Rick, thanks for the info; it makes sense.

Because OSSEC is running as a service, in order to monitor *C:\Users/%USERNAME%/AppData/Local/Apps/2.0* for all users I need to monitor "C:\Users". The problem is going to be all the chaff alerts from the other directories under C:\Users.

On Tuesday, November 18, 2014 6:37:58 PM UTC-5, Rick McClinton wrote:
>
> Dan, this is happening correctly; the OSSEC service is running (by default) as LocalSystem. In the context of the running service, %USERNAME% will therefore be the computername$ string you see.
>
> A logged-in user will have a different environment. Their environment will inherit some global environment settings, but %USERNAME% will be defined differently at the time that they log in. OSSEC does not run in the user's context; it starts before users log in and it runs in its own context. You need to find a different way to specify the directories you are after.
>
>
> On Tuesday, November 18, 2014 6:23:21 PM UTC-5, Dan Schein wrote:
>>
>> OS is Windows 7 64-bit, OSSEC client is v2.8 (32-bit)
>>
>> Objective -> Monitor the Local Apps directory for each user.
>>
>> Added the following line to the ossec.conf file:
>>
>> *<directories check_all="yes" realtime="yes">C:\Users/%USERNAME%/AppData/Local/Apps/2.0</directories>*
>>
>> Problem is that "%USERNAME%" is being translated into the machine name with a "$" at the end, as shown in the log file:
>>
>> *ossec-agent: INFO: Monitoring directory: 'C:\Users/APC-WS112$/AppData/Local/Apps/2.0'.*
>>
>> This results in *WARN: Error opening directory*. I suspect this is related to running a 32-bit app on a 64-bit OS. Any suggestions / help on how to fix this would be greatly appreciated.
>>
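As an added example (not from the thread, and not part of OSSEC itself), one way to take Rick's advice and "find a different way to specify the directories" without monitoring all of C:\Users: enumerate the per-user profile folders that actually contain the ClickOnce path at generation time and emit one explicit `<directories>` element per user for ossec.conf. The sub-path and the `check_all`/`realtime` attributes are taken from Dan's original configuration line; the function name, the excluded profile names and the output fragment are assumptions. Because the agent runs as LocalSystem, nothing here relies on `%USERNAME%` being expanded by the service.

```powershell
# Added example: build explicit per-user <directories> entries for the OSSEC
# syscheck section instead of relying on %USERNAME%, which a service running as
# LocalSystem expands to COMPUTERNAME$ (as seen in Dan's log line).
# Function and parameter names are assumptions; the sub-path and the
# check_all/realtime attributes come from the configuration in the thread.
function Get-OssecUserAppDirectories {
    param(
        # Root of the user profiles; C:\Users on Windows Vista and later.
        [string]$ProfileRoot = 'C:\Users',
        # Relative path inside each profile that should be monitored.
        [string]$SubPath = 'AppData\Local\Apps\2.0',
        # Profile folders that belong to no interactive user and would only add
        # noise if they were ever matched (assumed list).
        [string[]]$Exclude = @('Public', 'Default')
    )

    # PSIsContainer rather than -Directory so this also runs on the
    # PowerShell 2.0 that ships with Windows 7.
    Get-ChildItem -Path $ProfileRoot |
        Where-Object { $_.PSIsContainer -and ($Exclude -notcontains $_.Name) } |
        ForEach-Object { Join-Path -Path $_.FullName -ChildPath $SubPath } |
        Where-Object { Test-Path -Path $_ -PathType Container } |
        ForEach-Object {
            # One element per user. OSSEC also accepts a comma-separated list in a
            # single element, but one per line is easier to review and diff.
            '    <directories check_all="yes" realtime="yes">{0}</directories>' -f $_
        }
}

# Wrap the generated elements in a <syscheck> fragment for pasting into ossec.conf.
$fragment = @('<syscheck>') + @(Get-OssecUserAppDirectories) + @('</syscheck>')
$fragment
```

Run this in an elevated PowerShell on the workstation, merge the emitted elements into the existing `<syscheck>` section of ossec.conf (do not add a second `<syscheck>` block alongside the existing one), and restart the OSSEC agent service so it re-reads the configuration. The list is a snapshot: a profile created after it was generated is not monitored until the script is re-run and the agent restarted, so on machines with changing user populations it needs to run on a schedule or at logon. The trade-off against Dan's alternative of monitoring C:\Users as a whole is fewer chaff alerts in exchange for that maintenance step.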
