Hi Doug,

> *Question 1:* Is there a place where I can see the events generated by the Agent on the Manager side?
> - The reason for this question is that the ossec.log file shows entries that I can't prove show up as events to the manager. Like the following log:

If this is for demonstration purposes, I would look into using the OSSEC Web UI. It's a great place to start to show a more holistic view of events on the network. OSSIM and Splunk are great as well. They have the ability to do custom search queries, generate graphs based on network data, and can partition servers, events, and data based on 'dashboards'. As Michael said, logall would be the best option for you right now.

> *Question 2:* I am trying to create a simple demo showing:
> 1. How a file added to Windows' system32 directory would generate an alert
> 2. How modifying an existing or adding a new Registry key would generate an alert

I am not too familiar with Windows, but you could always write a decoder and a rule to alert on this. Try using the <localfile> within the ossec.conf (or equivalent) file on the Windows agent. Monitor the file(s) in which registry changes are logged. You can have several <localfile> tags to cover all your paths. Look into writing a decoder that will parse the registry entries and a rule that will fire an alert when it happens. If you can give me the log I would be more than happy to help you (give it my best shot). The syscheck <directories> check does have report_changes and real_time; however, report_changes is only available on Unix/Linux-like OSes.
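A worked sketch of the pieces the reply above describes, added here as an example and not taken from the post or from OSSEC's own configuration files: a <localfile> entry on the agent, logall on the manager, and a decoder plus local rule for a registry-change line. The log line format (`REGCHANGE op=... key=... user=...`) and the path C:\logs\regmon.log are constructed assumptions; the real line from Doug's log would replace them.

```xml
<!-- ossec.conf on the Windows agent: forward the assumed file C:\logs\regmon.log.
     Constructed sample line it is assumed to contain:
     REGCHANGE op=create key=HKLM\SOFTWARE\Example\Run user=DEMO\alice -->
<localfile>
  <log_format>syslog</log_format>
  <location>C:\logs\regmon.log</location>
</localfile>

<!-- ossec.conf on the manager: logall archives every forwarded line to
     logs/archives/archives.log, which is how to prove an agent event reached the manager -->
<global>
  <logall>yes</logall>
</global>

<!-- Local decoder file on the manager: parse the constructed REGCHANGE line.
     The three captures land in the action, extra_data and user fields. -->
<decoder name="regchange">
  <prematch>^REGCHANGE </prematch>
  <regex offset="after_prematch">^op=(\S+) key=(\S+) user=(\S+)</regex>
  <order>action, extra_data, user</order>
</decoder>

<!-- local_rules.xml on the manager: alert on any decoded registry change (level 7),
     and raise the level when the changed key path contains "Run" (assumed autorun key). -->
<group name="local,registry,">
  <rule id="100100" level="7">
    <decoded_as>regchange</decoded_as>
    <description>Registry key change logged by agent</description>
  </rule>
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <extra_data>Run</extra_data>
    <description>Autorun registry key modified</description>
  </rule>
</group>
```

After restarting the manager, `/var/ossec/bin/ossec-logtest` can be fed the constructed line to confirm which decoder and rule match before the agent sends live data.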
