Sorry, my initial comment was incorrect. You should specify, as you already
did I believe, the C:\Test_TPS path in the ossec.conf that's on your Windows
machine. Syscheck generally runs locally to each box so putting that on the
Ossec Server (Ubuntu) wouldn't do much. If you want to change the frequency,
however, you need to do that on the OSSEC server I believe.

On Wed, Sep 15, 2010 at 2:27 PM, Aamir Niazi <[email protected]> wrote:

> Also when I add that particular directory under syscheck in ossec.conf
> on the server, how does the server automatically know to check for
> that directory on the agent? And what if I had to check one directory
> on one agent and another on another agent, how do I specify which agent
> it should check the directory on?
>
> Much appreciate your input.
>
> Thanks
>
> On Wed, Sep 15, 2010 at 4:33 PM, Jeremy Lee <[email protected]> wrote:
> > Hi there,
> >
> > Welcome!
> >
> > It sounds like you want to do some integrity checking to notify you of any
> > changes to files in the C:\Test_TPS directory, correct? If so, it should be
> > pretty straightforward. You just need to edit the ossec.conf
> > (/var/ossec/etc/ossec.conf is the default path on your OSSEC server) and add
> > the following under the <syscheck> section:
> >
> > <directories check_all="yes">C:\Test_TPS</directories>
> >
> >
> >
> > Hope that helps!
> >
> > --Jeremy
> >
> > On Wed, Sep 15, 2010 at 1:22 PM, Aamir Niazi <[email protected]> wrote:
> >>
> >> Hello List, My first time writing to this list.
> >>
> >> I have OSSEC running on Ubuntu 10.4 and have Windows client machines.
> >> There is not much on the website regarding rules so I purchased the
> >> OSSEC book. But I am still confused about how to custom write
> >> rules to monitor specific directories. Let's say if I wanted to monitor
> >> C:\Test_TPS folder and files within this directory on the Windows
> >> machine, what would I have to do in order to make sure that client is
> >> configured for this and server is also monitoring this directory for
> >> any changes and integrity? If anyone can elaborate a little bit on
> >> this I would highly appreciate it. FYI I am a *nix newbie.
> >>
> >> Thanks a lot in advance.
> >>
> >> --
> >> Best Regards,
> >>
> >> Aamir Niazi
> >
> >
>
>
>
> --
> Best Regards,
>
> Aamir Niazi
> Senior Security Analyst
>
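
An added example, not part of this thread or of OSSEC itself: a small Python check built on the point above that syscheck runs locally on each box. It lists the `<directories>` entries in an ossec.conf and flags paths whose style does not match the OS of the machine holding that file. The sample config, the function names and the path-style heuristic are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a server-side (Ubuntu) ossec.conf that also carries the
# Windows path from the thread. Real files often hold several <ossec_config>
# blocks, so the text is not a single-rooted XML document.
SAMPLE_SERVER_CONF = r"""
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
    <directories check_all="yes">C:\Test_TPS</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_sum="yes">/var/www</directories>
  </syscheck>
</ossec_config>
"""

# Heuristic (assumption): drive-letter or %VAR% prefixes mark a Windows path.
WINDOWS_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|%[A-Za-z]+%)")

def syscheck_directories(conf_text):
    """Return [(path, options)] for every <directories> entry under <syscheck>."""
    # Wrap in a synthetic root so multiple <ossec_config> blocks parse.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for node in root.iter("syscheck"):
        for d in node.findall("directories"):
            for path in (d.text or "").split(","):  # comma-separated list
                if path.strip():
                    entries.append((path.strip(), dict(d.attrib)))
    return entries

def misplaced_paths(conf_text, local_os):
    """Paths whose style does not match the box that owns this ossec.conf."""
    out = []
    for path, _ in syscheck_directories(conf_text):
        is_win = bool(WINDOWS_PATH.match(path))
        if is_win != (local_os == "windows"):
            out.append(path)
    return out

if __name__ == "__main__":
    for p in misplaced_paths(SAMPLE_SERVER_CONF, "linux"):
        print("not a local path on this box:", p)
```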
