OSSEC v1.3 will come with support for Windows policy monitoring, allowing you to verify that all your systems conform to a set of policies regarding configuration settings, application usage, etc. The policies are configured centrally on the OSSEC server and pushed down to all your agents.
With Windows policy monitoring, you can get alerts like the following (here detecting Yahoo and Skype):
2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.
Application Found: Chat/IM - Yahoo.
2007 Jul 22 17:42:57 Rule Id: 514 level: 2
Location: (winhome) 192.168.2.190->rootcheck
Windows application monitor event.
Application Found: Chat/IM/VoIP - Skype.
And compliance alerts like the following:
2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.
Windows Audit: Null sessions allowed.
2007 Jul 23 13:44:54 Rule Id: 512 level: 3
Location: (winhome) 192.168.2.190->rootcheck
Windows Audit event.
Windows Audit: LM authentication allowed (weak passwords).
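To make concrete what sits behind those two audit alerts and the application alert, here is an added example (written for this page, not OSSEC's own code) of a small evaluator for policy checks in the style of rootcheck's `[name] [any|all] [reference]` headers followed by `r:<key> -> <value> -> <data>;` registry checks. It runs against a constructed in-memory registry snapshot rather than the live Windows registry, and reports the same findings as the alerts above. The registry values it inspects (RestrictAnonymous for null sessions, LmCompatibilityLevel for LM authentication, a Skype install key) are the usual ones from Windows hardening guidance; that these are exactly the entries OSSEC ships in its policy files, and the Skype key path, are assumptions here. A second, hardened snapshot shows the corrected settings producing no findings.

```python
"""Rootcheck-style policy evaluator over a constructed registry snapshot.

Added example for this page; not OSSEC's own code. Rule ids 512/514 and
the alert wording follow the alerts shown on the page.
"""
import re

# Constructed registry snapshot (key path -> {value name: data}) standing in
# for the live registry. Both LSA settings are deliberately weak. The Skype
# key path is an assumption for illustration.
WEAK_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa": {
        "RestrictAnonymous": 0,       # 0: anonymous (null session) enumeration allowed
        "LmCompatibilityLevel": 0,    # 0/1: LM responses still sent (weak hashes on the wire)
    },
    r"HKEY_LOCAL_MACHINE\Software\Skype\Phone": {
        "SkypePath": r"C:\Program Files\Skype\Phone\Skype.exe",
    },
}

# Same machine after hardening: anonymous access restricted, NTLMv2 only,
# Skype removed.
HARDENED_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa": {
        "RestrictAnonymous": 1,
        "LmCompatibilityLevel": 5,
    },
}

# Policy files in a rootcheck-like syntax (assumed, modelled on OSSEC's
# format). "any": the rule fires if at least one check matches; "all": every
# check must match. A check with two "->" parts compares the value's data as
# a string; with one part it only tests that the value exists.
AUDIT_RULES = r"""
[Null sessions allowed] [any] [http://support.microsoft.com/kb/246261]
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> RestrictAnonymous -> 0;

[LM authentication allowed (weak passwords)] [any] [http://support.microsoft.com/kb/299656]
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 0;
r:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa -> LmCompatibilityLevel -> 1;
"""

APP_RULES = r"""
[Chat/IM/VoIP - Skype] [any] []
r:HKEY_LOCAL_MACHINE\Software\Skype\Phone -> SkypePath;
"""

HEADER = re.compile(r"^\[(?P<name>[^\]]+)\]\s*\[(?P<cond>any|all)\]\s*\[(?P<ref>[^\]]*)\]$")


def parse_rules(text):
    """Turn a policy file into a list of {name, cond, ref, checks} dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER.match(line)
        if m:
            rules.append({"name": m["name"], "cond": m["cond"],
                          "ref": m["ref"], "checks": []})
        elif line.startswith("r:") and line.endswith(";") and rules:
            # [key], [key, value] or [key, value, data]
            rules[-1]["checks"].append([p.strip() for p in line[2:-1].split("->")])
        else:
            raise ValueError(f"unparseable policy line: {line!r}")
    return rules


def registry_check(registry, parts):
    """True when the registry snapshot satisfies one r: check."""
    key = parts[0]
    if key not in registry:
        return False
    if len(parts) == 1:
        return True
    values = registry[key]
    if parts[1] not in values:
        return False
    if len(parts) == 2:
        return True
    return str(values[parts[1]]) == parts[2]


def evaluate(rules, registry):
    """Return the names of the rules that fire, in file order."""
    findings = []
    for rule in rules:
        results = [registry_check(registry, c) for c in rule["checks"]]
        fired = any(results) if rule["cond"] == "any" else all(results)
        if fired:
            findings.append(rule["name"])
    return findings


def alerts(registry):
    """Render findings in the shape of the page's rootcheck alerts."""
    out = [f"Rule Id: 512 level: 3 Windows Audit: {n}."
           for n in evaluate(parse_rules(AUDIT_RULES), registry)]
    out += [f"Rule Id: 514 level: 2 Application Found: {n}."
            for n in evaluate(parse_rules(APP_RULES), registry)]
    return out


if __name__ == "__main__":
    for label, reg in (("weak host", WEAK_REGISTRY), ("hardened host", HARDENED_REGISTRY)):
        print(f"== {label} ==")
        for line in alerts(reg) or ["(no findings)"]:
            print(line)
```

The LM check fires on LmCompatibilityLevel 0 or 1 because both still send the LM response; level 2 and above stop sending LM, and 5 refuses LM and NTLMv1 entirely, which is why the hardened snapshot is clean. On a real agent the snapshot would be read from the registry, but the evaluation logic is the same.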
Interested? Read more about how it works here. You can also try the beta version and help us improve it.