Dan,

This is happening correctly; the OSSEC service is running (by default) as LocalSystem. In the context of the running service, %USERNAME% will therefore be the computername$ string you see.

A logged-in user will have a different environment. Their environment will inherit some global environment settings, but %USERNAME% will be defined differently at the time that they log in. OSSEC does not run in the user's context, it starts before users log in and it runs in its own context. You need to find a different way to specify the directories you are after.

On Tuesday, November 18, 2014 6:23:21 PM UTC-5, Dan Schein wrote:
>
> OS is Windows 7 64-bit, OSSEC client is v2.8 (32 bit)
>
> Objective -> Monitor the Local Apps directory for each user.
>
> Added the following line to ossec.conf file:
>
> *<directories check_all="yes" realtime="yes">C:\Users/%USERNAME%/AppData/Local/Apps/2.0</directories>*
>
> Problem is that "%USERNAME%" is being translated into the machine name
> with a "$" at the end as shown in log file:
>
> *ossec-agent: INFO: Monitoring directory: 'C:\Users/APC-WS112$/AppData/Local/Apps/2.0'.*
>
> This results in *WARN: Error opening directory*. I suspect this is
> related to running a 32-bit app on a 64-bit OS. Any suggestions / help how
> to fix this would be greatly appreciated.
>
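One way to specify the directories without relying on %USERNAME%, as an added example that is not part of the original thread or of OSSEC itself: a PowerShell function that reads each user profile path from the registry ProfileList key and prints one `<directories>` line per profile with the literal path. The function name is hypothetical; the relative path and the `check_all`/`realtime` attributes are copied from the quoted post.

```powershell
# Added example (not from the thread): emit one literal <directories> entry
# per user profile, so the LocalSystem service never has to expand %USERNAME%.
# Get-OssecUserDirectoryEntries is a made-up name for this illustration.
function Get-OssecUserDirectoryEntries {
    param(
        # Relative path taken from the quoted post.
        [string]$RelativePath = 'AppData\Local\Apps\2.0',
        [string]$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    )

    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        # Skip the built-in service profiles: LocalSystem, LocalService, NetworkService.
        if ($_.PSChildName -match '^S-1-5-(18|19|20)$') { return }

        $profilePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if (-not $profilePath) { return }

        # ProfileImagePath is REG_EXPAND_SZ; expand any %SystemDrive%-style variables.
        $profilePath = [Environment]::ExpandEnvironmentVariables($profilePath)
        $target = Join-Path -Path $profilePath -ChildPath $RelativePath

        # Only emit directories that exist, to avoid "Error opening directory".
        if (Test-Path -LiteralPath $target -PathType Container) {
            # Escape XML special characters (for example '&' in an account name).
            $escaped = [System.Security.SecurityElement]::Escape($target)
            '<directories check_all="yes" realtime="yes">{0}</directories>' -f $escaped
        }
    }
}

# Print the entries for review before pasting them into ossec.conf.
Get-OssecUserDirectoryEntries
```

Profiles created after the entries are generated are not covered until the function is run again and ossec.conf is updated.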
