The last OSSEC release made all registry changes drop below the default
email threshold, even useful ones like this. Add something to
local_rules.xml to selectively elevate the Level, like this:

 

<rule id="110000" level="10">
        <if_sid>594</if_sid>
        <match>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</match>
        <description>A change has been made to the software that automatically runs at startup.</description>
</rule>

 

From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
Behalf Of Ruwan Geeganage
Sent: Wednesday, May 01, 2013 8:05 AM
To: ossec-list@googlegroups.com
Subject: [ossec-list] OSSEC windows agent - Registry modification alerts

 

I have installed the OSSEC agent on my Windows PC.

I want to get alerts when any program or person adds new entries to the
following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I checked the ossec.conf in the Windows agent. It has the particular entry. But
I'm not getting any real-time alerts.

Please help

-- 
 
--- 
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 
