On Fri, Oct 15, 2010 at 12:51 PM, Jefferson, Shawn
<[email protected]> wrote:
> Will that work like that without the type="sregex" ?
>

I don't know. :) I don't have to deal with very many Windows machines,
so this is experimentation for me.
Hopefully I'll get a chance to look into it tonight.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of dan (ddp)
> Sent: Friday, October 15, 2010 9:24 AM
> To: [email protected]
> Subject: Re: [ossec-list] Two Questions
>
> On Fri, Oct 15, 2010 at 12:09 PM, Jefferson, Shawn
> <[email protected]> wrote:
>> Yes, I did try it once with just "GPExtensions", but that may have been 
>> before I realized you needed to restart ossec for it to take effect.
>>
>> I'll try it again and see what happens.
>>
>
> I've set up a couple of ignores on my ossec manager using the full
> registry entry up until that last slash. I haven't had a chance to see
> if it's working yet.
> Example:
> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On 
>> Behalf Of dan (ddp)
>> Sent: Thursday, October 14, 2010 6:10 PM
>> To: [email protected]
>> Subject: Re: [ossec-list] Two Questions
>>
>> On Thu, Oct 14, 2010 at 4:02 PM, Jefferson, Shawn
>> <[email protected]> wrote:
>>> Hi,
>>>
>>> It doesn't seem to work in Windows with this in the ossec.conf:
>>>
>>> <localfile>
>>>    <log_format>full_command</log_format>
>>>    <command>netstat -an | find "LISTEN"</command>
>>> </localfile>
>>>
>>> Nothing in the ossec.log to say it's going to monitor this "localfile".
>>>
>>> I'm running 2.4.1 on server and agent.
>>>
>>> What about the registry ignore problem?  I've tried to ignore
>>> "GPExtensions\{" and the "^'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
>>> NT\CurrentVersion\Winlogon\GPExtensions\{" and neither one has worked,
>>> still getting alerts on this from all servers.
>>>
>>> Someone else must have run into this and set up an ignore statement that
>>> works?
>>>
>>
>> I'm testing it right now, but have you tried it without the trailing
>> "\{"? I haven't had much of a need to do registry ignores.
>>
>
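Added illustration, not code from this thread or from OSSEC itself: a small Python model of the two ignore styles discussed above. It assumes an untyped registry_ignore must equal the full key path (case-insensitively) and that an ignored key also hides its subkeys, and it uses Python's re in place of OSSEC's sregex; the GUID subkeys and the WINLOGON/PARENT_KEY names are constructed for the example.

```python
import re

# Constructed sample of the key paths an agent walks under Winlogon; the
# GUID-named subkeys are made-up placeholders, not real extension IDs.
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
PARENT_KEY = WINLOGON + r"\GPExtensions"
SAMPLE_KEYS = [
    WINLOGON,
    PARENT_KEY,
    PARENT_KEY + r"\{00000000-0000-0000-0000-000000000001}",
    PARENT_KEY + r"\{00000000-0000-0000-0000-000000000002}",
    WINLOGON + r"\Notify",
]

# The ignore values tried in the thread, plus an anchored pattern without the quote.
FRAGMENT = r"GPExtensions\{"                            # untyped fragment, not a full path
QUOTED_PATTERN = "^'" + re.escape(PARENT_KEY + "\\{")   # stray quote right after ^
ANCHORED_PATTERN = "^" + re.escape(PARENT_KEY + "\\{")  # anchored, full path, no quote


def is_ignored(key, literal_ignores=(), regex_ignores=()):
    """Assumed model: an untyped entry must equal the full key path
    (case-insensitively) and hides every subkey beneath it; a typed entry is
    a pattern searched against the full path (Python re stands in for sregex)."""
    parts = key.split("\\")
    # Check the key itself and each of its ancestors so that pruning is honoured.
    for n in range(1, len(parts) + 1):
        path = "\\".join(parts[:n])
        if any(path.lower() == entry.lower() for entry in literal_ignores):
            return True
    return any(re.search(p, key, re.IGNORECASE) for p in regex_ignores)


def alerted_keys(literal_ignores=(), regex_ignores=()):
    """Keys that would still raise syscheck alerts under the given ignores."""
    return [k for k in SAMPLE_KEYS if not is_ignored(k, literal_ignores, regex_ignores)]
```

Under this model the bare fragment and the quoted pattern ignore nothing, while the full parent key (Dan's approach) or an anchored pattern on the GUID subkeys silences the noise.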
