Can anyone help me with how to configure ossec.conf in the Windows agent so that we can add a file or directory to be monitored?
For example: I want to monitor all the changes in the E drive.
I tried this, using this syntax <directories check_all="yes">E:\.</directories>, but no luck.
Thanks much.
How to configure ossec.conf in windows agent for directory/file monitoring
Re: How to configure ossec.conf in windows agent for directory/file monitoring
<directories check_all="yes">E:\.</directories>
The \ should be a / so can you give that a try please?
<directories check_all="yes">e:/</directories>
Re: How to configure ossec.conf in windows agent for directory/file monitoring
Hi, Cponton,
I tried the suggested syntax; it is still not working. It is not even showing the changes for the default directory. I am not sure, but it only shows the changes for the REGISTRY, like below.
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\Config
Re: How to configure ossec.conf in windows agent for directory/file monitoring
What's your process for testing the agent?
Michael Shinn
Atomicorp - Security For Everyone
Re: How to configure ossec.conf in windows agent for directory/file monitoring
Hi Mikeshinn,
For testing the agent on the Windows machine, I tried to change the content of the file (which is added for the monitoring) by writing into it or deleting some content from it.
It is working fine on the Linux-based machine.
Mikeshinn, it would be very helpful if you can tell us: is this (file/directory monitoring) feature supported by the Windows OSSEC agent?
Re: How to configure ossec.conf in windows agent for directory/file monitoring
Yeah, works just fine on Windows; it will detect and report changes in real time on Windows for files and registries.
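
Added example, not part of the thread and not OSSEC or Atomicorp code: a small Python check for the <directories> entries of an ossec.conf that flags the syntax points raised above (entries that are not well-formed, misspelled attributes, backslashes in paths). The function name, the sample config and the attribute list are assumptions made for illustration; realtime="yes" is OSSEC's own attribute but is not quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Attributes OSSEC documents for <directories>. Assumed list; it may not be
# exhaustive for every agent version.
KNOWN_ATTRS = {
    "check_all", "check_sum", "check_sha1sum", "check_md5sum", "check_size",
    "check_owner", "check_group", "check_perm", "realtime", "report_changes",
    "restrict",
}

def lint_directories(conf_text):
    """Return (line_no, message) findings for single-line <directories> entries."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        entry = line.strip()
        if not entry.startswith("<directories"):
            continue
        try:
            # Each entry is parsed on its own so one broken line does not
            # hide problems in the others.
            elem = ET.fromstring(entry)
        except ET.ParseError as exc:
            findings.append((no, f"not well-formed XML: {exc}"))
            continue
        for attr in sorted(set(elem.attrib) - KNOWN_ATTRS):
            findings.append((no, f"unknown attribute '{attr}'"))
        # OSSEC accepts a comma-separated list of paths in one entry.
        for path in (elem.text or "").split(","):
            if "\\" in path:
                findings.append(
                    (no, f"backslash in path '{path.strip()}'; the thread suggests '/'"))
    return findings

# Constructed sample config: a backslash path, a malformed entry (attribute
# typed without its underscore, closing tag without its slash), a clean entry.
SAMPLE = r"""<ossec_config>
  <syscheck>
    <directories check_all="yes">E:\.</directories>
    <directories check all="yes">e:/<directories>
    <directories check_all="yes" realtime="yes">E:/</directories>
  </syscheck>
</ossec_config>"""

if __name__ == "__main__":
    for no, msg in lint_directories(SAMPLE):
        print(f"line {no}: {msg}")
```

The check only looks at entries written on a single line and does not skip XML comments.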