Yes, I did try it once with just "GPExtensions", but that may have been before I realized you needed to restart ossec for it to take effect.
I'll try it again and see what happens.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Thursday, October 14, 2010 6:10 PM
To: [email protected]
Subject: Re: [ossec-list] Two Questions

On Thu, Oct 14, 2010 at 4:02 PM, Jefferson, Shawn <[email protected]> wrote:
> Hi,
>
> It doesn't seem to work in Windows with this in the ossec.conf:
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>netstat -an | find "LISTEN"</command>
> </localfile>
>
> Nothing in the ossec.log to say it's going to monitor this "localfile".
>
> I'm running 2.4.1 on server and agent.
>
> What about the registry ignore problem? I've tried to ignore
> "GPExtensions\{" and the "^'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> NT\CurrentVersion\Winlogon\GPExtensions\{" and neither one has worked, still
> getting alerts on this from all servers.
>
> Someone else must have run into this and set up an ignore statement that works?
>

I'm testing it right now, but have you tried it without the trailing "\{"? I haven't had much of a need to do registry ignores.
