
/queue/diff remains empty

Open: MichelDBD opened this issue 3 years ago • 1 comment

Hi,

I'm having an issue with a local rule to detect any USB device connected. I implemented the following one on the OSSEC server:

    <rule id="100101" level="7">
        <if_sid>530</if_sid>
        <frequency>10</frequency>
        <match>ossec: output: 'reg QUERY</match>
        <check_diff />
        <description>USB device connected</description>
    </rule>

After that, I wrote these lines in the agent's ossec.conf file:

    <localfile>
        <log_format>full_command</log_format>
        <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum</command>
    </localfile>

I restarted OSSEC and the host, but /var/ossec/queue/diff remains empty. The connection between my host and the server is working, because I receive logon and other notifications. There is no specific error message in ossec.log (in the agent's file, I even read the message "ossec-logcollector: INFO: Monitoring full output of command(10): reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum") or in /var/ossec/logs/ossec.log.

Does anyone have an idea about this issue?

Cheers!

MichelDBD, Aug 18 '22 07:08

Hello @MichelDBD, check this thread where @ddpbsd mentions that you have to track the actual change of value: https://groups.google.com/g/ossec-list/c/1t6dnbzMZzM

libellux, Jan 03 '23 21:01
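To make the reply concrete, here is an added Python simulation (not OSSEC's own code) of what `<check_diff />` does with a `full_command` output: the last matched output is remembered per location and rule id, and an alert is raised only when the registry query's value actually changes. The state-file layout under queue/diff, the location string and the two `reg QUERY` outputs are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample outputs of the agent's full_command, before and after a
# USB stick is plugged in. "ossec: output: '<command>': " is the prefix OSSEC
# puts in front of full_command output, which is what the rule's <match> hits.
PREFIX = r"ossec: output: 'reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum': "
BEFORE = PREFIX + "Count REG_DWORD 0x0"
AFTER = PREFIX + "Count REG_DWORD 0x1" + "\n" + r"0 REG_SZ USBSTOR\Disk&Ven_Example&Prod_Flash\SERIAL0&0"

# Assumed location string: OSSEC keys the diff state by the event's source
# (agent and command), not by the agent alone.
LOCATION = "agent01->usbstor-enum"
RULE_ID = 100101


def check_diff(state_dir: Path, location: str, rule_id: int, log: str) -> Tuple[bool, Optional[str]]:
    """Model of <check_diff/>: returns (alert, previous_output).

    State lives in <state_dir>/<location>/<rule_id>/last-entry (assumed layout,
    mirroring OSSEC's queue/diff tree). In this simulation the first observation
    only seeds the state; an alert fires when a later output differs from it.
    """
    entry = state_dir / location.replace("/", "_") / str(rule_id) / "last-entry"
    entry.parent.mkdir(parents=True, exist_ok=True)
    previous = entry.read_text() if entry.exists() else None
    if previous == log:
        return False, previous          # same value as last time: nothing to report
    entry.write_text(log)               # remember the new value for the next run
    return previous is not None, previous


def run_sequence(state_dir: Path, logs: List[str]) -> List[bool]:
    """Feed successive command outputs through check_diff and collect alert flags."""
    return [check_diff(state_dir, LOCATION, RULE_ID, log)[0] for log in logs]


def demo() -> List[bool]:
    """Seed, repeat, insert USB, repeat, remove USB: alerts only on value changes."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_sequence(Path(tmp), [BEFORE, BEFORE, AFTER, AFTER, BEFORE])
# demo() returns [False, False, True, False, True]
```

The two `True` entries are the only points at which the USBSTOR enumeration actually changed; identical repeats of the command produce no alert and leave the stored entry untouched.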