Hi,
It doesn't seem to work in Windows with this in the ossec.conf:
<localfile>
  <log_format>full_command</log_format>
  <command>netstat -an | find "LISTEN"</command>
</localfile>
Nothing in the ossec.log says it's going to monitor this "localfile".
I'm running 2.4.1 on server and agent.
What about the registry ignore problem? I've tried to ignore "GPExtensions\{"
and "^'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{", and neither one has worked; I'm still
getting alerts on this from all servers.
Someone else must have run into this and set up an ignore statement that works?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, October 13, 2010 5:00 PM
To: [email protected]
Subject: Re: [ossec-list] Two Questions
On Wed, Oct 13, 2010 at 6:51 PM, Jefferson, Shawn
<[email protected]> wrote:
> First, I have had no luck trying to ignore the following on Windows:
>
> Received From: (SERVER01) 172.16.3.157->syscheck-registry
> Rule: 550 fired (level 7) -> "Integrity checksum changed."
> Portion of the log(s):
>
> Integrity checksum changed for:
> 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
>
> No matter what I try to put in the registry ignore line, it always fires.
> I've tried in the agent.conf and the local ossec.conf. Has anyone else had
> this problem? Any suggestions?
>
> Secondly, does the output of a command work on Windows platforms? See the
> blog post here:
> http://www.ossec.net/dcid/?p=198
>
> I'd like to implement this on windows for monitoring open ports, with
> netstat. Do you need active response enabled for this? What version of
> OSSEC supports this feature?
>
It should work on Windows. It's supported in 2.5.1. Looks like it
made the 2.4 release notes as well, so I'm guessing it works there.
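To see why the two ignore strings tried above fail against the key reported in the alert, here is an added example (not from the thread and not OSSEC's own code) that runs them, plus two corrected candidates, through a simple model of two matching modes: a plain ignore entry treated as a case-insensitive prefix of the full key path, and a regex entry evaluated with Python's re module. Both models are assumptions; OSSEC uses its own regex engine for regex-typed entries and its own comparison for plain ones, so confirm the exact syntax against the syscheck documentation for your version. ALERT_KEY and CANDIDATES are constructed from the alert quoted in the thread; the surrounding single quotes in the alert are assumed to be printed by syscheck rather than being part of the key name.

```python
import re

# Constructed from the alert quoted in this thread: the key path without the
# surrounding single quotes, which are assumed to be added by syscheck when it
# prints the alert rather than being part of the key name.
ALERT_KEY = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
    r"\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
)

# The two ignore strings tried in the thread, plus two corrected candidates.
CANDIDATES = [
    # tried: a substring of the key, not a prefix of it
    r"GPExtensions\{",
    # tried: anchored at the quote character the alert prints, which is not
    # part of the key
    r"^'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
    r"\Winlogon\GPExtensions\{",
    # candidate for a plain (prefix) ignore entry: the full key path up to
    # the GUID subkeys
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
    r"\Winlogon\GPExtensions",
    # candidate for a regex ignore entry: backslash and brace both escaped
    r"GPExtensions\\\{",
]


def prefix_ignore(pattern: str, key: str) -> bool:
    """Assumed model of a plain ignore entry: case-insensitive prefix match."""
    return key.lower().startswith(pattern.lower())


def regex_ignore(pattern: str, key: str) -> bool:
    """Assumed model of a regex ignore entry, evaluated with Python's re.

    An unescaped Windows path makes a poor regex: \\S and \\W are character
    classes, and \\M and \\C are rejected outright, so a pattern that fails
    to compile counts as no match.
    """
    try:
        return re.search(pattern, key, re.IGNORECASE) is not None
    except re.error:
        return False


def evaluate(candidates, key=ALERT_KEY):
    """Map each candidate to (matches as prefix, matches as regex)."""
    return {p: (prefix_ignore(p, key), regex_ignore(p, key)) for p in candidates}


if __name__ == "__main__":
    for pattern, (as_prefix, as_regex) in evaluate(CANDIDATES).items():
        print(f"prefix={as_prefix!s:5} regex={as_regex!s:5}  {pattern}")
```

Under this model the first string is a substring rather than a prefix, so it never matches as a plain entry, and as a regex it asks for `GPExtensions{` with no backslash in between; the second string starts with a quote the key does not contain and, read as a regex, contains escapes such as `\M` that are not valid. The full unquoted key path works as a prefix, and `GPExtensions\\\{` works as a regex, which is the shape to try once you have checked which of the two modes your OSSEC version applies to registry ignore entries.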