, are you asking to be alerted if a process fails or otherwise was running and then stops?

If yes, does the process in question record anything in a log file?

If not in a log file, if you are comfortable scripting, you might be able to write something to regularly write the process tree to a file, and do a regular expression against the process name that should be running; when not present, then alert.

Thank you.
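
The scripted check suggested in the quoted message, sketched with a per-host list of expected processes so that a machine without IIS is never checked for it. This is an added example, not part of the original thread; it assumes the process list is captured with `tasklist /FO CSV /NH`, and the sample listing, the host name `web01` and the `procwatch` log line format are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of `tasklist /FO CSV /NH` output (not from the original thread).
SAMPLE_TASKLIST = '''"System Idle Process","0","Services","0","24 K"
"svchost.exe","812","Services","0","9,140 K"
"inetinfo.exe","1480","Services","0","12,300 K"
"W3WP.EXE","2216","Services","0","48,912 K"
"notsqlservr.exe","3010","Console","1","2,048 K"
'''

def running_images(tasklist_csv):
    """Return the set of lower-cased image names from tasklist CSV output."""
    names = set()
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if row:  # skip blank lines
            names.add(row[0].strip().lower())
    return names

def missing_processes(tasklist_csv, expected_patterns):
    """Return the patterns that match no running image name.

    Each pattern must match the whole image name, case-insensitively,
    so 'sqlservr\\.exe' does not match 'notsqlservr.exe'.
    """
    images = running_images(tasklist_csv)
    missing = []
    for pattern in expected_patterns:
        rx = re.compile(pattern, re.IGNORECASE)
        if not any(rx.fullmatch(name) for name in images):
            missing.append(pattern)
    return missing

def alert_lines(host, tasklist_csv, expected_patterns, timestamp):
    """Format one log line per missing process (hypothetical line format)."""
    return [
        "%s procwatch host=%s status=missing process=%s" % (timestamp, host, p)
        for p in missing_processes(tasklist_csv, expected_patterns)
    ]

if __name__ == "__main__":
    # Per-host list: only this machine is expected to run IIS and SQL Server.
    expected = [r"inetinfo\.exe", r"w3wp\.exe", r"sqlservr\.exe"]
    for line in alert_lines("web01", SAMPLE_TASKLIST, expected, "2007-11-02T09:00:00"):
        print(line)
```

Appending these lines to a file that the local agent already monitors gives the "when not present, then alert" behaviour on only the machines that carry the script and its list.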
