Hi Dan, Yes, it crashes after that error. I get a pop up on the Windows machine stating something along the lines of "OSSEC has detected an error and has failed to start". After that error in ossec.log, the program "crashes" and i don't see it connected on the server too. Seems this behavior is common across all Win2k. Any ideas?
Thanks! George On Jul 22, 10:35 pm, Daniel Cid <[email protected]> wrote: > It shouldn't cause any issues to the agent, besides the warning. Is it > crashing after that error? > > Thanks, > > On Fri, Jul 22, 2011 at 7:11 AM, GeorgeY <[email protected]> wrote: > > Hi, > > > I enabled USB auditing using the guide displayed in the following > > link: > >http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#de... > > > It seems to be working well. However, I noticed one thing on Win2k > > based machines... > > The OSSEC service fails to start when it is enabled... > > Here is what is shown in the ossec.log on the Win2k machine > > > ossec-agent: ERROR: Unable to execute command: 'reg QUERY HKLM\SYSTEM > > \CurrentControlSetEnum\USBSTOR'. > > > I am guessing Win2k machines do not have this key. However, is there a > > way to make it ignore if the key doesn't exist so that the OSSEC > > service can continue to start? > > > Or do I need to specify another class of OS type in my agent.conf? > > i.e. <agent_config os="Windows 2000"> > > > Thanks in advance. > > George
