I don't see in the first message where it says the file was changed.
What am I missing? (I haven't looked into auditd's format.)
The third message has the user id, group id, and file name. You should
be able to work something out with that.

On Wed, Jul 13, 2011 at 4:04 AM, Alex.B <[email protected]> wrote:
> Hello Christopher,
>
> Thanks for the quick answer :)
> Unfortunately I did see this decoder but it doesn't do what I would
> like: extracting the filename and the editor's name (it can't because
> of the multiple line log it seems).
>
> I'll keep you informed if I find a solution.
>
> Regards,
> Alex.
>
> On Jul 12, 8:52 pm, Christopher Moraes <[email protected]> wrote:
>> Hello Alex,
>>
>> Michael Starks has written a comprehensive decoder for auditd. See this
>> link http://groups.google.com/group/ossec-list/browse_thread/thread/861e5b...
>>
>> Hope it helps.
>>
>> Regards,
>> Chris
>>
>> On Tue, Jul 12, 2011 at 12:05 PM, Alex.B <[email protected]> wrote:
>> > Hello everybody,
>>
>> > I'm quite new to ossec so I hope I didn't miss the solution while
>> > searching for it.
>>
>> > My question is in the title: is it possible for OSSEC, when it alerts
>> > on a file modification, to tell which user made it?
>>
>> > My first thought was: no.
>>
>> > So I thought about using auditd, but the log format is just a mess: I
>> > get information about the modification on 3 different lines and get
>> > uids instead of real usernames:
>>
>> > type=SYSCALL msg=audit(1310482288.083:28): arch=40000003 syscall=5
>> > success=yes exit=3 a0=8443608 a1=8241 a2=1ff a3=0 items=1 ppid=30262
>> > pid=24904 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000
>> > fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295
>> > comm="vim" exe="/usr/bin/vim.basic" key="test"
>> > type=CWD msg=audit(1310482288.083:28):  cwd="/home/ablanchard"
>> > type=PATH msg=audit(1310482288.083:28): item=0 name="test_audit.txt"
>> > inode=4719748 dev=08:01 mode=0100777 ouid=1000 ogid=1000 rdev=00:00
>>
>> > As you can see, we can find UID of the user modifying the file in the
>> > first line and the actual file on the third line...
>>
>> > Does anybody have any lead or even a solution to my problem?
>>
>> > Thank you!
>>
>> > Alex.
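The three records above belong to one event, keyed by the serial in msg=audit(timestamp:serial). The following Python script, added here as an illustration and not taken from OSSEC or any decoder posted in this thread, groups records by that serial and joins the SYSCALL uid, the CWD and the PATH name into a single "user X touched file Y" summary; the uid-to-name table is a constructed stand-in for /etc/passwd so it runs offline.

```python
import os
import re
from collections import defaultdict

# Constructed sample input: the three-record auditd event quoted in the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1310482288.083:28): arch=40000003 syscall=5 success=yes exit=3 a0=8443608 a1=8241 a2=1ff a3=0 items=1 ppid=30262 pid=24904 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4294967295 comm="vim" exe="/usr/bin/vim.basic" key="test"
type=CWD msg=audit(1310482288.083:28):  cwd="/home/ablanchard"
type=PATH msg=audit(1310482288.083:28): item=0 name="test_audit.txt" inode=4719748 dev=08:01 mode=0100777 ouid=1000 ogid=1000 rdev=00:00
"""

# Hypothetical uid -> name table standing in for /etc/passwd (pwd.getpwuid on a live host).
USERS = {1000: "ablanchard"}
AUID_UNSET = 4294967295  # auditd writes -1 as an unsigned value when no login uid is set

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

def parse_record(line):
    """Return (event serial, {field: value}) for one auditd record, or (None, {}) if unparseable."""
    m = SERIAL_RE.search(line)
    if not m:
        return None, {}
    return m.group(1), {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def resolve_user(syscall):
    """Prefer the login uid (auid), which survives su/sudo; fall back to uid when auid is unset."""
    auid = int(syscall.get("auid", AUID_UNSET))
    uid = auid if auid != AUID_UNSET else int(syscall["uid"])
    return uid, USERS.get(uid, str(uid))

def correlate(text):
    """Group records by serial and join SYSCALL (who), CWD (where) and PATH (what) per event."""
    events = defaultdict(list)
    for line in text.splitlines():
        serial, fields = parse_record(line)
        if serial:
            events[serial].append(fields)
    summaries = []
    for serial, recs in events.items():
        by_type = {r["type"]: r for r in recs}
        syscall = by_type.get("SYSCALL")
        paths = [r for r in recs if r["type"] == "PATH"]
        if syscall is None or not paths:
            continue  # event incomplete (records still arriving or dropped); nothing reliable yet
        cwd = by_type.get("CWD", {}).get("cwd")
        uid, user = resolve_user(syscall)
        for p in paths:
            name = p.get("name", "")
            if cwd and not name.startswith("/"):
                name = os.path.normpath(os.path.join(cwd, name))  # relative PATH names resolve against CWD
            summaries.append({"serial": serial, "uid": uid, "user": user,
                              "exe": syscall.get("exe"), "path": name})
    return summaries
```

Feeding the sample through correlate() yields one summary naming user ablanchard, /usr/bin/vim.basic and /home/ablanchard/test_audit.txt; in a real pipeline the grouping would have to buffer records until the event's final record arrives, since auditd emits them as separate lines.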
