On Thu, Oct 14, 2010 at 4:02 PM, Jefferson, Shawn
<[email protected]> wrote:
> Hi,
>
> It doesn't seem to work in Windows with this in the ossec.conf:
>
> <localfile>
> <log_format>full_command</log_format>
> <command>netstat -an | find "LISTEN"</command>
> </localfile>
>
> Nothing in the ossec.log to say it's going to monitor this "localfile".
>
> I'm running 2.4.1 on server and agent.
>
> What about the registry ignore problem? I've tried to ignore
> "GPExtensions\{" and the "^'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> NT\CurrentVersion\Winlogon\GPExtensions\{" and neither one has worked, still
> getting alerts on this from all servers.
>
> Someone else must have run into this and set up an ignore statement that works?
>
I'm testing it right now, but have you tried it without the trailing
"\{"? I haven't had much of a need to do registry ignores.