We've had OSSEC up and running for a while now, and quite often I get a number of email alerts on Windows server registry changes. Have people found these Windows registry change alerts to be useful in tracking down and investigating issues that they've found? Every couple of months I go through all of the false positives and create entries to ignore them, but even after I do this, I still continue to get tons of registry changes from the servers (usually when they are updated with Microsoft updates I get tons). I was wondering if there might be a better way to still get registry changes but reduce the amount of false positives that I get.
Thanks.

Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
[email protected]
http://www.ccis.edu
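One way to work the tuning problem described above from the alert data itself, as an added example (not from the original post or the OSSEC project): a script that parses syscheck-registry alerts, groups keys by a path prefix, keeps only prefixes that churned on several hosts (the Microsoft-update pattern), and emits candidate `<registry_ignore>` lines for the `<syscheck>` section to review. The alert text is constructed sample data, and the prefix depth and host threshold are assumed defaults.

```python
import re
from collections import defaultdict

# Constructed sample alerts (not real data) shaped like OSSEC syscheck-registry output:
# fleet-wide churn under WindowsUpdate during patching, plus one change under a Run key.
SAMPLE_ALERTS = r"""
** Alert 1393000001.1001: - ossec,syscheck,
2014 Feb 21 10:00:01 (dc01) 10.0.0.5->syscheck-registry
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
** Alert 1393000002.1002: - ossec,syscheck,
2014 Feb 21 10:00:02 (dc01) 10.0.0.5->syscheck-registry
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect'
** Alert 1393000003.1003: - ossec,syscheck,
2014 Feb 21 10:05:09 (fs02) 10.0.0.7->syscheck-registry
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
** Alert 1393000004.1004: - ossec,syscheck,
2014 Feb 21 11:30:00 (fs02) 10.0.0.7->syscheck-registry
Integrity checksum changed for: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
"""

HOST_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((?P<host>[^)]+)\) \S+->syscheck-registry$")
KEY_RE = re.compile(r"^Integrity checksum changed for: '(?P<key>[^']+)'$")

def parse_alerts(text):
    """Return (host, registry_key) pairs from raw alerts.log text."""
    events, host = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("host")
            continue
        m = KEY_RE.match(line)
        if m and host:
            events.append((host, m.group("key")))
            host = None
    return events

def noisy_prefixes(events, depth=6, min_hosts=2):
    """Key prefixes (first `depth` path components) that changed on >= min_hosts hosts."""
    hosts, counts = defaultdict(set), defaultdict(int)
    for host, key in events:
        p = "\\".join(key.split("\\")[:depth])  # sibling values collapse to one prefix
        hosts[p].add(host)
        counts[p] += 1
    return {p: counts[p] for p in counts if len(hosts[p]) >= min_hosts}

def suggest_registry_ignore(noisy):
    """Candidate <registry_ignore> lines for ossec.conf <syscheck>; review before adding."""
    return ["<registry_ignore>%s</registry_ignore>" % p for p in sorted(noisy)]
```

On the sample data only the WindowsUpdate prefix is proposed for ignoring; the single change under the Run key stays alerting because it appeared on one host, which is the kind of registry change worth keeping.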
