Atomicorp

Can anyone help me with how to configure ossec.conf in windows agent so that we can add a file or directory to be monitor.
for e.g: I want to monitor all the changes in the E drive.

i tried this,using this syntax <directories check_all="yes">E:\.</directories> but no-luck.

Thanks much.

<directories check_all="yes">E:\.</directories>

The \ should be a / so can you give that a try please?

<directories check all="yes">e:/<directories>

Hi, Cponton,

I tried the suggested syntax still, not working. It not even showing the changes for the default directory, not sure but It only shows the changes for the REGISTRY like below only.

+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config

Whats your process for testing the agent?

Hi Mikeshinn,

For testing the agent in the windows machine, I tried to change the content of the file(which is added for the monitoring) by writing into it or deleting some content from it.

It is working fine in the Linux-based machine.

Mikeshinn, It is very helpful, if you can tell us, is this(file/directory monitoring) feature supported by the Windows OSSEC agent ??

Yeah, works just fine on Windows, will detect and report changes in real time on windows for files and registries