Hi Dan/all,

Anyone face the same issue and any resolution tips?

Thanks,
George

On Jul 25, 10:38 am, GeorgeY <[email protected]> wrote:
> Hi Dan,
>
> Yes, it crashes after that error. I get a pop up on the Windows
> machine stating something along the lines of "OSSEC has detected an
> error and has failed to start". After that error in ossec.log, the
> program "crashes" and I don't see it connected on the server too.
> Seems this behavior is common across all Win2k. Any ideas?
>
> Thanks!
> George
>
> On Jul 22, 10:35 pm, Daniel Cid <[email protected]> wrote:
>
> > It shouldn't cause any issues to the agent, besides the warning. Is it
> > crashing after that error?
>
> > Thanks,
>
> > On Fri, Jul 22, 2011 at 7:11 AM, GeorgeY <[email protected]> wrote:
> > > Hi,
>
> > > I enabled USB auditing using the guide displayed in the following
> > > link:
> > >http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#de...
>
> > > It seems to be working well. However, I noticed one thing on Win2k
> > > based machines...
> > > The OSSEC service fails to start when it is enabled...
> > > Here is what is shown in the ossec.log on the Win2k machine
>
> > > ossec-agent: ERROR: Unable to execute command: 'reg QUERY HKLM\SYSTEM
> > > \CurrentControlSetEnum\USBSTOR'.
>
> > > I am guessing Win2k machines do not have this key. However, is there a
> > > way to make it ignore if the key doesn't exist so that the OSSEC
> > > service can continue to start?
>
> > > Or do I need to specify another class of OS type in my agent.conf?
> > > i.e. <agent_config os="Windows 2000">
>
> > > Thanks in advance.
> > > George
