Verlag Neue Stadt wrote:
> Hello,
>
> I could imagine that it would be helpful to have recognised if an agent
> is being terminated or even deinstalled.
>
> Is that already possible today?

Hello Verlag,

This is possible if you get the events to the server in a way other than through the agent, then analyze the events locally on that server. For example, you can use Snare on a Windows server to send the logs to a syslog server where OSSEC is installed. In OSSEC on the server, you would create a rule to look for the event ID and string associated with uninstalling an application.

HTH,
Mike
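
The matching such a server-side rule performs (event ID plus message string), sketched in Python as an added example that is not part of the original thread and is not OSSEC rule syntax. It assumes the agent is installed through Windows Installer; the event IDs and message texts, the agent name `Example Agent`, and the simplified `host|event_id|source|message` record layout (not Snare's actual format) are assumptions.

```python
import re

# Assumed Windows event IDs and message texts (not given in the thread):
#   7036  Service Control Manager: "The <name> service entered the stopped state."
#   11724 MsiInstaller: "Product: <name> -- Removal completed successfully."
#   1034  MsiInstaller: "... removed the product. Product Name: <name>. ..."
AGENT_NAME = "Example Agent"  # hypothetical service/product display name

CHECKS = [
    ("agent_stopped", "7036",
     re.compile(r"The (?P<name>.+?) service entered the stopped state")),
    ("agent_uninstalled", "11724",
     re.compile(r"Product: (?P<name>.+?) -- Removal completed successfully")),
    ("agent_uninstalled", "1034",
     re.compile(r"removed the product\. Product Name: (?P<name>.+?)\.")),
]

def parse(line):
    """Split a simplified, constructed record: host|event_id|source|message."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None  # malformed or truncated record: ignore, do not alert
    return dict(zip(("host", "event_id", "source", "message"), parts))

def classify(line, agent=AGENT_NAME):
    """Return (alert, host) only if event ID and agent name both match."""
    ev = parse(line)
    if ev is None:
        return None
    for alert, event_id, pattern in CHECKS:
        m = pattern.search(ev["message"]) if ev["event_id"] == event_id else None
        if m and m.group("name").strip().lower() == agent.lower():
            return (alert, ev["host"])
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample records, not real logs.
SAMPLE = [
    "WIN-SRV01|7036|Service Control Manager|The Example Agent service entered the stopped state.",
    "WIN-SRV01|7036|Service Control Manager|The Example Agent service entered the running state.",
    "WIN-SRV02|11724|MsiInstaller|Product: Example Agent -- Removal completed successfully.",
    "WIN-SRV02|11724|MsiInstaller|Product: Other Tool -- Removal completed successfully.",
    "WIN-SRV03|4624|Security|An account was successfully logged on.",
    "truncated record",
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

Matching on the event ID alone would also alert on the service starting or on other products being removed, which is why the message string is checked as well.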
