Or can OSSEC monitor for any changes to Active Directory?
On Sep 22, 3:48 pm, jplee3 <[email protected]> wrote:
> Hey guys,
>
> Sorry in advance - this might be slightly out of reach for OSSEC (or
> not!). I was wondering if there might be a way for OSSEC to record
> *every* event a domain or enterprise admin user takes. Of course, if
> there's not an inherent way in OSSEC, any ideas/recommendations on
> software that could be used in conjunction [or not] with OSSEC? I've
> come across tools like ObserveIT, Enterprise Adminguard, etc but
> nothing FREE :) I know this is partially doable via Windows audit
> logging but the extent of the trail ends at the application or program
> that was run by the user(s). I'd want to be able to see what the admin
> did inside a certain app. Of course, this probably would get into
> specific application logging, which opens another can of worms.
>
> Just wanted to see if there's a way to collectively do it all and if
> there's a free tool out there that could accomplish this (if OSSEC
> cannot). Essentially, it would be very much like a keylogger ;)
>
> Thanks all!
