The <localfile> option is for monitoring the contents of a log file.
How would OSSEC find out about who accesses a file if there are no
logs telling it that information? (assuming there are no kernel hooks
or anything to grab that info "off the wire")

On Wed, Apr 18, 2012 at 9:07 AM, C. L. Martinez <[email protected]> wrote:
> Uhmm, I see ... But can I monitor these accesses using the <localfile> directive
> in agent.conf?
>
> On Wed, Apr 18, 2012 at 2:58 PM, dan (ddp) <[email protected]> wrote:
>> It all depends on the log message.
>>
>> On Wed, Apr 18, 2012 at 8:54 AM, C. L. Martinez <[email protected]> wrote:
>>> I still don't have an access log ... What if I use UNC instead of c:\dir\file,
>>> like this: \\server1\dir\file ...
>>>
>>> Is there another option to monitor/control access to files and dirs on
>>> Windows servers using OSSEC?
>>>
>>>
>>> On Wed, Apr 18, 2012 at 2:42 PM, dan (ddp) <[email protected]> wrote:
>>>> Is the access attempt logged? Do you have a log sample for user3
>>>> trying to access c:\temp\somedir?
>>>>
>>>> Also, I think the : in c: might mess with the cdb list...
>>>>
>>>> On Wed, Apr 18, 2012 at 8:38 AM, C. L. Martinez <[email protected]> wrote:
>>>>> Hi all,
>>>>>
>>>>>  Is it possible to monitor files and directories using cdb lists when
>>>>> a user tries to access them? For example: user1 has access to dir
>>>>> c:\temp\somedir and user2 has access to c:\somdir\somefile.txt. Is it
>>>>> possible to trigger an alert if user3 tries to access
>>>>> c:\temp\somedir or c:\somdir\somefile.txt using a cdb list like this:
>>>>>
>>>>>  c:\temp\somedir:user1
>>>>>  c:\somdir\somefile.txt:user2
>>>>>  d:\anotherdir:user1,user2
>>>>>
>>>>> ??
>>>>>
>>>>>  Thanks.
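
Added example (not part of the original thread, and not OSSEC code): a sketch of why the ":" in "c:" matters for the key:value list in the original post, assuming the key is cut at the first colon as dan suspects. The normalize helper, the last-colon split and the sample events are constructed for illustration; a path taken from a log would need the same normalisation before lookup.

```python
import re

# The list from the original post (key:value, one entry per line).
LIST_SOURCE = r"""
c:\temp\somedir:user1
c:\somdir\somefile.txt:user2
d:\anotherdir:user1,user2
"""

def parse_first_colon(text):
    """Assumed parser behaviour: the key ends at the first ':'."""
    table = {}
    for line in text.split():
        key, _, value = line.partition(":")
        table[key] = value          # a repeated key overwrites the earlier entry
    return table

def normalize(path):
    """Hypothetical normalisation: lower-case and drop the drive colon."""
    return re.sub(r"^([a-z]):", r"\1", path.lower())

def parse_normalized(text):
    """Split at the LAST ':' so the drive colon stays with the path, then normalise."""
    table = {}
    for line in text.split():
        path, _, users = line.rpartition(":")
        table[normalize(path)] = set(users.split(","))
    return table

def unauthorized(events, acl):
    """Return (user, path) pairs where a listed path is accessed by an unlisted user."""
    hits = []
    for user, path in events:
        allowed = acl.get(normalize(path))
        if allowed is not None and user not in allowed:
            hits.append((user, path))
    return hits

# Constructed events: (user, path) pairs as they might be extracted from an access log.
EVENTS = [("user1", r"C:\temp\somedir"), ("user3", r"c:\temp\somedir"),
          ("user3", r"c:\other\file"), ("user2", r"d:\anotherdir")]

if __name__ == "__main__":
    print(parse_first_colon(LIST_SOURCE))   # both c:\ entries collapse onto key "c"
    print(unauthorized(EVENTS, parse_normalized(LIST_SOURCE)))
```

With a first-colon split the three entries shrink to two keys, "c" and "d", so the per-path user lists are lost; with the drive colon removed, only user3's access to c:\temp\somedir is flagged.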
