Crap, sent this privately instead of to the list.
On Tue, Feb 21, 2012 at 4:57 PM, Love Vish <[email protected]> wrote:
> Hi All,
>
> I want to change/add a drive for monitoring in the Windows agent's ossec.conf.
> For example, by default we have the directories below for monitoring:
>
> <!-- Default files to be monitored - system32 only. -->
> <directories check_all="yes">%WINDIR%/win.ini</directories>
> <directories check_all="yes">%WINDIR%/system.ini</directories>
> <directories check_all="yes">C:\autoexec.bat</directories>
> <directories check_all="yes">C:\config.sys</directories>
> <directories check_all="yes">C:\boot.ini</directories>
> <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
> <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
> <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
> <directories check_all="yes">%WINDIR%/regedit.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
> <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
> <directories check_all="yes">C:\Documents and Settings/All Users/Start Menu/Programs/Startup</directories>
> <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
>
> If I want to monitor my drive D: and the specific directory E:abc/xyz,
> how can I do that?
> Please help me on this.
>
> I am aware that we can add <directories check_all="yes">F:\foo/bar</directories>
> Please help me if my syntax is wrong.
> When I restart the OSSEC agent, I see in the logs that it states:
> 2012/02/22 03:15:57 ossec-agent: INFO: Monitoring directory: 'F:\foo/bar'.
>
> But the fact is it does not monitor the directory.
>
> For example, if you create a file test.txt inside the F:\foo/bar directory
> and restart the agent, we do not get an event.

You won't, unless you have the new file alerts option turned on. Have you tried modifying a file instead?

> And if we add <directories check_all="yes">tera maa ka boka</directories>
> though, we get
> 2012/02/22 03:15:57 ossec-agent: INFO: Monitoring directory: 'tera maa ka boka'.
>
> Please help
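A configuration example added here, not part of the original thread, showing where each piece of the answer above lives: the agent-side <directories> entries for the D: drive and E:\abc\xyz tree the poster asked about, the manager-side alert_new_files switch the reply refers to, and the local rule override OSSEC needs before a "file added" event becomes an alert (stock rule 554 ships at level 0). The Windows install path is assumed; the option and rule ids are OSSEC's own.

```xml
<!-- Agent side: C:\Program Files (x86)\ossec-agent\ossec.conf (install path assumed) -->
<ossec_config>
  <syscheck>
    <!-- Whole D: drive plus one specific tree on E:. Backslashes throughout;
         the mixed F:\foo/bar form from the question is also accepted. -->
    <directories check_all="yes">D:\</directories>
    <directories check_all="yes">E:\abc\xyz</directories>
    <!-- Keep the shipped ignore list so log/image churn does not drown alerts. -->
    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
  </syscheck>
</ossec_config>

<!-- Manager side: /var/ossec/etc/ossec.conf. Without this (default: no) the
     manager never generates "new file" events for any agent. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- Manager side: /var/ossec/rules/local_rules.xml. Even with alert_new_files on,
     rule 554 ("File added to the system.") is level 0, i.e. silent; overwrite it
     with a non-zero level so the event is actually alerted on. -->
<group name="local,syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

The "INFO: Monitoring directory" log line only proves the entry parsed, as the nonsense-path experiment in the thread shows, so verify by restarting both agent and manager, modifying an existing file under E:\abc\xyz (rule 550, checksum changed) and then creating a new one (rule 554).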
