1 <!-- OSSEC-HIDS Win32 Agent Configuration.
2 - This file is composed of 3 main sections:
3 - - Client config - Settings to connect to the OSSEC server
4 - - Localfile - Files/Event logs to monitor
5 - - syscheck - System file/Registry entries to monitor
8 <!-- READ ME FIRST. If you are configuring OSSEC-HIDS for the first time,
9 - try to use the "Manage_Agent" tool. Go to Control Panel->OSSEC Agent
12 - First, add a server-ip entry with the real IP of your server.
13 - Second, and optionally, change the settings of the files you want
14 - to monitor. Look at our Manual and FAQ for more information.
15 - Third, start the Agent and enjoy.
17 - Example of server-ip:
18 - <client> <server-ip>1.2.3.4</server-ip> </client>
23 <!-- One entry for each file/Event log to monitor. -->
25 <location>Application</location>
26 <log_format>eventlog</log_format>
30 <location>Security</location>
31 <log_format>eventlog</log_format>
35 <location>System</location>
36 <log_format>eventlog</log_format>
40 <location>Windows PowerShell</location>
41 <log_format>eventlog</log_format>
44 <!-- Rootcheck - Policy monitor config -->
46 <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
47 <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
48 <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
51 <!-- Syscheck - Integrity Checking config. -->
54 <!-- Default frequency, every 20 hours. It doesn't need to be higher
55 - on most systems and one a day should be enough.
57 <frequency>72000</frequency>
59 <!-- By default it is disabled. In the Install you must choose
62 <disabled>yes</disabled>
64 <!-- Default files to be monitored - system32 only. -->
65 <directories check_all="yes">%WINDIR%/win.ini</directories>
66 <directories check_all="yes">%WINDIR%/system.ini</directories>
67 <directories check_all="yes">C:\autoexec.bat</directories>
68 <directories check_all="yes">C:\config.sys</directories>
69 <directories check_all="yes">C:\boot.ini</directories>
71 <directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
72 <directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
73 <directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
74 <directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
75 <directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
76 <directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
77 <directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
78 <directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
79 <directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
80 <directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
81 <directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
82 <directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
83 <directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
84 <directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
85 <directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
86 <directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
87 <directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
88 <directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
89 <directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
90 <directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
91 <directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
92 <directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>
94 <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
95 <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
96 <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
97 <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
98 <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
99 <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
100 <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>
101 <directories check_all="yes">%WINDIR%/System32/drwtsn32.exe</directories>
102 <directories check_all="yes">%WINDIR%/System32/edlin.exe</directories>
103 <directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
104 <directories check_all="yes">%WINDIR%/System32/eventtriggers.exe</directories>
105 <directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
106 <directories check_all="yes">%WINDIR%/System32/net.exe</directories>
107 <directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
108 <directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
109 <directories check_all="yes">%WINDIR%/System32/rcp.exe</directories>
110 <directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
111 <directories check_all="yes">%WINDIR%/regedit.exe</directories>
112 <directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
113 <directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
114 <directories check_all="yes">%WINDIR%/System32/rexec.exe</directories>
115 <directories check_all="yes">%WINDIR%/System32/rsh.exe</directories>
116 <directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
117 <directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
118 <directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
119 <directories check_all="yes">%WINDIR%/System32/telnet.exe</directories>
120 <directories check_all="yes">%WINDIR%/System32/tftp.exe</directories>
121 <directories check_all="yes">%WINDIR%/System32/tlntsvr.exe</directories>
122 <directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
123 <directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
124 <directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
125 <directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>
127 <directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>
129 <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
131 <!-- Windows registry entries to monitor. -->
132 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
133 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
134 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
135 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
136 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
137 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
138 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
139 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
140 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
141 <windows_registry>HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
142 <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
143 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
145 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
146 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
147 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
149 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
150 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
151 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
152 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
153 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
154 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
155 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
157 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
159 <!-- Windows registry entries to ignore. -->
160 <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
161 <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
162 <registry_ignore type="sregex">\Enum$</registry_ignore>
166 <disabled>yes</disabled>
171 <!-- END of Default Configuration. -->