On Wed, Jun 4, 2014 at 4:26 PM, pmsearle90 <[email protected]> wrote:
> I have worked with OSSEC in the past and taken over in the last three months
> our OSSEC infrastructure, so have mercy...
>
> I am following up after reading this thread and trying to implement USB
> thumb drive insertion monitoring:
>
> https://groups.google.com/d/topic/ossec-list/eL2DTKSXnhI/discussion
>
> and trying to follow the 2.7.1 documentation from Daniel Cid on USB storage
> detection example for using the <check_diff /> feature:
>
> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
>
> I do not get the server to add the directory to the "/diff/" subdirectory:
>
> Next create a local rule for that command:
>
> <rule id="140125" level="7">
>   <if_sid>530</if_sid>
>   <match>ossec: output: 'reg QUERY</match>
>   <check_diff />
>   <description>New USB device connected</description>
> </rule>
>
> Now after a few minutes you will see a directory at
> /var/ossec/queue/diff/[agent_name]/[rule_id] with the current snapshot of
> this command
>
> I get the following excerpt on my client-side log (from service restart) and
> then nothing on my alert log on the server:
>
> 2014/06/04 13:10:11 ossec-agent: Exiting...
> 2014/06/04 13:10:11 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
> 2014/06/04 13:10:11 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.
> 2014/06/04 13:10:11 ossec-execd(1350): INFO: Active response disabled. Exiting.
> 2014/06/04 13:10:11 ossec-agent(1410): INFO: Reading authentication keys file.
> 2014/06/04 13:10:11 ossec-agent: INFO: Assigning counter for agent AZS1901RG03: '99746:8391'.
> 2014/06/04 13:10:11 ossec-agent: INFO: Assigning sender counter: 7:4371
> 2014/06/04 13:10:11 ossec-agent: INFO: Trying to connect to server (10.1.16.26:1514).
> 2014/06/04 13:10:11 ossec-agent: INFO: Using IPv4 for: 10.1.16.26 .
> 2014/06/04 13:10:11 ossec-agent: Starting syscheckd thread.
> 2014/06/04 13:10:11 ossec-rootcheck: INFO: Started (pid: 4924).
>
> Thanks for any help in advance,
> Paul
>
What's the question?

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
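The agent log quoted in the thread already points at the likely cause: the agent reports "Remote commands are not accepted from the manager. Ignoring it on the agent.conf" and then a configuration error for the shared agent.conf, so the `reg QUERY` command pushed from the manager is never run, rule 530 never sees its output, and no `queue/diff/` snapshot can appear. Refusing manager-pushed commands is a deliberate OSSEC safeguard (a manager that can push arbitrary commands can run them on every agent); it is controlled by the `logcollector.remote_commands` internal option, and a command placed in the agent's own ossec.conf is not subject to it. The script below is an added example, not code from the thread or from the OSSEC project: it parses ossec.log lines in the format shown above (`date time daemon(code): LEVEL: message`) and flags that failure pattern. `SAMPLE_LOG` is the page's log excerpt with the mail wrapping undone; `parse_line`, `parse_log` and `diagnose` are names chosen here.

```python
import re

# Constructed sample input: the agent-side log excerpt quoted in the thread,
# with the line wrapping introduced by the mail client undone.
SAMPLE_LOG = """\
2014/06/04 13:10:11 ossec-agent: Exiting...
2014/06/04 13:10:11 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2014/06/04 13:10:11 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.
2014/06/04 13:10:11 ossec-execd(1350): INFO: Active response disabled. Exiting.
2014/06/04 13:10:11 ossec-agent(1410): INFO: Reading authentication keys file.
2014/06/04 13:10:11 ossec-agent: INFO: Assigning counter for agent AZS1901RG03: '99746:8391'.
2014/06/04 13:10:11 ossec-agent: INFO: Assigning sender counter: 7:4371
2014/06/04 13:10:11 ossec-agent: INFO: Trying to connect to server (10.1.16.26:1514).
2014/06/04 13:10:11 ossec-agent: INFO: Using IPv4 for: 10.1.16.26 .
2014/06/04 13:10:11 ossec-agent: Starting syscheckd thread.
2014/06/04 13:10:11 ossec-rootcheck: INFO: Started (pid: 4924).
"""

# One ossec.log line: "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: message".
# Both the "(code)" and the "LEVEL:" parts are optional, as the sample shows.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)(?:\((?P<code>\d+)\))?: "
    r"(?:(?P<level>INFO|WARN|ERROR|DEBUG): )?(?P<msg>.*)$"
)

# Message the agent logs when it drops <command>/<full_command> entries that
# arrived via the manager's shared agent.conf.
REMOTE_CMD_REFUSED = "Remote commands are not accepted from the manager"


def parse_line(line):
    """Return a dict (ts, daemon, code, level, msg) for one log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"]) if rec["code"] else None
    return rec


def parse_log(text):
    """Parse every well-formed line of an ossec.log excerpt; other lines are skipped."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def diagnose(text):
    """Explain why a manager-pushed command never feeds rule 530 / check_diff.

    Returns record and error counts plus a list of findings, each with a kind,
    the timestamp it was seen at, and a defender-oriented hint.
    """
    records = parse_log(text)
    findings = []
    for rec in records:
        if REMOTE_CMD_REFUSED in rec["msg"]:
            findings.append({
                "kind": "remote_commands_disabled",
                "ts": rec["ts"],
                "hint": ("the agent ignores <command>/<full_command> entries in the "
                         "shared agent.conf; either define the command in the agent's "
                         "own ossec.conf, or opt in with logcollector.remote_commands=1 "
                         "in the agent's local_internal_options.conf, accepting that the "
                         "manager can then run arbitrary commands on every agent"),
            })
        elif rec["level"] == "ERROR" and "agent.conf" in rec["msg"]:
            findings.append({
                "kind": "shared_agent_conf_rejected",
                "ts": rec["ts"],
                "hint": ("the shared agent.conf was rejected, so the command is not "
                         "scheduled: no output reaches rule 530 on the manager and no "
                         "queue/diff/<agent>/<rule_id> snapshot is written"),
            })
    return {
        "records": len(records),
        "errors": sum(1 for r in records if r["level"] == "ERROR"),
        "findings": findings,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(f"{result['records']} lines parsed, {result['errors']} ERROR lines")
    for f in result["findings"]:
        print(f"[{f['ts']}] {f['kind']}: {f['hint']}")
```

Run it against a real `ossec.log` by passing the file's contents to `diagnose`; on the excerpt above it reports both findings, which is the condition to clear before expecting anything under `queue/diff/`.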
