Hi all,

I have configured the win_audit_rcl.txt file on my Windows agent to detect 
USB drives as per this URL: 
https://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/ 
. It is working as expected. I can see the message "USB Drive detected" 
make it to the archive.log file on the OSSEC server.

What do I need to do next to make this msg display as an ALERT in the Web 
UI? Do we have to create a local_decoder.xml file or do we have to create 
a rule in the local_rules.xml file? I am currently using Security Onion, 
which has OSSEC server preinstalled.

Likewise, I am also getting some Windows events forwarded from 
the "Power Shell" event group in Windows Event Viewer. I can see these 
events make it to the OSSEC server but I need them to show as an ALERT in 
the web UI. Won't the prebuilt Windows-related rules/decoders that come 
along with OSSEC.

Thanks
