On Sunday, June 23, 2013 at 23:40:11 UTC+7, Michael Starks wrote:
>
> On 06/23/2013 11:01 AM, vanhien771354 wrote:
>
> > When you install source application .msi OSSEC will get alert like that
> > ** Alert 1372002658.41135: mail - Install_MSI
> > 2013 Jun 23 22:50:58 (win7) 192.168.2.1->WinEvtLog
> > Rule: 100007 (level 7) -> 'Detected Software Install'
> > User: MrHien
> > WinEvtLog: Application: INFORMATION(1035): MsiInstaller: MrHien: MrHien-PC: MrHien-PC: Log Parser 2.2 2.2.10 1033 0 Microsoft Corporation (NULL)
>
> We already have a rule for this, but it looks like maybe there is
> another event log ID which needs to be added. Try this:
>
> <rule id="18147" level="5" overwrite="yes">
>   <if_sid>18101</if_sid>
>   <id>^11707$|^1035$</id>
>   <options>alert_by_email</options>
>   <description>Application Installed.</description>
> </rule>
>

Thanks for your help! I will try
