On Thu, Sep 11, 2014 at 12:05 PM, Macaulay Dias Souza <[email protected]> wrote:
> Hi guys,
>
> I'm testing the FIM of OSSEC.
>
> My server is a CentOS VM and my only client is a Windows 2008 Datacenter.
>
> In the Windows ossec.conf file I added the following lines:
>
> <!-- Syscheck - Integrity Checking config. -->
> <syscheck>
>
>   <!-- Default frequency, every 20 hours. It does not need to be higher
>      - on most systems and once a day should be enough.
>     -->
>   <frequency>2</frequency>
>

That's a ridiculous setting. It's not going to work how you want it to.

>   <!-- By default it is disabled. In the install you must choose
>      - to enable it.
>     -->
>   <disabled>no</disabled>
>
>   <!-- Default files to be monitored - system32 only. -->
>   <directories check_all="yes" realtime="yes">C:\temp</directories>
>
>   <!-- Windows registry entries to monitor. -->
>   <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
>
> On CentOS I'm running tail -f alerts.log to monitor the alerts that
> are being generated.
>
> However, I noticed that some files that are changed in C:\temp are not
> shown, or else take some time to be shown in the log file, and some are shown
> practically instantly when I make a change to a document.

Try turning on the log all option on the manager, then monitor archives.log to see if the changes are being sent to the manager.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
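An added example, not from the thread or the OSSEC project: a small Python linter for the <syscheck> block that flags the two things discussed above, a tiny <frequency> (the value is in seconds, so 2 means a full rescan every two seconds) and directories that are only covered by the scheduled scan rather than realtime="yes", which is where delayed alerts come from. The sample config is a constructed copy of the poster's block, and the one-hour threshold is an assumption.

```python
"""Lint the <syscheck> block of an OSSEC ossec.conf (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the poster's syscheck block plus one scheduled-only
# directory, so both kinds of warning show up.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <frequency>2</frequency>
    <disabled>no</disabled>
    <directories check_all="yes" realtime="yes">C:\\temp</directories>
    <directories check_all="yes">C:\\Windows\\System32</directories>
    <windows_registry>HKEY_LOCAL_MACHINE\\Software\\Classes\\batfile</windows_registry>
  </syscheck>
</ossec_config>
"""

MIN_SANE_FREQUENCY = 3600  # assumption: a full rescan more than hourly is flagged


def lint_syscheck(conf_text, min_frequency=MIN_SANE_FREQUENCY):
    """Parse the syscheck settings and return them with a list of warnings."""
    root = ET.fromstring(conf_text)
    sc = root.find("syscheck")
    if sc is None:
        return {"warnings": ["no <syscheck> block found"]}
    warnings = []
    disabled = (sc.findtext("disabled") or "no").strip().lower() == "yes"
    if disabled:
        warnings.append("syscheck is disabled; no integrity alerts will be produced")
    freq_text = (sc.findtext("frequency") or "").strip()
    frequency = int(freq_text) if freq_text.isdigit() else None
    if frequency is not None and frequency < min_frequency:
        warnings.append(f"frequency={frequency}s is far too low (value is in seconds); "
                        'use realtime="yes" per directory instead of constant rescans')
    realtime, scheduled = [], []
    for d in sc.findall("directories"):
        # A <directories> element may list several comma-separated paths.
        for path in (p.strip() for p in (d.text or "").split(",") if p.strip()):
            (realtime if d.get("realtime") == "yes" else scheduled).append(path)
    for path in scheduled:
        warnings.append(f"{path} is only checked on the scheduled scan; changes "
                        "there appear with a delay of up to <frequency> seconds")
    return {"disabled": disabled, "frequency": frequency,
            "realtime": realtime, "scheduled": scheduled, "warnings": warnings}
```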
