Hey guys,

Sorry in advance - this might be slightly out of reach for OSSEC (or not!). I was wondering if there might be a way for OSSEC to record *every* event a domain or enterprise admin user takes. Of course, if there's not an inherent way in OSSEC, any ideas/recommendations on software that could be used in conjunction [or not] with OSSEC? I've come across tools like ObserveIT, Enterprise Adminguard, etc., but nothing FREE :)

I know this is partially doable via Windows audit logging, but the extent of the trail ends at the application or program that was run by the user(s). I'd want to be able to see what the admin did inside a certain app. Of course, this probably would get into specific application logging, which opens another can of worms.
Just wanted to see if there's a way to collectively do it all and if there's a free tool out there that could accomplish this (if OSSEC cannot). Essentially, it would be very much like a keylogger ;)

Thanks all!
