If using the audit on the agent, win_audit.txt:

    [Software Installed] [any] [] r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall;
An alert is created every time the agent restarts, although no software was installed. It's wrong.

Using Event Viewer will track the event source .msi. In OSSEC, create one local rule:

    <group name="Install_MSI">
      <rule id="100007" level="7">
        <if_sid>18101</if_sid>
        <match>1035</match>
        <description>Detected Software Install</description>
      </rule>
    </group>

When you install an application from an .msi source, OSSEC will get an alert like this:

    ** Alert 1372002658.41135: mail - Install_MSI
    2013 Jun 23 22:50:58 (win7) 192.168.2.1->WinEvtLog
    Rule: 100007 (level 7) -> 'Detected Software Install'
    User: MrHien
    WinEvtLog: Application: INFORMATION(1035): MsiInstaller: MrHien: MrHien-PC: MrHien-PC: Log Parser 2.2 2.2.10 1033 0 Microsoft Corporation (NULL)
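As an added example (not part of the post above), a small Python check that parses the OSSEC WinEvtLog line format shown in the alert and compares what a plain `<match>1035</match>` catches against a check keyed on the event ID and source; the second sample line is constructed to show a non-MSI event that merely contains the string "1035".

```python
import re

# OSSEC agents forward Windows events in this layout (as seen in the alert above):
#   WinEvtLog: <log>: <TYPE>(<event id>): <source>: <user>: <domain>: <computer>: <message>
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): "
    r"(?P<message>.*)$"
)


def parse_winevtlog(line):
    """Split one WinEvtLog line into its fields; None if the layout does not fit."""
    m = WINEVT_RE.match(line)
    return m.groupdict() if m else None


def loose_rule_matches(line):
    """Approximates the post's rule: an informational Windows event (sid 18101)
    whose log text contains the substring 1035 anywhere."""
    ev = parse_winevtlog(line)
    return ev is not None and ev["type"] == "INFORMATION" and "1035" in line


def strict_rule_matches(line):
    """Tighter check: the event ID itself is 1035 and the source is MsiInstaller."""
    ev = parse_winevtlog(line)
    return ev is not None and ev["event_id"] == "1035" and ev["source"] == "MsiInstaller"


def evaluate(lines):
    """Return (loose_hits, strict_hits) as lists of line indexes for comparison."""
    loose = [i for i, l in enumerate(lines) if loose_rule_matches(l)]
    strict = [i for i, l in enumerate(lines) if strict_rule_matches(l)]
    return loose, strict


SAMPLE_LINES = [
    # Line taken from the alert in the post.
    "WinEvtLog: Application: INFORMATION(1035): MsiInstaller: MrHien: MrHien-PC: "
    "MrHien-PC: Log Parser 2.2 2.2.10 1033 0 Microsoft Corporation (NULL)",
    # Constructed: unrelated informational event whose message happens to contain 1035.
    "WinEvtLog: Application: INFORMATION(1000): ExampleSvc: SYSTEM: NT AUTHORITY: "
    "MrHien-PC: Service started with pid 1035",
]

if __name__ == "__main__":
    loose, strict = evaluate(SAMPLE_LINES)
    print("substring match fired on lines:", loose)   # [0, 1]
    print("event-id + source check fired on lines:", strict)  # [0]
```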
