> > > ossec.conf or agent.conf depending on how you want to do it. I'll make
> > > sure this is mentioned earlier in the documentation.
> >
> > I am working on an Ubuntu server and I have a Windows client. I want to get a log whenever someone inserts a USB device into the client system. When do we use ossec.conf or agent.conf to add new definitions? How do we choose between them?
> > And you've restarted the agent's ossec processes?
> >
> > Yes, after adding the code, I restarted the server (-restart) and also the client ossec agent. I checked, ossec.agent with the added rule was pushed automatically. Then I inserted a USB device into the Windows client. But there was no LOG for USB detection and no such message in the Web Interface, though the web interface was showing alerts whenever I logged in successfully to the Windows client (it shows they are connected properly).
> >
> > (2) Added the following to the local rules:
> >
> > > >     <rule id="140125" level="7">
> > > >       <if_sid>530</if_sid>
> > > >       <match>ossec: output: 'reg QUERY</match>
> > > >       <check_diff />
> > > >       <description>New USB device connected</description>
> > > >     </rule>
> >
> > Main problem: I got no GROUP NAME for this rule, so I added this rule inside the predefined group
> > <group name="local,syslog,">. Is it the right thing to do?
> >
> > Did you try it without putting it inside of those group tags?
>
> Yes, it's fine.
>
> > > OR I need to place it somewhere else in this file. Please help.
> > >
> > > Kindly tell if I need to make any other change too.
> >
> > Yes, I tried putting it outside them. It gives an ERROR when I put the -restart command in the terminal. I thought it was due to the missing group name, so then I gave it an arbitrary group name:
> >
> > >     <group name="USB">
> > >       <rule id="140125" level="7">
> > >         <if_sid>530</if_sid>
> > >         <match>ossec: output: 'reg QUERY</match>
> > >         <check_diff />
> > >         <description>New USB device connected</description>
> > >       </rule>
> > >     </group>
> >
> > Then there was no error, but again no such event was detected even after the restart. Please help.
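For reference, here is the complete pair of fragments that this kind of setup needs on the OSSEC server: the command-monitoring entry that generates the `ossec: output: 'reg QUERY...'` events (rule 530) on the Windows agent, and the local rule that alerts when that output changes. This is an added example written for this thread, not code from the thread participants or from the OSSEC project; the `os="Windows"` attribute, the `USBSTOR` registry path, the 60-second `<frequency>`, and the file paths are assumptions for illustration.

```xml
<!-- Server side, shared with Windows agents: /var/ossec/etc/shared/agent.conf
     (assumed path). The os="Windows" selector and the USBSTOR key are assumptions
     for this example. full_command reports the whole command output as one event
     of the form: ossec: output: '<command>': <output> -->
<agent_config os="Windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <!-- How often the command runs, in seconds (assumed value; the default
         interval is longer, so an alert is never immediate on insertion). -->
    <frequency>60</frequency>
  </localfile>
</agent_config>

<!-- Server side: /var/ossec/rules/local_rules.xml (assumed path).
     Every <rule> must sit inside a <group>; the group name is free-form,
     which is why an arbitrary name such as "USB" loads without error. -->
<group name="local,usb,">
  <rule id="140125" level="7">
    <!-- 530 is the generic "ossec: output:" command-monitoring rule -->
    <if_sid>530</if_sid>
    <match>ossec: output: 'reg QUERY</match>
    <!-- alert only when the output differs from the previously stored run -->
    <check_diff />
    <description>New USB device connected</description>
  </rule>
</group>
```

Two things to check when no alert appears after a restart: first, `check_diff` only fires when the command output differs from the output stored on the previous run, so the first execution after a restart records a baseline and the alert can only show up on a later run, up to one `<frequency>` interval after the device is inserted. Second, confirm the event reaches the server at all by pasting one of the agent's `ossec: output: 'reg QUERY ...` lines into `/var/ossec/bin/ossec-logtest`; if it does not decode to rule 530 there, the `<match>` string in the local rule is never tested and the problem lies in the agent.conf delivery rather than in the rule.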