Here's a good one. I want to monitor access to a specific confidential folder on a Windows 2003 server.
I have enabled auditing for this folder and enabled audit object access. However, by default this appears to also audit access to registry. The result is a very high CPU usage as the OSSEC agent application is always accessing a registry key, causing a security event entry (since it is audited) etc, etc... Seems to be almost in a loop.

I've added in:

<registry_ignore>HKEY_LOCAL_MACHINE\System\ControlSet001\services\eventlog\security\security</registry_ignore>

(which is the key being accessed), but this does not stop the object access event being generated.

Any ideas how to prevent the agent accessing the key, or, stop Windows auditing this object?

Regards,
Walter Wilson
