>
>
> This is for configuration changes, not rules:
> Your choice. If you want to use the agent.conf change it there. If you
> have a good change management system, changing the ossec.conf might be
> good enough.
>
> The OSSEC server does not use the agent.conf though, so if you're
> setting up something for the OSSEC server it'll have to be in that
> system's ossec.conf.
>
>
(1) I have added the following code to /var/ossec/etc/shared/agent.conf:

<agent_config os="Windows">
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
    <alias>usb-check</alias>
  </localfile>
</agent_config>

(2) Created the following rule in /var/ossec/rules/local_rules.xml:

<rule id="140125" level="7">
  <if_sid>530</if_sid>
  <match>ossec: output: 'usb-check':</match>
  <check_diff />
  <description>New USB device connected</description>
</rule>

Resource: http://www.ossec.net/doc/faq/alerts.html (it is not clearly
mentioned there where we actually have to make the changes. Please
update.)



> The rule won't be pushed to the agents. The
> /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
> date on the agent (if it's Windows it's probably c:\program
> files\ossec\shared\agent.conf or something).
>
>
>
> Do you have email alerts enabled? If not, check the alerts.log file on
> the server. I don't trust the WUI.
>
>
/var/ossec/etc/shared/agent.conf has been correctly pushed to the Windows
client. Both client and server have 12 files in total (after adding the
above 2 changes) in the /var/ossec/etc/shared/ folder, and the contents
are the same too. Hence, they are updated. No problems there.

No, I don't have email alerts enabled. I checked the alerts.log file; it's
the same as the WUI (only logon success alerts are being displayed).

Though I am getting a few problems in ossec.log:
WARN: Message from x.x.x.x. not allowed.
ERROR: Error executing query 'INSERT INTO data(id,......)
ERROR: Connecting to database 'localhost'


Regards
Sahil.
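The rule in this thread only fires when <check_diff /> sees the usb-check command output change from the previously stored output, so on a host whose USBSTOR list never changes no alert is expected. The following Python script is an added example written for this thread, not code from the poster or from the OSSEC project: it models the <match> plus <check_diff /> evaluation of rule 140125 over constructed full_command events in the "ossec: output: 'alias': ..." shape that logcollector produces. It assumes an in-memory dict as a stand-in for OSSEC's on-disk diff store and treats the first observation as the baseline only; OSSEC's exact first-run behaviour is not reproduced.

```python
import re

# Rule definition taken from the thread's local_rules.xml entry.
RULE_ID = 140125
RULE_LEVEL = 7
RULE_MATCH = "ossec: output: 'usb-check':"
RULE_DESCRIPTION = "New USB device connected"

# Shape of a decoded full_command event as logcollector emits it:
# the alias comes from <alias>, the remainder is the command's output.
EVENT_RE = re.compile(
    r"^ossec: output: '(?P<alias>[^']+)':\s?(?P<output>.*)$", re.S
)


class CheckDiffRule:
    """Minimal model of <match> + <check_diff /> for a single rule."""

    def __init__(self):
        # alias -> last output seen; stands in for OSSEC's on-disk diff store
        self._last = {}

    def evaluate(self, event):
        """Return an alert dict when the rule would fire, otherwise None."""
        if RULE_MATCH not in event:  # the <match> test
            return None
        m = EVENT_RE.match(event)
        if m is None:
            return None
        alias = m.group("alias")
        output = m.group("output").strip()
        previous = self._last.get(alias)
        self._last[alias] = output
        if previous is None:
            # First observation only establishes the baseline (simplification;
            # OSSEC's own first-run behaviour is not modelled here).
            return None
        if previous == output:  # <check_diff />: unchanged output, no alert
            return None
        old_lines = set(previous.splitlines())
        new_lines = set(output.splitlines())
        return {
            "rule_id": RULE_ID,
            "level": RULE_LEVEL,
            "description": RULE_DESCRIPTION,
            "alias": alias,
            "added": sorted(new_lines - old_lines),
            "removed": sorted(old_lines - new_lines),
        }


def run_events(events):
    """Feed events through the rule in order; return the alerts raised."""
    rule = CheckDiffRule()
    return [a for a in (rule.evaluate(e) for e in events) if a is not None]


# Constructed sample events, not captured from a real agent.
USBSTOR = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
BASELINE = USBSTOR + "\n" + USBSTOR + "\\Disk&Ven_ExampleA&Prod_Stick&Rev_1.00"
NEW_DEVICE_KEY = USBSTOR + "\\Disk&Ven_ExampleB&Prod_Drive&Rev_2.00"
WITH_NEW_DEVICE = BASELINE + "\n" + NEW_DEVICE_KEY

SAMPLE_EVENTS = [
    "ossec: output: 'usb-check': " + BASELINE,         # first run: baseline only
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): ...",    # unrelated logon event
    "ossec: output: 'usb-check': " + BASELINE,         # same output: no alert
    "ossec: output: 'usb-check': " + WITH_NEW_DEVICE,  # changed output: alert
]

if __name__ == "__main__":
    for alert in run_events(SAMPLE_EVENTS):
        print(alert)
```

Running it raises exactly one alert, on the fourth event, listing the newly added USBSTOR key; the repeated identical output on the third event produces nothing, which is the behaviour to expect from the rule on a machine where no new USB device has been plugged in since the previous run.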
