On Thu, Jun 21, 2012 at 9:44 AM, sahil sharma <[email protected]> wrote:
>>
>> ossec.conf or agent.conf depending on how you want to do it. I'll make
>> sure this is mentioned earlier in the documentation.
>>
>    I am working on an Ubuntu server and I have a Windows client. I want to
>    get a log whenever someone inserts a USB device into the client system.
>    When do we use ossec.conf or agent.conf to add new definitions? How do I
>    choose between them?
>

This is for configuration changes, not rules:
Your choice. If you want to use the agent.conf change it there. If you
have a good change management system, changing the ossec.conf might be
good enough.

The OSSEC server does not use the agent.conf though, so if you're
setting up something for the OSSEC server it'll have to be in that
system's ossec.conf.

>
>
>>
>>
>> And you've restarted the agent's ossec processes?
>>
> Yes, after adding the code, I restarted the server -restart and also the
> client ossec agent. I checked, ossec.agent with the added rule was
> pushed automatically. Then, I inserted USB into the windows client.
> But there was no LOG for USB detection or no such message in the Web
> Interface.

The rule won't be pushed to the agents. The
/var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
date on the agent (if it's Windows it's probably c:\program
files\ossec\shared\agent.conf or something).

>
>  Though the web interface was showing alerts whenever I logged in
> successfully to the Windows client (it shows they are connected properly).
>
>

Do you have email alerts enabled? If not, check the alerts.log file on
the server. I don't trust the WUI.

>
>>
>> > (2)Added following to the local rules:
>> >
>> > <rule id="140125" level="7">
>> >     <if_sid>530</if_sid>
>> >     <match>ossec: output: 'reg QUERY</match>
>> >     <check_diff />
>> >     <description>New USB device connected</description>
>> > </rule>
>> >

In order to check_diff the log message will have to have fired at
least once before. So if the reg command hadn't been checked before
you inserted the USB drive nothing would happen.

You can enable the log all option on the OSSEC server, and check for
the reg log entries. That will give you something to make sure your
<match> statement is correct (I use aliases for my commands, so I
don't know what they show up as without the alias).

>> >
>> > Main problem: I got no GROUP NAME for this rule so I added this rule
>> > inside
>> > the predefined group
>> > <group name="local,syslog,">. Is it right thing to do?
>>
>> Did you try it without putting it inside of those group tags?
>> Yes, it's fine.
>>
>> > OR i need to place it somewhere else in this file. Please help.
>> >
>> > Kindly tell if I need to make any other change too.
>> >
>>
>
> Yes, I tried putting it outside them. It gives an ERROR when I put the -restart
> command in the terminal.
>
> I thought it was due to the missing group name, so then I gave it an
> arbitrary group name:
>
>
> <group name="USB">
>   <rule id="140125" level="7">
>     <if_sid>530</if_sid>
>     <match>ossec: output: 'reg QUERY</match>
>     <check_diff />
>     <description>New USB device connected</description>
>   </rule>
> </group>
>
> Then there was no error, but again no such event was detected even after the
> restart.
>
> Please help.
