Hi Christina,

Thanks so much for your feedback. And, just so I am clear, I am not looking for the standard output after the sudo command is issued but the whole sudo command line: "sudo <linux command> <command parameters>".

Right now, we're experimenting with OSSEC logs going to Kibana. This is working well, but the question I am asked is "what was the sudo command that OSSEC captured *and* who issued the sudo command?". I want to make sure the logs OSSEC is capturing include these pieces of information that will aid in auditing.

Steve

On Thursday, October 5, 2017 at 4:01:06 AM UTC-7, linuxfancy wrote:
>
> Hi Steve,
>
> OSSEC monitors logs. Generally the *output* from sudo commands is not
> logged. (There is a LOG_OUTPUT option that can be configured in sudoers,
> but those logs are generated in a special format that would probably be
> hard for OSSEC to parse - since command output might be extensive and
> unformatted. The sudoreplay command can be used to play back a logged
> session, though.)
>
> Christina
>
> Sent from mobile
>
> On Oct 4, 2017, at 10:10 PM, st...@treasure-data.com wrote:
>
> Hello,
>
> My team is evaluating OSSEC and we're looking for a method to capture sudo
> commands when OSSEC detects the command has been executed. Is this an
> option that is available today to capture output?
>
> Note: I did see a question/response to this going back to 2010. Since I am
> new to OSSEC, I am inquiring to see if the answer is still valid.
>
> If this is not an option, how have those using OSSEC addressed the need
> for capturing the commands being issued when running 'sudo' that may be
> needed for one's auditing?
>
> Thanks
>
> Steve
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
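The two fields Steve is after (who invoked sudo, and the full command line) are exactly what sudo writes to syslog on every invocation, whether or not it was allowed. The parser below is an added example, not code from the thread, OSSEC or the sudo project: it reads constructed auth.log-style lines and turns each sudo entry into an audit record with the invoking user, target user, TTY, working directory, command, and the refusal reason when sudo denied the request. The regular expression, the `SudoEvent` record and the sample lines are all assumptions made for this example; the field layout it parses (`user : [reason ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...`) is sudo's standard syslog format.

```python
"""Turn sudo's syslog lines into (who, what) audit records."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One syslog line per sudo invocation, e.g.
#   sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/cat /etc/shadow
# When sudo refuses, a free-text reason is inserted before the key=value fields:
#   sudo:   mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
# The regex is an assumption for this example; it accepts both "sudo:" and "sudo[pid]:".
SUDO_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+(?P<rest>.+)$")


@dataclass
class SudoEvent:
    invoking_user: str                 # who typed sudo (the auditing question)
    target_user: Optional[str]         # USER=  (account the command ran as)
    command: Optional[str]             # COMMAND=  (full command line)
    tty: Optional[str] = None
    pwd: Optional[str] = None
    reason: Optional[str] = None       # set only when sudo denied the request

    @property
    def succeeded(self) -> bool:
        return self.reason is None and self.command is not None


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a sudo syslog line, or None for any other line."""
    m = SUDO_RE.search(line)
    if m is None:
        return None
    rest = m.group("rest")
    # COMMAND= is always the last field and its value may itself contain " ; "
    # (e.g. a shell -c string), so split it off before splitting on the separator.
    head, sep, command = rest.partition("COMMAND=")
    command = command.strip() if sep else None
    kv: Dict[str, str] = {}
    reason: Optional[str] = None
    for token in (t.strip() for t in head.split(" ; ")):
        if not token:
            continue
        key, eq, value = token.partition("=")
        if eq and key in ("TTY", "PWD", "USER"):
            kv[key] = value
        else:
            reason = token  # free text such as "3 incorrect password attempts"
    return SudoEvent(
        invoking_user=m.group("user"),
        target_user=kv.get("USER"),
        command=command,
        tty=kv.get("TTY"),
        pwd=kv.get("PWD"),
        reason=reason,
    )


def audit_records(lines: Iterable[str]) -> List[SudoEvent]:
    """Keep only the sudo events; non-sudo lines are silently skipped."""
    return [ev for ev in map(parse_sudo_line, lines) if ev is not None]


# Constructed sample log lines (not real captures).
SAMPLE_LOG = [
    "Oct  5 11:02:17 web01 sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Oct  5 11:03:01 web01 sudo:    steve : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/usr/bin/id",
    "Oct  5 11:04:10 web01 sudo:   mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash",
    "Oct  5 11:05:00 web01 sshd[1234]: Accepted publickey for steve from 10.0.0.5 port 51022 ssh2",
    "Oct  5 11:06:42 web01 sudo[2048]:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=postgres ; COMMAND=/bin/sh -c echo hi ; id",
]

if __name__ == "__main__":
    for ev in audit_records(SAMPLE_LOG):
        status = "OK     " if ev.succeeded else "DENIED "
        print(f"{status} {ev.invoking_user} -> {ev.target_user}: {ev.command}  ({ev.reason or 'allowed'})")
```

Denied attempts are worth keeping in the same index as successes: an entry with a reason set answers "who tried to run what, and why it was refused", which is the half of the audit trail that a command-output log (the LOG_OUTPUT/sudoreplay route Christina mentions) never contains, because no command ran.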