Sorry, but this code doesn't work for me :(

> <rule id="100345" level="0">
>   <if_sid>18101</if_sid>
>   <id>^560$</id>
>   <description>Windows succes audit event.</description>
> </rule>
>

I put this rule in msauth and it doesn't work. I can get in server, but I can't in ossec-server

> With that, you can make specific rules to match on a user, program
> name, agent, etc. For example:
>
> <rule id="100345" level="0">
>   <if_sid>18101</if_sid>
>   <id>^560$</id>
>   <match>Object Name: F:\foo\path\index.html</match>
>   <description>Index.html opened.</description>
> </rule>
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>

--
Rafael Brito Gomes
Projeto UFBA
LPIC-1
CPM Braxis
Tel : +55 71 3283 6102
http://www.cpmbraxis.com
