I think I just saw the answer in the audisp-prelude man page:
...
-w /etc/shadow -p wa
and you want idmef alerts on this, you need to add -k
ids-file-med or something appropriate to signal to the plugin
that this message is for it.
...
LCB.
On Mon, 2008-08-25 at 15:20 -0500, LC Bruzenak wrote:
> I don't think file watch events are reported to prelude...right?
>
> Thx,
> LCB.
>
--
LC (Lenny) Bruzenak
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
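
A check for the situation described in the message above, added here as an example (it is not part of the original post or of the audit project's code): it scans a rules file for `-w` watches and reports which ones lack an `ids-` key. The sample rules are constructed, the function names are hypothetical, and the `ids-<type>-<severity>` value sets are an assumption; the thread itself only shows `ids-file-med`. Only `-w ... -k ...` style rules are handled.

```python
import re
import shlex

# Assumed key shape: ids-<type>-<severity>. The type and severity sets are an
# assumption, not stated in the thread, which only shows "ids-file-med".
IDS_KEY = re.compile(r"^ids-(file|exec|mk)-(info|low|med|hi)$")

# Constructed sample rules file (not from the original post).
SAMPLE_RULES = """\
# identity files
-w /etc/shadow -p wa
-w /etc/passwd -p wa -k ids-file-med
-w /etc/sudoers -p wa -k sudoers-change
-w /usr/bin/nc -p x -k ids-exec-hi
-a always,exit -F arch=b64 -S execve -k exec-log
-w /etc/group -p wa -k ids-file-urgent
"""

def watch_keys(line):
    """Return (path, [keys]) for a -w watch rule, or None for any other line."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError:          # unbalanced quotes: not a rule we can parse
        return None
    path, keys = None, []
    it = iter(tokens)
    for tok in it:
        if tok == "-w":
            path = next(it, None)
        elif tok == "-k":
            keys.append(next(it, ""))
    return (path, keys) if path else None

def audit_watches(rules_text):
    """Label each watch: 'ids', 'bad-key' (ids- prefix, wrong shape) or 'no-ids-key'."""
    report = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        parsed = watch_keys(line)
        if parsed is None:
            continue
        path, keys = parsed
        if any(IDS_KEY.match(k) for k in keys):
            status = "ids"
        elif any(k.startswith("ids-") for k in keys):
            status = "bad-key"
        else:
            status = "no-ids-key"
        report.append((lineno, path, status))
    return report
```

Watches reported as `no-ids-key` or `bad-key` are the ones to review if file watch events are expected to reach prelude.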