Thank you David. I had only been looking at the alerts.log and archives.log for feedback. It didn't occur to me that there were other great tools to replace what I was doing by hand. Also I will try out your suggestion from question 2. Thanks again for the feedback.
Doug

On Tuesday, August 13, 2013 9:11:48 AM UTC-7, David Blanton wrote:
> Hi Doug,
>
> > *Question 1:* Is there a place where I can see the events generated by the Agent on the Manager side?
> >
> > - The reason for this question is that the ossec.log file shows entries that I can't prove show up as events to the manager. Like the following log:
>
> If this is for demonstration purposes, I would look into using the OSSEC Web UI. It's a great place to start to show a more holistic view of events on the network.
> OSSIM and Splunk are great as well. They have the ability to do custom search queries, generate graphs based on network data, and can partition servers, events, and data based on 'dashboards'. As Michael said, logall would be the best option for you right now.
>
> > *Question 2:* I am trying to create a simple demo showing:
> >
> > 1. How a file added to Windows' system32 directory would generate an alert
> > 2. How modifying an existing or adding a new Registry key would generate an alert
>
> I am not too familiar with Windows, but you could always write a decoder and a rule to alert on this. Try using the <localfile> within the ossec.conf (or equivalent) file on the Windows agent. Monitor the file(s) to which registries are logged. You can have several <localfile> tags to cover all your paths. Look into writing a decoder that will parse through the registries and a rule that will fire an alert when it happens. If you can give me the log I would be more than happy to help you (give it my best shot).
>
> The syscheck and directories check does have a report_changes and real_time, however, report_changes is only available to Unix/Linux-like OS.
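As an added example (not from either poster in this thread), here is how the two demo cases in Question 2 can be covered with syscheck alone, without writing a decoder: a syscheck fragment for the Windows agent's ossec.conf that watches System32 in real time plus two registry keys, and the manager-side settings needed for "file added" to actually alert. The directory, ignore paths and registry keys are placeholder choices for the demo; `%WINDIR%`, the `realtime` attribute, `<windows_registry>`, `<alert_new_files>` and rule 554 are standard OSSEC 2.x syscheck features, and `report_changes` is deliberately left out because, as David notes, it is Unix-only.

```xml
<!-- Agent side: syscheck block in the Windows agent's ossec.conf (example config, not from the thread). -->
<syscheck>
  <!-- Full scan interval in seconds; realtime below catches System32 changes between scans. -->
  <frequency>3600</frequency>

  <!-- Demo case 1: files added to or changed in System32.
       check_all = hash + size + owner + permissions; realtime = report without waiting for the next scan. -->
  <directories check_all="yes" realtime="yes">%WINDIR%/System32</directories>

  <!-- Skip subtrees that churn constantly, or the demo drowns in noise (placeholder paths). -->
  <ignore>%WINDIR%/System32/LogFiles</ignore>
  <ignore>%WINDIR%/System32/config</ignore>

  <!-- Demo case 2: registry keys. Registry entries are compared on each scan, not in real time. -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
</syscheck>

<!-- Manager side, part 1: syscheck block in the manager's ossec.conf.
     Without alert_new_files, a file *added* to System32 is stored in the database but never raised as an event. -->
<syscheck>
  <alert_new_files>yes</alert_new_files>
</syscheck>

<!-- Manager side, part 2: rules/local_rules.xml.
     Rule 554 ("File added to the system") ships at level 0, i.e. silent; raise it so the demo shows an alert. -->
<group name="syscheck,">
  <rule id="554" level="7" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>
```

After restarting the agent and the manager, dropping a file into System32 should show up in alerts.log (the file Doug was already tailing) under rule 554, a modified existing file under rule 550 ("Integrity checksum changed"), and a changed Run key under the registry rules in syscheck_rules.xml once the next scheduled scan runs. The first scan after enabling alert_new_files only builds the baseline, so start the demo from the second scan onward.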
