I am using the Windows OSSEC agent on the Windows server side ...

On Wed, Apr 18, 2012 at 3:27 PM, dan (ddp) <[email protected]> wrote:
> The <localfile> option is for monitoring the contents of a log file.
> How would OSSEC find out about who accesses a file if there are no
> logs telling it that information? (assuming there are no kernel hooks
> or anything to grab that info "off the wire")
>
> On Wed, Apr 18, 2012 at 9:07 AM, C. L. Martinez <[email protected]> wrote:
>> Uhmm I see .. But can monitor these access using <localfile> directive
>> in agent.conf??
>>
>> On Wed, Apr 18, 2012 at 2:58 PM, dan (ddp) <[email protected]> wrote:
>>> It all depends on the log message.
>>>
>>> On Wed, Apr 18, 2012 at 8:54 AM, C. L. Martinez <[email protected]>
>>> wrote:
>>>> Still I haven't access log ... If I use unc instead of c:\dir\file??
>>>> like this: \\server1\dir\file ...
>>>>
>>>> Exists another option to monitor/control access to a files and dirs in
>>>> a Windows servers using OSSEC?
>>>>
>>>>
>>>> On Wed, Apr 18, 2012 at 2:42 PM, dan (ddp) <[email protected]> wrote:
>>>>> Is the access attempt logged? Do you have a log sample for user3
>>>>> trying to access c:\temp\somedir?
>>>>>
>>>>> Also, I think the : in c: might mess with the cdb list...
>>>>>
>>>>> On Wed, Apr 18, 2012 at 8:38 AM, C. L. Martinez <[email protected]>
>>>>> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> Is it possible to monitor files and directories using cdb lists when
>>>>>> a user tries to access?? For example: user1 has access to dir
>>>>>> c:\temp\somedir and user2 has access to c:\somdir\somefile.txt. If it
>>>>>> is possible to trigger and alert if user3 tries to access to
>>>>>> c:\temp\somedir or c:\somdir\somefile.txt using a cdb list like this:
>>>>>>
>>>>>> c:\temp\somedir:user1
>>>>>> c:\somdir\somefile.txt:user2
>>>>>> d:\anotherdir:user1,user2
>>>>>>
>>>>>> ??
>>>>>>
>>>>>> Thanks.
