It shouldn't cause any issues to the agent, besides the warning. Is it crashing after that error?
Thanks, On Fri, Jul 22, 2011 at 7:11 AM, GeorgeY <[email protected]> wrote: > Hi, > > I enabled USB auditing using the guide displayed in the following > link: > http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage > > It seems to be working well. However, I noticed one thing on Win2k > based machines... > The OSSEC service fails to start when it is enabled... > Here is what is shown in the ossec.log on the Win2k machine > > ossec-agent: ERROR: Unable to execute command: 'reg QUERY HKLM\SYSTEM > \CurrentControlSetEnum\USBSTOR'. > > I am guessing Win2k machines do not have this key. However, is there a > way to make it ignore if the key doesn't exist so that the OSSEC > service can continue to start? > > Or do I need to specify another class of OS type in my agent.conf? > i.e. <agent_config os="Windows 2000"> > > Thanks in advance. > George
