On Jun 22, 2012 6:16 AM, "sahil sharma" <sharmasahil0...@gmail.com> wrote:
>>
>>
>> This is for configuration changes, not rules:
>> Your choice. If you want to use the agent.conf change it there. If you
>> have a good change management system, changing the ossec.conf might be
>> good enough.
>>
>> The OSSEC server does not use the agent.conf though, so if you're
>> setting up something for the OSSEC server it'll have to be in that
>> system's ossec.conf.
>>
>
> (1) I have added the following code to /var/ossec/etc/shared/agent.conf
>

As is documented in the full_command documentation, this has to go in the agent's ossec.conf. I apologize, I forgot about this restriction.

> <agent_config os="Windows">
>
> <localfile>
> <log_format>full_command</log_format>
> <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
> <alias>usb-check</alias>
> </localfile>
>
> </agent_config>
>
> (2) Created the following rule in /var/ossec/rules/local_rules.xml :
>
> <rule id="140125" level="7">
>
> <if_sid>530</if_sid>
> <match>ossec: output: 'usb-check':</match>
> <check_diff />
> <description>New USB device connected</description>
>
> </rule>
>
> Resource: http://www.ossec.net/doc/faq/alerts.html (nothing here has clearly mentioned where we actually have to make the changes. Please update)

The documentation about full_command mentions ossec.conf. I don't think this needs to be repeated.

>
>> The rule won't be pushed to the agents. The
>> /var/ossec/etc/shared/agent.conf will be. Make sure that file is up to
>> date on the agent (if it's Windows it's probably c:\program
>> files\ossec\shared\agent.conf or something).
>>
>>
>>
>> Do you have email alerts enabled? If not, check the alerts.log file on
>> the server. I don't trust the WUI.
>>
>
> /var/ossec/etc/shared/agent.conf has been correctly pushed to the Windows client. Both
> client and server have a total of 12 files (after adding the above 2 changes) in the /var/ossec/etc/shared/
> folder and the contents are the same too. Hence, they are updated. No problems in that.
>
> No, I don't have email alerts enabled. Checked the alerts.log file, it's the same as the WUI (only
> logon success alerts are being displayed).
>
> Though I am getting a few problems in ossec.log:
> WARN: Message from x.x.x.x. not allowed.
> ERROR: Error executing query 'INSERT INTO data(id,......)
> ERROR: Connecting to database 'localhost'
>
>
> Regards
> Sahil.
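As an added illustration (not code from the thread or from OSSEC), here is a small Python model of what the usb-check rule above does once the full_command block lives in the agent's ossec.conf: the server keeps the last command output per rule and `<check_diff />` only lets rule 140125 fire when the output changes. The `reg QUERY` output is constructed sample data, and the first run is assumed to store a baseline without alerting.

```python
"""Model of the usb-check rule from the thread: <check_diff /> fires rule 140125
only when the full_command output differs from the output stored at the last
match. Added example, not OSSEC code; the reg QUERY output is constructed."""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample output of: reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
SNAPSHOT_1 = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00
"""
# Same machine after a second stick has been plugged in (constructed)
SNAPSHOT_2 = SNAPSHOT_1 + r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02
"""

_USBSTOR_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\(\S+)\s*$", re.M)


def device_keys(output: str) -> Set[str]:
    """Subkeys under USBSTOR: one per USB storage device Windows has enumerated."""
    return set(_USBSTOR_KEY.findall(output))


class CheckDiffRule:
    """Rule with <match> on the alias plus <check_diff />; remembers the last output."""

    def __init__(self, alias: str, alert_on_first: bool = False) -> None:
        self.prefix = "ossec: output: '%s':" % alias   # the string rule 140125 matches
        self.alert_on_first = alert_on_first           # assumption: first run only stores a baseline
        self.last_output: Optional[str] = None

    def evaluate(self, log_line: str) -> Tuple[bool, Set[str]]:
        """Return (alert fires?, device keys new since the stored output)."""
        if not log_line.startswith(self.prefix):
            return False, set()
        output = log_line[len(self.prefix):]
        previous, self.last_output = self.last_output, output
        if previous is None:            # nothing stored yet
            return self.alert_on_first, device_keys(output) if self.alert_on_first else set()
        if output == previous:          # identical output: check_diff suppresses the alert
            return False, set()
        return True, device_keys(output) - device_keys(previous)


def simulate(snapshots: List[str]) -> List[List[str]]:
    """Feed successive command outputs through the rule; return the new devices per alert."""
    rule = CheckDiffRule("usb-check")
    alerts = []
    for snap in snapshots:
        fired, new = rule.evaluate(rule.prefix + snap)
        if fired:
            alerts.append(sorted(new))
    return alerts
```

Unchanged output between runs produces no alert, which is why the rule stays quiet until a device Windows has not seen before appears under USBSTOR.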