Hello Christopher,

Thanks for the quick answer :) Unfortunately I did see this decoder, but it doesn't do what I would like: extracting the filename and the editor's name (it can't, because of the multi-line log, it seems).

I'll keep you informed if I find a solution.

Regards,
Alex.

On Jul 12, 8:52 pm, Christopher Moraes <[email protected]> wrote:
> Hello Alex,
>
> Michael Starks has written a comprehensive decoder for auditd. See this
> link: http://groups.google.com/group/ossec-list/browse_thread/thread/861e5b...
>
> Hope it helps.
>
> Regards,
> Chris
>
> On Tue, Jul 12, 2011 at 12:05 PM, Alex.B <[email protected]> wrote:
> > Hello everybody,
> >
> > I'm quite new to OSSEC, so I hope I didn't miss the solution while
> > searching for it.
> >
> > My question is in the title: is it possible for OSSEC, when it alerts
> > on a file modification, to tell which user made it?
> >
> > My first thought was: no.
> >
> > So I thought about using auditd, but the log format is just a mess: I
> > get information about the modification on 3 different lines and get
> > uids instead of real usernames:
> >
> > type=SYSCALL msg=audit(1310482288.083:28): arch=40000003 syscall=5 success=yes exit=3 a0=8443608 a1=8241 a2=1ff a3=0 items=1 ppid=30262 pid=24904 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" key="test"
> > type=CWD msg=audit(1310482288.083:28): cwd="/home/ablanchard"
> > type=PATH msg=audit(1310482288.083:28): item=0 name="test_audit.txt" inode=4719748 dev=08:01 mode=0100777 ouid=1000 ogid=1000 rdev=00:00
> >
> > As you can see, we can find the UID of the user modifying the file in the
> > first line and the actual file on the third line...
> >
> > Does anybody have any lead or even a solution to my problem?
> >
> > Thank you!
> >
> > Alex.
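The correlation Alex is after (a SYSCALL record carrying the uid, and CWD and PATH records carrying the directory and file name, all sharing one `msg=audit(timestamp:serial)` event id) can be done by a small preprocessor placed in front of a single-line decoder. The following is an added Python example, not part of the thread and not an OSSEC decoder: it parses the three records Alex posted (embedded here as constructed sample input), groups them by event id, joins `cwd` and `name` into a full path, and maps `uid` to a name through a constructed `PASSWD` table standing in for `/etc/passwd`. It also reports `auid`, the login uid that auditd preserves across su and sudo, as `None` when it holds auditd's "unset" value 4294967295, which is why the sample event shows no login user.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample: the three records Alex pasted, one record per line as
# they appear in /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1310482288.083:28): arch=40000003 syscall=5 success=yes exit=3 a0=8443608 a1=8241 a2=1ff a3=0 items=1 ppid=30262 pid=24904 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" key="test"
type=CWD msg=audit(1310482288.083:28): cwd="/home/ablanchard"
type=PATH msg=audit(1310482288.083:28): item=0 name="test_audit.txt" inode=4719748 dev=08:01 mode=0100777 ouid=1000 ogid=1000 rdev=00:00
"""

# Constructed uid -> name table standing in for /etc/passwd so the example
# runs offline; on a real host use pwd.getpwuid(uid).pw_name instead.
PASSWD = {0: "root", 1000: "ablanchard"}

# auditd writes 4294967295 (2**32 - 1) when auid/ses were never set.
UNSET = 4294967295

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Split one audit line into its record type, event id and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("body")):
        fields[key] = quoted if raw.startswith('"') else raw
    return {
        "type": m.group("type"),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def resolve_uid(uid, passwd):
    """Map a numeric uid to a name, falling back to the number itself."""
    return passwd.get(uid, str(uid))


def summarize(log_text, passwd=PASSWD):
    """Group records by (timestamp, serial) and flatten each group into one event."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[(rec["ts"], rec["serial"])][rec["type"]].append(rec["fields"])

    out = []
    for (ts, serial), recs in sorted(events.items()):
        syscall = recs["SYSCALL"][0] if recs["SYSCALL"] else {}
        cwd = recs["CWD"][0].get("cwd", "") if recs["CWD"] else ""
        # PATH names are relative to the CWD record unless already absolute.
        files = [posixpath.join(cwd, p["name"]) for p in recs["PATH"] if "name" in p]
        uid = int(syscall.get("uid", -1))
        auid = int(syscall.get("auid", UNSET))
        out.append({
            "time": ts,
            "serial": serial,
            "uid": uid,
            "user": resolve_uid(uid, passwd),
            # auid survives su/sudo, so it names the person who actually logged in.
            "auid": None if auid == UNSET else auid,
            "login_user": None if auid == UNSET else resolve_uid(auid, passwd),
            "comm": syscall.get("comm"),
            "exe": syscall.get("exe"),
            "key": syscall.get("key"),
            "success": syscall.get("success") == "yes",
            "files": files,
        })
    return out


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG):
        print(f"{ev['user']} ({ev['exe']}) touched {', '.join(ev['files'])} [key={ev['key']}]")
```

Each flattened event is a single line of facts (user, login user, program, full path, rule key, outcome), which is the shape a one-line decoder can consume. On a real host, replace the `PASSWD` dict with `pwd.getpwuid()` lookups, or let `ausearch -i` do the uid-to-name interpretation before the text reaches the log collector.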
