On Tue, Feb 14, 2017 at 8:10 AM, amir zargaran <zargaran.a...@gmail.com> wrote:
>
> Dear All
> I want to monitor the
> "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" path in
> OSSEC.
> I also added the mentioned path to the C:\Program_File(x86)\ossec-agent\ossec.conf
> file, in the syscheck section, but in the agent log file I see:
>
> "ERROR: Invalid syscheck registry entry:
> 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'."
>
> Also, when I deploy a script executable file to create a value in this
> registry key, I do not see any reaction on the OSSEC server and I do not have any
> syscheck registry change log.
>
> Any solution?
>

Can you provide the configuration you're using for these settings?
I would assume the default config of:

<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>

would automatically monitor this. But I don't use the Windows agent much.

> BR
> Amir
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.