On Thu, Mar 29, 2018 at 9:17 PM, Neeraj Shah <[email protected]> wrote:
> Hi all,
>
> I have configured the win_audit_rcl.txt file on my Windows agent to detect
> USB drive as per this URL:
> https://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/
> It is working as expected. I can see the message "USB Drive detected"
> make it to the archive.log file on the OSSEC server.
>
> What do I need to do next to make this msg display as an ALERT in the Web UI?
> Do we have to create a local_decoder.xml file or do we have to create a
> rule in local_rules.xml file? I am currently using Security Onion which
> has OSSEC server preinstalled.
You'll probably have to create a rule. I don't have a Windows install handy to get a log sample, so not a lot I can do. You can use /var/ossec/bin/ossec-logtest to help create a rule though.

> Likewise, similarly I am also getting some windows events forwarded from the
> "Power Shell" event group in Windows Event Viewer. I can see these events
> make it to the OSSEC server but I need them to show as an ALERT in the web
> ui. Won't the prebuilt Windows related rules/decoders that come along with
> OSSEC?

Create a rule.

> Thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
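For readers following this thread, here is the kind of local_rules.xml entry the reply is pointing at. It is an added example written for this page, not code from the thread or from the OSSEC project. It builds on two stock OSSEC rules that do exist: rule 510 (the generic rootcheck/Windows-audit event, level 7) and rule 18100 (the parent group for all Windows event-log entries). The rule IDs 100100 and 100101, the alert levels, and the assumption that the forwarded log text literally contains "USB Drive detected" and the channel name "Microsoft-Windows-PowerShell" are my choices, not facts from the page.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not from the thread).
     Local rule IDs must fall in the 100000-119999 range reserved for users. -->
<group name="local,windows,">

  <!-- Rootcheck (win_audit_rcl.txt) entries are first matched by stock rule 510.
       This child rule narrows it to the USB entry and raises the level so the
       event shows up as an alert rather than only in archives.log. -->
  <rule id="100100" level="10">
    <if_sid>510</if_sid>
    <match>USB Drive detected</match>
    <description>Removable USB storage device detected on Windows host.</description>
    <group>rootcheck,usb,</group>
  </rule>

  <!-- Windows event-log lines are first matched by stock rule 18100 (level 0,
       so nothing alerts by default). Assumption: the forwarded PowerShell
       events carry the channel name in the log text. -->
  <rule id="100101" level="6">
    <if_sid>18100</if_sid>
    <match>Microsoft-Windows-PowerShell</match>
    <description>PowerShell event log entry forwarded from Windows agent.</description>
    <group>powershell,</group>
  </rule>

</group>
```

To check the rule before restarting OSSEC, run /var/ossec/bin/ossec-logtest on the server and paste in the raw line copied from archives.log (without the leading timestamp and agent name that archives.log prepends). The "Phase 3" output should name rule 100100 or 100101 and the level you set; if it still reports 510 or 18100, the <match> text does not appear in the log line exactly as written and needs adjusting to what the sample actually contains. Only alerts at or above the server's log_alert_level (default 1) are written to alerts.log, which is what the web UI reads.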
