Can you post the <rule id=100004> you wrote?

On Friday, 21 June 2013 13:45:37 UTC+5:30, vanhien771354 wrote:
>
> I'm using audit to detect USB in the file *win_audit_rcl.txt*:
>
> [USB Storage Inserted] [any] []
> r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0;
>
> I enabled the logall option. In the file /var/ossec/log/archive/archive.log I'm sure
> the log comes in like this:
>
> 2013 Jun 21 14:57:32 (win7) 192.168.2.1->rootcheck Windows Audit: USB Storage Inserted.
>
> I created a decoder and tested it:
> # /var/ossec/bin/ossec-logtest
> 2013/06/21 15:11:39 ossec-testrule: INFO: Reading local decoder file.
> 2013/06/21 15:11:39 ossec-testrule: INFO: Started (pid: 16050).
> ossec-testrule: Type one log per line.
>
> 2013 Jun 21 14:57:32 (win7) 192.168.2.1->rootcheck Windows Audit: USB Storage Inserted.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: '2013 Jun 21 14:57:32 (win7) 192.168.2.1->rootcheck Windows Audit: USB Storage Inserted.'
>        hostname: 'localhost'
>        program_name: '(null)'
>        log: '2013 Jun 21 14:57:32 (win7) 192.168.2.1->rootcheck Windows Audit: USB Storage Inserted.'
>
> **Phase 2: Completed decoding.
>        decoder: 'USB_Audit'
>        extra_data: 'USB'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '100004'
>        Level: '7'
>        Description: 'Detected USB Storage'
> **Alert to be generated.
>
> I restarted the agent and inserted a USB. The log comes in as:
>
> ** Alert 1371801452.12814: - ossec,rootcheck,
> 2013 Jun 21 14:57:32 (win7) 192.168.2.1->rootcheck
> Rule: 512 (level 3) -> 'Windows Audit event.'
> Windows Audit: USB Storage Inserted.
>
> Why does OSSEC not match rule 100004? What is wrong? I tried restarting the agent again
> and inserting the USB; no alert about USB.
>
>
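The live alert above was produced by the built-in rootcheck rule 512, because rootcheck events arriving from the agent are handled by OSSEC's internal rootcheck decoder rather than by a custom log decoder, whereas ossec-logtest treats the pasted line as an ordinary log and so reaches the custom decoder. As an added example (not code from the thread), a local rule that chains off rule 512 with if_sid instead of relying on a new decoder; the rule id and description are taken from the post, and the file name local_rules.xml is the usual location for such overrides:

```xml
<!-- Added example, not from the thread: place in /var/ossec/rules/local_rules.xml.
     Rule 512 ("Windows Audit event.") is the built-in rootcheck rule that fired
     in the live run above; this child rule narrows it to the USB audit message. -->
<group name="local,rootcheck,">
  <rule id="100004" level="7">
    <if_sid>512</if_sid>
    <match>USB Storage Inserted</match>
    <description>Detected USB Storage</description>
  </rule>
</group>
```

Restart the server after adding the rule; ossec-logtest will not exercise this path for a pasted line, so confirm it against a real rootcheck event in alerts.log.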
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
