I am new to OSSEC. I have been working through the OSSEC HIDS Guide book to
learn enough to demonstrate its capabilities to my management. I have a
couple of questions regarding the Windows Agent to Linux Manager
communication.
*Question 1:* Is there a place where I can see the events generated by the
Agent on the Manager side?
- The reason for this question is that the ossec.log file shows
entries that I can't prove show up as events to the manager, like the
following log:
"2013/08/07 10:10:23 ossec-agent: WARN: Error opening directory: 'C:\boot.ini': No such file or directory"
When I run the ossec-logtest with the above log entry, rule 1002
fires because of the word "Error":
**Phase 3: Completed filtering (rules).
Rule id: '1002'
Level: '2'
Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.
But when the OSSEC service is running and I receive this log entry on the
Agent's side, the alert is not generated on the manager. So, does every
error-type log entry on the agent side show up on the manager side? The
event doesn't seem to appear in the manager's ossec.log file. Is there a way
to verify that the event made it to the manager?
*Question 2:* I am trying to create a simple demo showing:
1. How a file added to the Windows system32 directory would generate an alert
2. How modifying an existing or adding a new Registry key would generate an alert
I am not having much luck with either task. I have tried my hand at writing
decoders and rules. Apparently, I don't fully understand the process. Am I
going about this all wrong? Is there an easier way to demonstrate OSSEC's
ability to alert for added or changed system files or registry items? I
want to generate alerts by doing something harmless to my PC. I don't want
to load a virus onto my desktop. Any help would be appreciated.
Thank you
Doug
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
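As an added example (not from Doug's post, and not a file shipped by the OSSEC project), here is the kind of syscheck configuration his second question is after: a syscheck block for the Windows agent's ossec.conf that watches the System32 directory and two registry keys, plus the manager-side setting that makes newly added files alert. The 300-second frequency and the particular registry keys are illustrative choices for a demo, not recommended production values.

```xml
<!-- 1) Windows agent: syscheck section of the agent's ossec.conf -->
<ossec_config>
  <syscheck>
    <!-- Seconds between full scans. OSSEC's default is 79200 (22 hours);
         lowered here (demo value) so a change is picked up within minutes. -->
    <frequency>300</frequency>

    <!-- Watch System32 with every check enabled (size, permissions, owner,
         md5, sha1). Creating a harmless text file in this directory is
         enough to produce a "file added" alert after the next scan. -->
    <directories check_all="yes">%WINDIR%/System32</directories>

    <!-- Skip the constantly changing log files under System32 -->
    <ignore>%WINDIR%/System32/LogFiles</ignore>

    <!-- Registry keys to monitor (demo choices). Adding a value under Run,
         or changing the data of an existing value, yields a registry alert. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  </syscheck>
</ossec_config>

<!-- 2) Linux manager: /var/ossec/etc/ossec.conf. By default the manager
     alerts on changed and deleted files but stays quiet about new ones,
     so the "file added to system32" demo needs this switched on. -->
<ossec_config>
  <syscheck>
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>

<!-- The resulting alerts (file added / checksum changed / registry entry
     changed) are written on the manager to /var/ossec/logs/alerts/alerts.log,
     which is also the place to look when checking whether an agent event
     reached the manager at all. -->
```

Restart the agent service and the manager (`/var/ossec/bin/ossec-control restart`) after editing either file, then make the test change and wait for the next scan.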