This will be my last email in this thread. I'm not interested in
trying to help someone who is making that task as difficult as
possible. You are unwilling to troubleshoot or apply any thought to
the problem, or help me help you fix the problem.

Good luck!

On Tue, Jun 26, 2012 at 2:32 PM, sahil sharma <sharmasahil0...@gmail.com> wrote:
> Ok, I guess you are very right. I guess I am a bit confused of terminology,
> now getting step by step.
>
> All I have is :
> 1) a central server: ubuntu virtual machine.
> 2) a client: windows
>
> I want to:
> 1)Detect when someone inserts USB into the client system.
>    ---->I am badly confused where to make changes to implement this.
>    ----> I have 3 places :-
>             (1) On client's ossec itself: C/Prog file(x86)>ossec>ossec
> config : Seems to be bad option to add instruction at a client which itself
> has to be monitored. So I guess it's wrong and once I add anything to this
> file, I am unable to START/RESTART agent at win.

I have answered this. The changes need to be made in the agent's
ossec.conf. There should be no confusion at this point.

>              (2) ossec at server: var/ossec (don't remember exact path).
> Adding changing to this, restarting the server I see no USB alert.
>
> Sorry, but I don't know why it's not working, if you say I can attach the
> exact files where I have made the changes.
>

I told you what I would have needed to help you. Hopefully someone
else with more patience will be willing to do the job of your
administrator.

> Would be a great help.
>
> On Tue, Jun 26, 2012 at 4:02 PM, dan (ddp) <ddp...@gmail.com> wrote:
>>
>>
>> On Jun 26, 2012 6:30 AM, "sahil sharma" <sharmasahil0...@gmail.com> wrote:
>> >
>> > Hi
>> >
>> > When I change config at client side, the OSSEC Agent Manager at client's
>> > status is always :stopped.
>> > I tried re-installing, restarting it numerous times.
>> >
>> > Please help.
>> >
>>
>> How? You didn't provide the error messages or configuration. Without those
>> 2 things all I can do to help is tell you to fix your configuration.
>>
>> Why are you making this so difficult?
>>
>> > On Mon, Jun 25, 2012 at 1:40 AM, dan (ddp) <ddp...@gmail.com> wrote:
>> >>
>> >>
>> >> On Jun 24, 2012 3:36 PM, "sahil sharma" <sharmasahil0...@gmail.com>
>> >> wrote:
>> >> >
>> >> >
>> >> >
>> >> > On Fri, Jun 22, 2012 at 3:58 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> >> >>
>> >> >>
>> >> >> On Jun 22, 2012 6:16 AM, "sahil sharma" <sharmasahil0...@gmail.com>
>> >> >> wrote:
>> >> >> >>
>> >> >> >>
>> >> >> >> This is for configuration changes, not rules:
>> >> >> >> Your choice. If you want to use the agent.conf change it there.
>> >> >> >> If you have a good change management system, changing the
>> >> >> >> ossec.conf might be good enough.
>> >> >> >>
>> >> >> >> The OSSEC server does not use the agent.conf though, so if you're
>> >> >> >> setting up something for the OSSEC server it'll have to be in
>> >> >> >> that system's ossec.conf.
>> >> >> >>
>> >> >> >
>> >> >> >     (1)    I have added following code to
>> >> >> > >var>ossec>etc>shared>agent.conf
>> >> >> >
>> >> >>
>> >> >> As is documented in the full_command documentation, this has to go
>> >> >> in the agent's ossec.conf. I apologize, I forgot about this
>> >> >> restriction.
>> >> >
>> >> >
>> >> > Please clarify on this: I have to add the following code in agent's
>> >> > ossec.conf, i.e. I have a win7 agent so I must add it to
>> >> > >c>prog_files(x86)>ossec>ossec(config) ????  If yes, then do I need to put
>> >> > <agent_config os="Windows"> at start or not?
>> >> >
>> >>
>> >> I guess that's the file. I don't do much with Windows. You do not need
>> >> to add that, since this isn't the agent.conf.
>> >>
>> >> > 1) Do I need to remove this code  from
>> >> > >var>ossec>etc>shared>agent.conf where I had previously added it?
>> >>
>> >> There's no good reason to have it there.
>> >>
>> >> > 2) Changing config at client side gives unusual problem in client's
>> >> > ossec agent which then display (check config:warning) when I
>> >> >     try to start/stop/restart the client ossec agent.
>> >>
>> >> What did you add? Where did you add it? Cryptically telling me you got
>> >> an error doesn't do anyone any good. Maybe you should consult a sysadmin,
>> >> or someone else with technical skills.
>> >>
>> >> > 3) Whats diff in adding in these two different files?
>> >> >>
>> >> >> >         <agent_config os="Windows">
>> >> >> >
>> >> >> >   <localfile>
>> >> >> >     <log_format>full_command</log_format>
>> >> >> >     <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
>> >> >> >     <alias>usb-check</alias>
>> >> >> >   </localfile>
>> >> >> >
>> >> >> > </agent_config>
>> >> >
>> >> >
>> >> >>
>> >> >> Regards, Sahil.
>> >> >
>> >> >
>> >
>> >
>
>
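
The placement problem discussed in this thread, as an added example that is not part of the original emails and not OSSEC's own tooling: a small Python lint that checks an agent's ossec.conf for a well-formed full_command block sitting under `<ossec_config>` without the `<agent_config>` wrapper used in agent.conf. The function name, the synthetic root element and the sample configs are constructed for illustration, and Python's XML parser is assumed to be a close enough stand-in for OSSEC's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the block from the thread, still wrapped as for agent.conf.
WRAPPED = r"""<ossec_config>
  <agent_config os="Windows">
    <localfile>
      <log_format>full_command</log_format>
      <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
      <alias>usb-check</alias>
    </localfile>
  </agent_config>
</ossec_config>"""
# Constructed variants: wrapper removed, and a fragment with a missing closing tag.
FIXED = WRAPPED.replace('<agent_config os="Windows">', "").replace("</agent_config>", "")
BROKEN = FIXED.replace("</localfile>", "")


def lint_ossec_conf(text):
    """Return a list of problems with full_command blocks in an agent's ossec.conf."""
    try:
        # Parse under a synthetic root (hypothetical name) so several
        # top-level sections in one file are accepted.
        root = ET.fromstring("<lint_root>" + text + "</lint_root>")
    except ET.ParseError as exc:
        return ["not well-formed: %s" % exc]
    parents = {child: parent for parent in root.iter() for child in parent}
    blocks = [lf for lf in root.iter("localfile")
              if (lf.findtext("log_format") or "").strip() == "full_command"]
    problems = [] if blocks else ["no full_command <localfile> block found"]
    for lf in blocks:
        alias = (lf.findtext("alias") or "?").strip()
        # Collapse whitespace so a command wrapped by a mail client still reads as one line.
        if not " ".join((lf.findtext("command") or "").split()):
            problems.append(alias + ": empty <command>")
        ancestors, node = [], lf
        while node in parents:
            node = parents[node]
            ancestors.append(node.tag)
        if "agent_config" in ancestors:
            problems.append(alias + ": wrapped in <agent_config>, which is only for agent.conf")
        if "ossec_config" not in ancestors:
            problems.append(alias + ": not inside <ossec_config>")
    return problems


if __name__ == "__main__":
    for name, conf in (("wrapped", WRAPPED), ("fixed", FIXED), ("broken", BROKEN)):
        print(name, lint_ossec_conf(conf) or "ok")
```

Running such a check before restarting the agent surfaces a malformed edit as a parse error rather than as an agent that stays stopped.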
