This has worked for me: C:\Windows\System32\cmd.exe

Typically I stand up a basic Windows syscheck like this:

<agent_config>
  <syscheck>
    <auto_ignore>no</auto_ignore>
    <alert_new_files>yes</alert_new_files>
    <scan_on_start>yes</scan_on_start>
    <directories realtime="yes" check_all="yes">c:\windows\system32</directories>
    <directories realtime="yes" check_all="yes">c:\windows\syswow64</directories>
  </syscheck>
</agent_config>

Hope that helps sir

On Friday, January 16, 2015 at 8:45:08 AM UTC-5, alex petrov wrote:
>
> Hello. Please tell me how out of the way to get the file name of the file.
> Example C:\Windows\System32\cmd.exe or C:\Windows\System32\..\..\..\ ... cmd.exe need cmd.exe
>
> Does ossec not support grouping regular expressions?
>
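Added example, not part of the thread or of OSSEC itself: the asker's path forms, normalised the way Windows resolves `..` components, with the bare file name extracted and a check of whether the resolved path still lies under the monitored system32 directory. It uses Python's ntpath so it runs on any platform; the sample paths are constructed from the question.

```python
import ntpath

# Constructed samples in the shape of the thread's question (not OSSEC output).
SAMPLES = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\..\..\..\Windows\System32\cmd.exe",
    r"C:\Windows\System32\..\..\..\...\cmd.exe",
]


def canonical_path(path: str) -> str:
    """Collapse '.' and '..' components as NT path rules do, then lower-case
    for case-insensitive comparison. '...' is not special on NT; ntpath treats
    it as an ordinary directory name, so it survives normalisation."""
    return ntpath.normpath(path).lower()


def file_name(path: str) -> str:
    """The last path component after normalisation, e.g. 'cmd.exe'."""
    return ntpath.basename(canonical_path(path))


def is_under(path: str, root: str) -> bool:
    """True when the resolved path is the monitored root or lies inside it,
    so a traversal form that walks out of system32 is not mistaken for it."""
    full = canonical_path(path)
    base = canonical_path(root).rstrip("\\")
    return full == base or full.startswith(base + "\\")


if __name__ == "__main__":
    root = r"C:\Windows\System32"
    for p in SAMPLES:
        print(f"{p!r:55} -> {file_name(p):8} under system32: {is_under(p, root)}")
```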