On Fri, Oct 15, 2010 at 12:51 PM, Jefferson, Shawn <[email protected]> wrote: > Will that work like that without the type="sregex" ? >
I don't know. :) I don't have to deal with very many Windows machines, so this is experimentation for me. Hopefully I'll get a chance to look into it tonight. > -----Original Message----- > From: [email protected] [mailto:[email protected]] On > Behalf Of dan (ddp) > Sent: Friday, October 15, 2010 9:24 AM > To: [email protected] > Subject: Re: [ossec-list] Two Questions > > On Fri, Oct 15, 2010 at 12:09 PM, Jefferson, Shawn > <[email protected]> wrote: >> Yes, I did try it once with just "GPExtensions", but that may have been >> before I realized you needed to restart ossec for it to take effect. >> >> I'll try it again and see what happens. >> > > I've setup a couple of ignores on my ossec manager using the full > registry entry up until that last slash. I haven't had a chance to see > if it's working yet. > Example: > <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows > NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore> > >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] On >> Behalf Of dan (ddp) >> Sent: Thursday, October 14, 2010 6:10 PM >> To: [email protected] >> Subject: Re: [ossec-list] Two Questions >> >> On Thu, Oct 14, 2010 at 4:02 PM, Jefferson, Shawn >> <[email protected]> wrote: >>> Hi, >>> >>> It doesn't seem to work in Windows with this in the ossec.conf: >>> >>> <localfile> >>> <log_format>full_command</log_format> >>> <command>netstat -an | find "LISTEN"</command> >>> </localfile> >>> >>> Nothing in the ossec.log to say it's going to monitor this "localfile". >>> >>> I'm running 2.4.1 on server and agent. >>> >>> What about the registry ignore problem? I've tried to ignore >>> "GPExtensions\{" and the "^'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows >>>> NT\CurrentVersion\Winlogon\GPExtensions\{" and neither one has worked, >>>> still getting alerts on this from all servers. >>> >>> Someone else must have run into this and setup an ignore statement that >>> works? >>> >> >> I'm testing it right now, but have you tried it without the trailing >> "\{"? I haven't had much of a need to do registry ignores. >> >
