I am having trouble getting Windows registry monitoring to work. Details
follow:
Server and client versions are 2.7.1.
I verified that the agent and server have the same agent.conf information:
agent_control -i 002
Operating system: Microsoft Windows Server 2003, Standard Edition Serv..
Client version: OSSEC HIDS v2.7.1 / a9b8b04566d8fd5209201768027150d1
On the server, md5sum agent.conf is a9b8b04566d8fd5209201768027150d1
The registry line in agent.conf is :
<windows_registry>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</windows_registry>
The agent.conf does not have a syntax error:
verify-agent-conf
verify-agent-conf: Verifying [/apps/ossec/etc/shared/agent.conf].
Ran syscheck on the client.
On the client, ran regedit and added a key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run called
ossec-test.
Ran syscheck again but got no report on the change.
syscheck_control -i 002 - no registry changes reported.
I monitor the ossec logs on the client and see that syscheck is running as
expected. I have run out of ideas on what else to check. Does anyone have
any suggestions?
Thanks in advance
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
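A check worth running on the agent when a `<windows_registry>` entry produces no alerts is to confirm that every key listed in agent.conf actually exists on that machine, spelled exactly as the key being edited, and to print the local file's MD5 for comparison with the md5sum that agent_control shows on the server. The script below is an added example written for this thread; it is not code from the original post or from the OSSEC project. The agent.conf location is an assumption (the default OSSEC agent install directory), and the embedded agent.conf text is a constructed sample whose second entry deliberately omits `Windows\` so that the output shows what a path mismatch looks like.

```powershell
# Added example, not code from the original post or from the OSSEC project.
# Reads the <windows_registry> entries from an OSSEC agent.conf, reports whether
# each key exists on this agent, and prints the file's MD5 for comparison with
# the md5sum that agent_control -i shows on the server.
# The default path below is an assumption (default OSSEC agent install directory).
param(
    [string]$AgentConf = 'C:\Program Files\ossec-agent\shared\agent.conf'
)

# Constructed sample, used when the real file is absent so the script runs anywhere.
# The second entry deliberately omits "Windows\" to show what a mismatch looks like.
$sample = @'
<agent_config>
  <syscheck>
    <windows_registry>\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentVersion\Run</windows_registry>
  </syscheck>
</agent_config>
'@

function Get-Md5Hex([string]$Path) {
    # MD5 via .NET so this also works on PowerShell 2.0, which has no Get-FileHash.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Close() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-MonitoredRegistryKeys([string]$ConfText) {
    # Entries name the hive in full; a leading backslash is accepted and dropped here.
    [regex]::Matches($ConfText, '<windows_registry>\s*(.*?)\s*</windows_registry>') |
        ForEach-Object { $_.Groups[1].Value.TrimStart('\') }
}

function Test-MonitoredRegistryKey([string]$OssecPath) {
    # Test-Path needs the Registry:: provider prefix to address a key by hive name.
    return (Test-Path -LiteralPath ('Registry::' + $OssecPath))
}

if (Test-Path -LiteralPath $AgentConf) {
    $confText = Get-Content -LiteralPath $AgentConf | Out-String
    Write-Host ('md5 of {0}: {1}' -f $AgentConf, (Get-Md5Hex $AgentConf))
} else {
    Write-Host "$AgentConf not found; using the constructed sample instead."
    $confText = $sample
}

foreach ($key in Get-MonitoredRegistryKeys $confText) {
    $state = if (Test-MonitoredRegistryKey $key) { 'exists' } else { 'MISSING' }
    Write-Host ('{0,-8} {1}' -f $state, $key)
}
```

Run it in an elevated PowerShell session on the agent; any line reported as MISSING is a path that syscheck can be told to watch but that no regedit change will ever touch, and the printed MD5 should equal the value agent_control -i prints for that agent on the server.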