On Sunday, 23 June 2013 at 23:01:17 UTC+7, vanhien771354 wrote:
>
> If using audit on Agent win_audit.txt
>
> [Software Installed] [any] []
> r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall;
>
> An alert is created every time the Agent restarts although no software is installed. It's wrong.
>
> Using Event Viewer will track the event source .msi. In OSSEC create one local rule:
>
> <group name="Install_MSI">
>   <rule id="100007" level="7">
>     <if_sid>18101</if_sid>
>     <match>1035</match>
>     <description>Detected Software Install</description>
>   </rule>
> </group>
>
> When you install an application from an .msi source, OSSEC will get an alert like this:
>
> ** Alert 1372002658.41135: mail - Install_MSI
> 2013 Jun 23 22:50:58 (win7) 192.168.2.1->WinEvtLog
> Rule: 100007 (level 7) -> 'Detected Software Install'
> User: MrHien
> WinEvtLog: Application: INFORMATION(1035): MsiInstaller: MrHien: MrHien-PC: MrHien-PC: Log Parser 2.2 2.2.10 1033 0 Microsoft Corporation (NULL)
>
> Thanks for your help, but I can't find Event Viewer?
> After I copy [Software Installed] [any] []
> r:HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall;
>
> <https://lh3.googleusercontent.com/-H-UpEg4IsrU/Ucf3sOabeqI/AAAAAAAAAFo/MXi8mthJkLY/s1600/Capture.PNG>
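As an added example (not code from the thread or from OSSEC itself), the Python below replays the rule chain quoted above over a few WinEvtLog lines: the first sample line is the poster's own alert, the other two are constructed. It shows the built-in 18101 informational-event check feeding local rule 100007, and that `<match>1035</match>` is a substring test over the whole line, so any informational event whose text happens to contain 1035 also fires it; a field test on the decoded event id (what an OSSEC `<id>` element does) is shown beside it for comparison.

```python
import re
from dataclasses import dataclass

# Shape of the WinEvtLog line quoted in the thread:
#   WinEvtLog: <channel>: <STATUS>(<event id>): <source>: <user>: <domain>: <host>: <message>
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]*): (?P<domain>[^:]*): (?P<host>[^:]*): (?P<message>.*)$"
)

@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    source: str
    message: str

def rule_18101(fields):
    # OSSEC's built-in "Windows informational event" rule keys on the status field
    return fields["status"] == "INFORMATION"

def evaluate(line, strict=False):
    """Apply local rule 100007 to one WinEvtLog line; returns an Alert or None.
    strict=False reproduces <match>1035</match>: a substring test over the whole line.
    strict=True models an <id>1035</id> field test on the decoded event id instead."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    if not rule_18101(f):                 # <if_sid>18101</if_sid>
        return None
    hit = f["event_id"] == "1035" if strict else ("1035" in line)
    if not hit:
        return None
    return Alert(100007, 7, "Detected Software Install", f["source"], f["message"])

# Sample input: line 1 is the alert from the thread; lines 2 and 3 are constructed.
SAMPLE_LINES = [
    "WinEvtLog: Application: INFORMATION(1035): MsiInstaller: MrHien: MrHien-PC: MrHien-PC: Log Parser 2.2 2.2.10 1033 0 Microsoft Corporation (NULL)",
    "WinEvtLog: System: INFORMATION(7036): Service Control Manager: SYSTEM: NT AUTHORITY: MrHien-PC: The Port 1035 listener service entered the running state.",
    "WinEvtLog: Application: WARNING(1035): MsiInstaller: MrHien: MrHien-PC: MrHien-PC: Installer warning text",
]

def run(lines, strict=False):
    """Return the alerts rule 100007 raises over the given lines."""
    return [a for a in (evaluate(l, strict) for l in lines) if a]

if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "substring", [a.source for a in run(SAMPLE_LINES, mode)])
```

The substring mode alerts on both informational lines, the field-test mode only on the MsiInstaller event; the WARNING line never reaches rule 100007 because 18101 does not fire for it.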
