C:\Program Files (x86)\ossec-agent
Double-click win32ui.
(Note: the Start menu no longer works on Windows Server 2016. This is a feature, not a bug.)
But for this project, we want it to respond quickly.
On the Windows server, in File Explorer, navigate to:
C:\Program Files (x86)\ossec-agent
Right-click internal_options and click Open, as shown below.
Open the file in Notepad.
Change syscheck_sleep from its default value of 2 to 0, as shown below.
In Notepad, click File, Save.
Close Notepad.
Click the Refresh button.
The Status should be "Running", as shown below.
An "ossec - Notepad" window opens. Scroll to the bottom. You should see the message "Starting syscheck real-time monitoring", as shown below.
In Notepad, click File, Save.
Close Notepad.
Scroll down to the "<!-- Windows registry entries to monitor. -->" line. A few lines above it, observe the line shown below.
This line tells OSSEC to monitor the Run key in realtime.
Close Notepad.
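As an added example (not part of the original lab and not Wazuh's own tooling), a small Python checker that reads the two agent files edited above and confirms the settings the lab depends on: syscheck.sleep=0 in internal_options.conf (the key is spelled with a dot in the file), a realtime directories entry for the StartUp folder, and the Run key among the windows_registry entries. The file contents below are constructed samples; which default entries your own ossec.conf contains is something to verify against your copy.

```python
import re
import xml.etree.ElementTree as ET

STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed samples of the two agent files after the lab's edits (not real captures)
SAMPLE_INTERNAL_OPTIONS = "# delay after each real-time event\nsyscheck.sleep=0\n"
SAMPLE_OSSEC_CONF = r"""<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</directories>
    <windows_registry>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>
</ossec_config>
<ossec_config><syscheck><directories check_all="yes">%WINDIR%/win.ini</directories></syscheck></ossec_config>"""

def parse_internal_options(text):
    """internal_options.conf is key=value per line; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def parse_syscheck(text):
    """Map monitored directories to their realtime flag and list registry keys; ossec.conf may hold several <ossec_config> roots, so wrap it in one root first."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring("<root>" + text + "</root>")
    dirs, keys = {}, []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            realtime = d.attrib.get("realtime", "no").lower() == "yes"
            for path in (d.text or "").split(","):
                dirs[path.strip().lower()] = realtime
        keys += [(k.text or "").strip().lower() for k in sc.findall("windows_registry")]
    return dirs, keys

def check_lab_settings(internal_options_text, ossec_conf_text):
    """Return findings; an empty list means the agent matches the lab setup."""
    findings = []
    sleep = parse_internal_options(internal_options_text).get("syscheck.sleep", "unset")
    if sleep != "0":
        findings.append(f"syscheck.sleep is {sleep}, expected 0")
    dirs, keys = parse_syscheck(ossec_conf_text)
    if not dirs.get(STARTUP_DIR.lower()):
        findings.append("StartUp folder is not monitored in realtime")
    if RUN_KEY.lower() not in keys:
        findings.append("Run key is missing from windows_registry entries")
    return findings
```

Point the two parse functions at the real files under C:\Program Files (x86)\ossec-agent to check a live agent; a non-empty result lists exactly which of the lab's settings is still missing.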
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Right-click an empty portion of the window and click New, "Text Document", as shown above.
Type a filename of YOURNAME, replacing "YOURNAME" with your own name. Then press Enter.
A file appears with your name on it, as shown below.
In the second line, click "FILE INTEGRITY".
At the top right, click DISCOVER.
At the bottom of the page, there should be an alert containing your name, as shown below.
Troubleshooting
If you see no results, try changing the time interval. At the top right, click the time range, which may say "Last 15 minutes" or some other time range, as shown below.
On the next page, at the top right, click Quick. Click "This week", as shown below.
Capture a whole-desktop image.
Save the image with the filename "Your Name Proj 6xa". Use your real name, not the literal text "Your Name".
YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!
On the Windows server desktop, click the Start button and type REGEDIT
In the search results, click regedit.
In the left pane of Registry Editor, navigate to this key, as shown below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the left pane, click Run to select it.
In the right pane, right-click an empty portion of the window and click New, "String Value", as shown above.
Type a name of YOURNAME, replacing "YOURNAME" with your own name. Then press Enter.
A value appears with your name on it, as shown below.
Double-click the YOURNAME value. Enter some text into the "Value data:" box, as shown below.
Click OK.
To save time, we'll restart the agent, triggering an immediate update.
In "Wazuh Agent Manager", from the menu bar, click Manage, Stop. Click OK.
Click Manage, Start. Click OK.
Click the Refresh button.
The Status should be "Running", as shown below.
In the second line, click GENERAL.
At the top right, click DISCOVER.
At the top left, in the search bar, type
Run
and press Enter.
At the bottom of the page, there should be an alert containing the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, as shown below.
Capture a whole-desktop image.
Save the image with the filename "Your Name Proj 6xb". Use your real name, not the literal text "Your Name".
YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!
Posted 12-26-17 by Sam Bowne
Revised extensively 12-30-17