How to configure ossec.conf in windows agent for directory/file monitoring

Support/Development for OSSEC
krpiyush
New Forum User
Posts: 3
Joined: Mon Jul 05, 2021 6:39 am


Can anyone help me with how to configure ossec.conf in the Windows agent so that we can add a file or directory to be monitored?
For example, I want to monitor all the changes in the E drive.

I tried this, using this syntax <directories check_all="yes">E:\.</directories>, but no luck.

Thanks much.
cponton
Atomicorp Staff - Site Admin
Posts: 24
Joined: Fri Oct 09, 2020 9:41 am


<directories check_all="yes">E:\.</directories>

The \ should be a / so can you give that a try please?

<directories check_all="yes">e:/</directories>
krpiyush
New Forum User
Posts: 3
Joined: Mon Jul 05, 2021 6:39 am


Hi, Cponton,

I tried the suggested syntax; it is still not working. It is not even showing the changes for the default directory. I'm not sure, but it only shows the changes for the registry, like below.

+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4133
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA


What's your process for testing the agent?
krpiyush
New Forum User
Posts: 3
Joined: Mon Jul 05, 2021 6:39 am


Hi Mikeshinn,

For testing the agent on the Windows machine, I tried to change the content of the file (which is added for monitoring) by writing into it or deleting some content from it.

It is working fine in the Linux-based machine.

Mikeshinn, it would be very helpful if you could tell us: is this (file/directory monitoring) feature supported by the Windows OSSEC agent?
scott
Atomicorp Staff - Site Admin
Posts: 8349
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth


Yeah, works just fine on Windows. It will detect and report changes in real time on Windows for files and registries.
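
A small linter for the <directories> entries discussed in this thread, as an added example that is not part of any post and is not Atomicorp's or OSSEC's own code. Assumptions: the attribute list is a subset taken from the OSSEC syscheck documentation, the sample lines are constructed, and the backslash check only reflects the suggestion made in the thread.

```python
import re

# Subset of <directories> attributes from the OSSEC syscheck documentation;
# assumption: your agent version may accept others.
KNOWN_ATTRS = {"check_all", "check_sum", "check_md5sum", "check_sha1sum",
               "check_size", "check_owner", "check_group", "check_perm",
               "realtime", "report_changes", "restrict"}
OPEN_TAG = re.compile(r"<directories\b([^>]*)>")
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def lint_directories(conf_text):
    """Return (line_number, message) findings for <directories> entries."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = OPEN_TAG.search(line)
        if not m:
            continue
        attr_text, rest = m.group(1), line[m.end():]
        attrs = dict(ATTR.findall(attr_text))
        # Text left once name="value" pairs are removed is a malformed attribute.
        leftover = ATTR.sub("", attr_text).strip()
        if leftover:
            findings.append((lineno, f"malformed attribute text {leftover!r}"))
        for name in sorted(set(attrs) - KNOWN_ATTRS):
            findings.append((lineno, f"attribute {name!r} not in known list"))
        if "</directories>" not in rest:
            findings.append((lineno, "missing </directories> closing tag"))
        path = rest.split("<", 1)[0].strip()
        if "\\" in path:
            findings.append((lineno, "backslash in path (thread suggests '/')"))
        if attrs.get("realtime") != "yes":
            findings.append((lineno, "no realtime=\"yes\": change is reported "
                                     "at the next scheduled scan, not at once"))
    return findings

# Constructed sample: three ways of writing the same E: drive entry.
SAMPLE = r'''<syscheck>
  <directories check_all="yes">E:\.</directories>
  <directories check all="yes">e:/<directories>
  <directories check_all="yes" realtime="yes">E:/</directories>
</syscheck>'''

if __name__ == "__main__":
    for lineno, message in lint_directories(SAMPLE):
        print(f"line {lineno}: {message}")
```

Only the last sample entry passes without findings. An edited ossec.conf is read when the agent service starts, so restart the agent before testing a change.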