{"id":341,"date":"2007-01-02T04:19:00","date_gmt":"2007-01-02T04:19:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=341"},"modified":"2020-07-03T04:20:25","modified_gmt":"2020-07-03T04:20:25","slug":"windows-registry-monitoring-syscheckd","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/01\/windows-registry-monitoring-syscheckd\/","title":{"rendered":"Windows registry monitoring (syscheckd)"},"content":{"rendered":"\n<p>I just completed adding support for monitoring the Windows registry on <a href=\"http:\/\/www.ossec.net\/\">ossec<\/a>. It seems to be fairly stable right now and hopefully a beta version will be available soon (lots of tests will be required).<\/p>\n\n\n\n<p>The configuration will have the following options available (inside the <em>syscheck<\/em> area):<\/p>\n\n\n\n<p><em>&lt;windows_registry&gt;HKEY_LOCAL_MACHINE&lt;\/windows_registry&gt;<br>&lt;registry_ignore&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft&lt;\/registry_ignore&gt;<\/em><\/p>\n\n\n\n<p>Where the first option is a list (comma separated) of registry entries to monitor and the second is a list of entries to ignore.<\/p>\n\n\n\n<p>A question now for the Windows users out there: which registry entries should we monitor by default?<\/p>\n\n\n\n<p>I was thinking of everything under HKEY_LOCAL_MACHINE\\SYSTEM, HKEY_LOCAL_MACHINE\\SECURITY and HKEY_LOCAL_MACHINE\\SAM. Is there anything else worth checking too?<br>Comments are more than welcome.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I just completed adding support for monitoring the Windows registry on ossec. It seems to be fairly stable right now and hopefully a beta version will be available soon (lots of tests will be required). 
The configuration will have the following options available (inside the syscheck area): &lt;windows_registry&gt;HKEY_LOCAL_MACHINE&lt;\/windows_registry&gt; &lt;registry_ignore&gt;HKEY_LOCAL_MACHINE\\Software\\Microsoft&lt;\/registry_ignore&gt; Where the first option is a list (comma separated) [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[11],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/341"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=341"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/341\/revisions"}],"predecessor-version":[{"id":342,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/341\/revisions\/342"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
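A fuller syscheck block built from the two options the post describes, as an added example by this editor and not text from the original post or OSSEC's shipped configuration. The three hives in the `<windows_registry>` line marked as the post's proposal are taken from the text; every other key, both `<registry_ignore>` entries and the `<frequency>` value are this editor's illustrative choices. Entries are written as comma-separated lists inside one element, the form the post describes, with the element repeated to group them.

```xml
<!-- Illustrative ossec.conf fragment for a Windows agent (added example, not from the post).
     Registry paths are written with backslashes exactly as the registry shows them. -->
<ossec_config>
  <syscheck>
    <!-- Scan interval in seconds (22 hours); a value chosen for this example. -->
    <frequency>79200</frequency>

    <!-- The three hives the post proposes monitoring by default. -->
    <windows_registry>HKEY_LOCAL_MACHINE\SYSTEM,HKEY_LOCAL_MACHINE\SECURITY,HKEY_LOCAL_MACHINE\SAM</windows_registry>

    <!-- Editor's additions: persistence locations an intruder writes to after a compromise. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>

    <!-- Editor's additions: file-association handlers. Rewriting exefile\shell\open\command
         hijacks every .exe launch, so a change here is almost never benign. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile,HKEY_LOCAL_MACHINE\Software\Classes\batfile,HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>

    <!-- Subkeys inside the monitored hives that change during normal operation and would
         otherwise raise an alert on every scan (editor's choices). -->
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Epoch</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  </syscheck>
</ossec_config>
```

Two practical caveats when building such a list. HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY are readable only by the SYSTEM account, so the agent must run as LocalSystem for those entries to produce anything at all. And HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet is a link to one of the ControlSet00N keys under the same hive, so monitoring the whole hive reports each change twice unless one of the two paths is added to `<registry_ignore>`.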