No problem. Here is the online manual 
http://www.ossec.net/doc/syntax/head_ossec_config.localfile.html for the 
<localfile> tag. Keep in mind that * can be used as a wildcard, so you could 
do something like:
<localfile>
  <location>c:\temp\*.reg</location>
  <log_format>syslog</log_format>
</localfile>
(Not sure if it's in plaintext.)

And your OSSEC agent will be monitoring every file that ends in .reg within 
\temp\. Very useful. Once you get your decoder and rules squared away for 
what you want alerts on (found in the .reg files), you will have a very
happy manager.

On Tuesday, August 13, 2013 1:01:51 PM UTC-4, Doug Kelly wrote:
>
> Thank you David. I had only been looking at the alerts.log and 
> archives.log for feedback. It didn't occur to me that there were other 
> great tools to replace what I was doing by hand. Also I will try out your 
> suggestion from question 2. Thanks again for the feedback.
>
> Doug
>
> On Tuesday, August 13, 2013 9:11:48 AM UTC-7, David Blanton wrote:
>>
>> Hi Doug,
>>
>> > Question 1: Is there a place where I can see the events generated by 
>> > the Agent on the Manager side?
>> >   - The reason for this question is that the ossec.log file shows 
>> >     entries that I can't prove show up as events to the manager. Like the 
>> >     following log:
>>
>> If this is for demonstration purposes, I would look into using the OSSEC 
>> Web UI. It's a great place to start to show a more holistic view of events 
>> on the network.
>> OSSIM and Splunk are great as well. They have the ability to do custom 
>> search queries, generate graphs based on network data, and can partition 
>> servers, events, and data
>> based on 'dashboards'. As Michael said, logall would be the best option 
>> for you right now.
>>
>> > Question 2: I am trying to create a simple demo showing:
>> >   1. How a file added to Windows' system32 directory 
>> >      would generate an alert
>> >   2. How modifying an existing or adding a new Registry 
>> >      key would generate an alert
>>
>> I am not too familiar with Windows, but you could always write a decoder 
>> and a rule to alert on this. Try using <localfile> within the 
>> ossec.conf (or equivalent) file on the Windows agent.
>> Monitor the file(s) to which the registries are logged. You can have several 
>> <localfile> tags to cover all your paths. Look into writing a decoder that 
>> will parse through the registries and a rule that 
>> will fire an alert when it happens. If you can give me the log I would be 
>> more than happy to help you (give it my best shot).
>>
>> The syscheck directories check does have report_changes and 
>> real_time options; however, report_changes is only available on Unix/Linux-like OSes.
>>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
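As an added example (not from this thread and not part of the decoders or rules shipped with OSSEC), here is what the decoder-and-rule half of the suggestion above could look like for a regedit export picked up by the wildcard <localfile> entry. It assumes the .reg file is written as plain ANSI text (a UTF-16 export, which is what regedit writes by default, would not match line by line), that the decoders go into etc/local_decoder.xml and the rules into etc/rules/local_rules.xml on the manager, and that the agent uses log_format syslog so each line of the file arrives as one event. The decoder names, the group name and the rule ids 100100 and 100101 are made up for this example; the ids are just values from the local-rule range (100000 to 119999). The sample line in the first comment is constructed, not taken from the thread.

```xml
<!-- Constructed sample event, one line of an ANSI .reg export as the agent would ship it:
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
-->

<!-- etc/local_decoder.xml (example decoders, assumed location) -->
<decoder name="reg-export">
  <!-- every key header in a .reg file starts with "[HKEY_"; square brackets
       are literal in OSSEC regex, so no escaping is needed -->
  <prematch>^[HKEY_</prematch>
</decoder>

<decoder name="reg-export-key">
  <parent>reg-export</parent>
  <!-- capture the whole key path between the brackets (\.+ is "any run of
       characters", so keys with spaces such as "Windows NT" still match) -->
  <regex>^[(\.+)]$</regex>
  <order>extra_data</order>
</decoder>

<!-- etc/rules/local_rules.xml (example rules, assumed location and ids) -->
<group name="local,windows,registry,">
  <!-- low-level event for any key header found in a monitored .reg export -->
  <rule id="100100" level="3">
    <decoded_as>reg-export</decoded_as>
    <description>Registry key present in monitored .reg export</description>
  </rule>

  <!-- escalate when the key is an autorun location; \\ is a literal backslash
       in OSSEC regex and the regex is applied to the full log line -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <regex>\\CurrentVersion\\Run]$|\\CurrentVersion\\RunOnce]$</regex>
    <description>Autorun registry key seen in monitored .reg export</description>
  </rule>
</group>
```

Two things to keep in mind when trying this: value lines ("Name"="data") do not match the prematch and stay undecoded unless a second decoder is added for them, and because <localfile> tails the file, only lines written after the agent opened it (or a freshly created file under the wildcard) generate events, so the demo works best when each export goes to a new file.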
