/var/ossec/queue/diff remains empty

Support/Development for OSSEC
MichelDBD
New Forum User
Posts: 1
Joined: Thu Aug 18, 2022 5:23 am


Post by MichelDBD

Hi,

I'm having an issue with a local rule to detect any USB device being connected.
I implemented the following one on the OSSEC server:

<rule id="100101" level="7">
  <if_sid>530</if_sid>
  <frequency>10</frequency>
  <match>ossec: output: 'reg QUERY</match>
  <check_diff />
  <description>USB device connected</description>
</rule>

After that, I wrote these lines in the agent's ossec.conf file:

<localfile>
  <log_format>full_command</log_format>
  <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum</command>
</localfile>

I restarted OSSEC and the host, but /var/ossec/queue/diff remains empty.
The connection between my host and the server is working, because I receive logon and other notifications.
There is no specific error message in ossec.log (in the agent's file I even see the message "ossec-logcollector: INFO: Monitoring full output of command(10): reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum") or in /var/ossec/logs/ossec.log.

Does anyone have an idea about this issue?

Cheers!
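Editor's note, as an added example that is not part of the original post or of the OSSEC code base: the script below is a simplified Python model of the two steps the posted rule depends on. The `<match>` string is a plain substring test against the event the agent sends, and `check_diff` only writes `queue/diff/<agent>/<rule_id>/last-entry` once the rule has matched (first match is stored silently, later matches alert only when the stored output differs). So an empty diff queue means the rule never matched the event, not that check_diff is broken. The log-wrapping format (`ossec: output: '<command>':` followed by the output), the agent name, the registry listings and the directory layout are constructed assumptions for illustration; on a real server, feeding the exact line from the agent to `/var/ossec/bin/ossec-logtest` is the way to confirm which rule fires.

```python
import difflib
import os
import tempfile

# Values taken from the posted rule and <localfile> block.
RULE_ID = 100101
MATCH_STRING = "ossec: output: 'reg QUERY"   # <match> is tested as a case-sensitive substring
COMMAND = r"reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum"


def full_command_log(command, output):
    """Approximation (assumption, not OSSEC source) of how the agent wraps full_command output."""
    return "ossec: output: '%s':\n%s" % (command, output)


def rule_matches(log_line):
    """Model of the rule's <match>: plain substring, no regex, case-sensitive."""
    return MATCH_STRING in log_line


def last_entry_path(queue_dir, agent, rule_id):
    """Assumed layout: <queue_dir>/<agent>/<rule_id>/last-entry."""
    return os.path.join(queue_dir, agent, str(rule_id), "last-entry")


def check_diff(queue_dir, agent, rule_id, log_line):
    """Model of <check_diff />. Returns (changed, unified_diff_lines).

    First match: store the output, no alert. Same output: no alert.
    Different output: overwrite and report the difference.
    """
    path = last_entry_path(queue_dir, agent, rule_id)
    if not os.path.exists(path):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(log_line)
        return False, []
    with open(path) as fh:
        previous = fh.read()
    if previous == log_line:
        return False, []
    diff = list(difflib.unified_diff(previous.splitlines(), log_line.splitlines(),
                                     "last-entry", "current", lineterm="", n=0))
    with open(path, "w") as fh:
        fh.write(log_line)
    return True, diff


def process_log(queue_dir, agent, log_line):
    """Run one event through match -> check_diff; returns (verdict, diff_lines)."""
    if not rule_matches(log_line):
        return "no_match", []          # nothing is ever written to the diff queue
    changed, diff = check_diff(queue_dir, agent, RULE_ID, log_line)
    return ("alert" if changed else "no_change"), diff


# Constructed registry listings: one USB disk, then a second one plugged in.
ENUM_ONE = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\USBSTOR\\Enum\n"
            "    Count    REG_DWORD    0x1\n"
            "    0    REG_SZ    USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\\0123456789&0\n")
ENUM_TWO = (ENUM_ONE.replace("0x1", "0x2") +
            "    1    REG_SZ    USBSTOR\\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\\ABCDEF&0\n")


def demo(queue_dir=None, agent="win-agent"):
    """Feed four constructed events; returns (verdicts, last_diff, last_entry_exists)."""
    if queue_dir is None:
        queue_dir = tempfile.mkdtemp(prefix="ossec-diff-")
    events = [
        full_command_log("dir C:\\", "..."),          # unrelated command: rule never matches
        full_command_log(COMMAND, ENUM_ONE),          # first match: stored, no alert
        full_command_log(COMMAND, ENUM_ONE),          # unchanged: no alert
        full_command_log(COMMAND, ENUM_TWO),          # new device: alert with diff
    ]
    results = [process_log(queue_dir, agent, ev) for ev in events]
    stored = os.path.exists(last_entry_path(queue_dir, agent, RULE_ID))
    return [verdict for verdict, _ in results], results[-1][1], stored


if __name__ == "__main__":
    verdicts, diff, stored = demo()
    print(verdicts, "last-entry stored:", stored)
    print("\n".join(diff))
```

The unrelated event in the demo never creates `last-entry`; the first real match creates it without alerting, which is why a freshly configured rule shows nothing until the command output changes. If the agent's actual event text differs from the `<match>` string by even a character (case, quoting, spacing), every event takes the `no_match` path and the queue stays empty.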