Sorry, anyways it's ok. Thanks for the help.
Bye!

On Wed, Jun 27, 2012 at 12:09 AM, dan (ddp) <[email protected]> wrote:
> This will be my last email in this thread. I'm not interested in
> trying to help someone who is making that task as difficult as
> possible. You are unwilling to troubleshoot or apply any thought to
> the problem, or help me help you fix the problem.
>
> Good luck!
>
> On Tue, Jun 26, 2012 at 2:32 PM, sahil sharma <[email protected]> wrote:
> > Ok, I guess you are very right. I guess I am a bit confused of terminology,
> > now getting step by step.
> >
> > All I have is :
> > 1) a central server: ubuntu virtual machine.
> > 2) a client : windows
> >
> > I want to:
> > 1) Detect when someone inserts USB into the client system.
> > ----> I am badly confused where to make changes to implement this.
> > ----> I have 3 places :-
> > (1) On client's ossec itself: C/Prog file(x86)>ossec>ossec config :
> > Seems to be bad option to add instruction at a client which itself
> > has to be monitored. So I guess it's wrong and once I add anything
> > to this file, I am unable to START/RESTART agent at win.
>
> I have answered this. The changes need to be made in the agent's
> ossec.conf. There should be no confusion at this point.
>
> > (2) ossec at server: var/ossec (don't remember exact path).
> > Adding changing to this, restarting the server I see no USB alert.
> >
> > Sorry, but I don't know why it's not working, if you say I can attach the
> > exact files where I have made the changes.
> >
>
> I told you what I would have needed to help you. Hopefully someone
> else with more patience will be willing to do the job of your
> administrator.
>
> > Would be a great help.
> >
> > On Tue, Jun 26, 2012 at 4:02 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Jun 26, 2012 6:30 AM, "sahil sharma" <[email protected]> wrote:
> >> >
> >> > Hi
> >> >
> >> > When I change config at client side, the OSSEC Agent Manager at client's
> >> > status is always :stopped.
> >> > I tried re-installing, restarting it numerous times.
> >> >
> >> > Please help.
> >> >
> >>
> >> How? You didn't provide the error messages or configuration. Without those
> >> 2 things all I can do to help is tell you to fix your configuration.
> >>
> >> Why are you making this so difficult?
> >>
> >> > On Mon, Jun 25, 2012 at 1:40 AM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Jun 24, 2012 3:36 PM, "sahil sharma" <[email protected]> wrote:
> >> >> >
> >> >> > On Fri, Jun 22, 2012 at 3:58 PM, dan (ddp) <[email protected]> wrote:
> >> >> >>
> >> >> >> On Jun 22, 2012 6:16 AM, "sahil sharma" <[email protected]> wrote:
> >> >> >> >>
> >> >> >> >> This is for configuration changes, not rules:
> >> >> >> >> Your choice. If you want to use the agent.conf change it there.
> >> >> >> >> If you have a good change management system, changing the
> >> >> >> >> ossec.conf might be good enough.
> >> >> >> >>
> >> >> >> >> The OSSEC server does not use the agent.conf though, so if you're
> >> >> >> >> setting up something for the OSSEC server it'll have to be in
> >> >> >> >> that system's ossec.conf.
> >> >> >> >>
> >> >> >> >
> >> >> >> > (1) I have added following code to >var>ossec>etc>shared>agent.conf
> >> >> >> >
> >> >> >>
> >> >> >> As is documented in the full_command documentation, this has to go
> >> >> >> in the agent's ossec.conf. I apologize, I forgot about this restriction.
> >> >> >
> >> >> > Please, clarify on this, I have to add the following code in agent's
> >> >> > ossec.conf i.e. I have a win7 agent so I must add it to
> >> >> > >c>prog_files(x86)>ossec>ossec(config) ???? If yes, then do I need to put
> >> >> > <agent_config os="Windows"> at start or not?
> >> >> >
> >> >>
> >> >> I guess that's the file. I don't do much with Windows. You do not need
> >> >> to add that, since this isn't the agent.conf
> >> >>
> >> >> > 1) Do I need to remove this code from
> >> >> > >var>ossec>etc>shared>agent.conf where I had previously added it?
> >> >>
> >> >> There's no good reason to have it there.
> >> >>
> >> >> > 2) Changing config at client side gives unusual problem in client's
> >> >> > ossec agent which then display (check config:warning) when I
> >> >> > try to start/stop/restart the client ossec agent.
> >> >>
> >> >> What did you add? Where did you add it? Cryptically telling me you got
> >> >> an error doesn't do anyone any good. Maybe you should consult a sysadmin, or
> >> >> someone else with technical skills.
> >> >>
> >> >> > 3) What's diff in adding in these two different files?
> >> >> >>
> >> >> >> > <agent_config os="Windows">
> >> >> >> >
> >> >> >> > <localfile>
> >> >> >> > <log_format>full_command</log_format>
> >> >> >> > <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
> >> >> >> > <alias>usb-check</alias>
> >> >> >> > </localfile>
> >> >> >> >
> >> >> >> > </agent_config>
> >> >> >
> >> >> >>
> >> >> >> Regards,Sahil.
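
The placement rule from the thread (the `full_command` block goes in the agent's own ossec.conf, without the `<agent_config>` wrapper), as an added Python check that is not part of the original thread or of OSSEC. The helper name `check_placement` and the sample strings are constructed for illustration; the text is parsed with a generic XML parser rather than OSSEC's own, and `<ossec_config>` is assumed as the top-level element of ossec.conf.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <localfile> block quoted in the thread.
LOCALFILE = r"""
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <alias>usb-check</alias>
  </localfile>
"""
# As first posted: wrapped for the server-side shared agent.conf.
AS_POSTED = '<agent_config os="Windows">' + LOCALFILE + "</agent_config>"
# As the reply describes: in the agent's own ossec.conf, no agent_config wrapper.
FOR_OSSEC_CONF = "<ossec_config>" + LOCALFILE + "</ossec_config>"

ROOT_FOR = {"ossec.conf": "ossec_config", "agent.conf": "agent_config"}


def check_placement(text, target):
    """Return a list of problems with `text` if it were saved as `target`
    ('ossec.conf' or 'agent.conf'). Hypothetical helper, not an OSSEC tool."""
    try:
        # A config may hold several top-level blocks, so wrap before parsing.
        doc = ET.fromstring("<wrapper>" + text + "</wrapper>")
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    for top in doc:
        if top.tag != ROOT_FOR[target]:
            problems.append(f"<{top.tag}> is not a top-level element of {target}")
    for lf in doc.iter("localfile"):
        if (lf.findtext("log_format") or "").strip() != "full_command":
            continue
        if target == "agent.conf":
            problems.append("full_command must be in the agent's ossec.conf")
        if not (lf.findtext("command") or "").strip():
            problems.append("full_command entry has no <command>")
    return problems


if __name__ == "__main__":
    for name, text, target in [
        ("as posted, saved as agent.conf", AS_POSTED, "agent.conf"),
        ("as posted, pasted into ossec.conf", AS_POSTED, "ossec.conf"),
        ("unwrapped, in ossec.conf", FOR_OSSEC_CONF, "ossec.conf"),
    ]:
        print(f"{name}: {check_placement(text, target) or 'ok'}")
```

Running a check like this on the edited text before restarting the agent catches an unclosed tag or a leftover `<agent_config>` wrapper while the previous working file is still easy to restore.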
