Hi Rafael,
OSSEC by default will alert on the audit failure 560 events, but not on
the success ones. If you want to alert on them, add the following local
rule:
<rule id="100345" level="0">
  <!-- Chain off 18100, the "group of windows rules" parent, rather than
       18101: 18101 is the stock audit failure rule, so a success event
       would never reach a child of it. The status check mirrors the one
       the stock failure rule uses, with success in place of failure. -->
  <if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <id>^560$</id>
  <description>Windows success audit event.</description>
</rule>
With that, you can make specific rules to match on a user, program
name, agent, etc. For example:
<rule id="100346" level="5">
  <!-- Rule ids must be unique, so the child gets its own id and chains
       off the success rule above. The level has to be above 0 for the
       match to produce an alert. -->
  <if_sid>100345</if_sid>
  <match>Object Name: F:\foo\path\index.html</match>
  <description>Index.html opened.</description>
</rule>
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
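The chaining Daniel describes (a level-0 parent that catches every success
560, then a level>0 child keyed on the object name) can be seen end to end
in the small model below. It is an added example for this thread, not OSSEC
code: it only approximates what ossec-analysisd does (top-level rules first,
then the children of whichever rule matched, most specific match wins, an
alert only when the winning rule's level is above 0). It assumes the local
rule ids 100345/100346 from the reply, that 18100 is the stock "group of
windows rules" parent and 18101 the stock audit failure rule, and the event
text is constructed to resemble the entry Rafael quoted.

```python
"""Toy model of OSSEC <if_sid> rule chaining over a Windows event 560.

Added example, not OSSEC's own code.  Assumed: local rules 100345/100346
as in the reply, stock 18100 (group of windows rules) and 18101 (audit
failure).  decode() stands in for the real eventlog decoder.
"""
import re

# Constructed sample: a Success Audit 560 for the file the thread asks about.
SUCCESS_560 = """Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: UFBA\\user1
Computer: server1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\\foo\\path\\index.html
Handle ID: 51652
Client User Name: user1
Client Domain: DOMAIN1
Accesses: DELETE
ReadAttributes
Access Mask: 0x10080"""

# Constructed variants, to show which rule each one lands on.
FAILURE_560 = SUCCESS_560.replace("Success Audit", "Failure Audit")
OTHER_FILE = SUCCESS_560.replace("index.html", "other.txt")
LOGON_528 = SUCCESS_560.replace("Event ID: 560", "Event ID: 528")


def decode(log):
    """Extract the two fields the rules key on (status, id) plus the full
    text that <match> is applied to.  Stands in for the eventlog decoder."""
    status = re.search(r"^Event Type:\s*(.+?)\s*$", log, re.M)
    evid = re.search(r"^Event ID:\s*(\d+)\s*$", log, re.M)
    return {
        "status": status.group(1) if status else "",
        "id": evid.group(1) if evid else "",
        "full_log": log,
    }


# (rule id, level, if_sid, predicate over the decoded fields)
RULES = [
    (18100, 0, None, lambda f: True),                                # group of windows rules
    (18101, 5, 18100, lambda f: f["status"].startswith("Failure")),  # stock audit failure rule
    (100345, 0, 18100, lambda f: f["status"] == "Success Audit" and f["id"] == "560"),
    (100346, 5, 100345, lambda f: "Object Name: F:\\foo\\path\\index.html" in f["full_log"]),
]


def evaluate(fields, parent=None):
    """Return (id, level) of the most specific matching rule, or None.
    Only rules whose if_sid equals the rule that just matched are tried;
    that is the if_sid chaining the local rules rely on."""
    for rid, level, if_sid, pred in RULES:
        if if_sid == parent and pred(fields):
            child = evaluate(fields, parent=rid)
            return child if child else (rid, level)
    return None


def alert_for(log):
    """(id, level) of the alert the event would raise, or None when the
    winning rule is level 0 (matched, but silent)."""
    matched = evaluate(decode(log))
    return matched if matched and matched[1] > 0 else None


if __name__ == "__main__":
    for name, ev in [("success 560 index.html", SUCCESS_560),
                     ("failure 560", FAILURE_560),
                     ("success 560 other file", OTHER_FILE),
                     ("success 528", LOGON_528)]:
        print(f"{name:24s} matched={evaluate(decode(ev))} alert={alert_for(ev)}")
```

Running it shows the point of the level-0 parent: a success 560 on some
other file matches 100345 but raises nothing, the index.html open matches
100346 at level 5 and does, and a failure 560 never reaches the local rules
because the stock 18101 takes it first.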
On Thu, Jul 23, 2009 at 7:37 AM, Rafael Gomes<[email protected]> wrote:
>
> In my case, I just wanna get this log in ossec server:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 7/20/2009
> Time: 4:54:04 PM
> User: UFBA\user1
> Computer: server1
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: F:\foo\path\index.html
> Handle ID: 51652
> Operation ID: {0,2956632565}
> Process ID: 4
> Image File Name:
> Primary User Name: server1$
> Primary Domain: DOMAIN1
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: user1
> Client Domain: DOMAIN1
> Client Logon ID: (0x0,0xB0216AFA)
> Accesses: DELETE
> ReadAttributes
>
> Privileges: -
> Restricted Sid Count: 0
> Access Mask: 0x10080
>
>
> I already get other logs from this server, but I think that there isn't
> any decoder or rule to handle this type of log in my ossec server.
>
> Thank you.
>
> --
> Rafael Brito Gomes
> Projeto UFBA
> LPIC-1
> CPM Braxis
> Tel : +55 71 3283 6102
> http://www.cpmbraxis.com
>