On Sat, Oct 16, 2010 at 1:52 PM, dan (ddp) <[email protected]> wrote:
> On Fri, Oct 15, 2010 at 12:59 PM, dan (ddp) <[email protected]> wrote:
>> On Fri, Oct 15, 2010 at 12:51 PM, Jefferson, Shawn
>> <[email protected]> wrote:
>>> Will that work like that without the type="sregex" ?
>>>
>>
>> I don't know. :) I don't have to deal with very many Windows machines,
>> so this is experimentation for me.
>> Hopefully I'll get a chance to look into it tonight.
>>
>
> I just got an alert for one of the registry entries I tried ignoring
> (using the sregex). Trying something else now I guess.
>

Oops, that one was commented out. False alarm.

>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On
>>> Behalf Of dan (ddp)
>>> Sent: Friday, October 15, 2010 9:24 AM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] Two Questions
>>>
>>> On Fri, Oct 15, 2010 at 12:09 PM, Jefferson, Shawn
>>> <[email protected]> wrote:
>>>> Yes, I did try it once with just "GPExtensions", but that may have been
>>>> before I realized you needed to restart ossec for it to take effect.
>>>>
>>>> I'll try it again and see what happens.
>>>>
>>>
>>> I've set up a couple of ignores on my ossec manager using the full
>>> registry entry up until that last slash. I haven't had a chance to see
>>> if it's working yet.
>>> Example:
>>> <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>
>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On
>>>> Behalf Of dan (ddp)
>>>> Sent: Thursday, October 14, 2010 6:10 PM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] Two Questions
>>>>
>>>> On Thu, Oct 14, 2010 at 4:02 PM, Jefferson, Shawn
>>>> <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> It doesn't seem to work in Windows with this in the ossec.conf:
>>>>>
>>>>> <localfile>
>>>>>   <log_format>full_command</log_format>
>>>>>   <command>netstat -an | find "LISTEN"</command>
>>>>> </localfile>
>>>>>
>>>>> Nothing in the ossec.log to say it's going to monitor this "localfile".
>>>>>
>>>>> I'm running 2.4.1 on server and agent.
>>>>>
>>>>> What about the registry ignore problem? I've tried to ignore
>>>>> "GPExtensions\{" and "^'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
>>>>> NT\CurrentVersion\Winlogon\GPExtensions\{" and neither one has worked,
>>>>> still getting alerts on this from all servers.
>>>>>
>>>>> Someone else must have run into this and set up an ignore statement that
>>>>> works?
>>>>>
>>>>
>>>> I'm testing it right now, but have you tried it without the trailing
>>>> "\{"? I haven't had much of a need to do registry ignores.
>>>>
>>>
>>
>
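The two pieces of configuration discussed in this thread, put together in one ossec.conf fragment as an added illustration (not posted by anyone on the list): the exact-path registry_ignore dan tried, the type="sregex" form Shawn asked about, and Shawn's full_command localfile. The sregex pattern is my assumption: it deliberately contains no backslashes, because in OSSEC's regex syntax sequences such as \W, \S and \D are character classes, so a pattern like \Winlogon would not mean a literal backslash followed by "Winlogon".

```xml
<ossec_config>
  <syscheck>
    <!-- Exact key path, as dan tried in the thread: the full entry up to,
         but not including, the trailing \{GUID} subkey. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions</registry_ignore>

    <!-- Assumed sregex form: an unanchored pattern matches any key whose
         path contains the string, so the GUID subkeys are covered without
         having to escape backslashes in the pattern. -->
    <registry_ignore type="sregex">GPExtensions</registry_ignore>
  </syscheck>

  <!-- Command output monitoring, as posted by Shawn. -->
  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -an | find "LISTEN"</command>
  </localfile>
</ossec_config>
```

As noted in the thread, neither change takes effect until OSSEC is restarted, so check ossec.log after the restart for the ignore and localfile being picked up.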
