Do I need to activate audit files in event viewer only??
On Wed, Apr 18, 2012 at 4:01 PM, dan (ddp) <[email protected]> wrote:
> Ok?
>
> On Wed, Apr 18, 2012 at 9:30 AM, C. L. Martinez <[email protected]> wrote:
>> I am using the Windows ossec agent on the Windows server side ....
>>
>>
>> On Wed, Apr 18, 2012 at 3:27 PM, dan (ddp) <[email protected]> wrote:
>>> The <localfile> option is for monitoring the contents of a log file.
>>> How would OSSEC find out about who accesses a file if there are no
>>> logs telling it that information? (assuming there are no kernel hooks
>>> or anything to grab that info "off the wire")
>>>
>>> On Wed, Apr 18, 2012 at 9:07 AM, C. L. Martinez <[email protected]>
>>> wrote:
>>>> Uhmm I see .. But can I monitor these accesses using the <localfile> directive
>>>> in agent.conf??
>>>>
>>>> On Wed, Apr 18, 2012 at 2:58 PM, dan (ddp) <[email protected]> wrote:
>>>>> It all depends on the log message.
>>>>>
>>>>> On Wed, Apr 18, 2012 at 8:54 AM, C. L. Martinez <[email protected]>
>>>>> wrote:
>>>>>> I still don't have an access log ... What if I use UNC instead of c:\dir\file??
>>>>>> like this: \\server1\dir\file ...
>>>>>>
>>>>>> Is there another option to monitor/control access to files and dirs on
>>>>>> Windows servers using OSSEC?
>>>>>>
>>>>>>
>>>>>> On Wed, Apr 18, 2012 at 2:42 PM, dan (ddp) <[email protected]> wrote:
>>>>>>> Is the access attempt logged? Do you have a log sample for user3
>>>>>>> trying to access c:\temp\somedir?
>>>>>>>
>>>>>>> Also, I think the : in c: might mess with the cdb list...
>>>>>>>
>>>>>>> On Wed, Apr 18, 2012 at 8:38 AM, C. L. Martinez <[email protected]>
>>>>>>> wrote:
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> Is it possible to monitor files and directories using cdb lists when
>>>>>>>> a user tries to access them?? For example: user1 has access to dir
>>>>>>>> c:\temp\somedir and user2 has access to c:\somdir\somefile.txt. Is it
>>>>>>>> possible to trigger an alert if user3 tries to access
>>>>>>>> c:\temp\somedir or c:\somdir\somefile.txt using a cdb list like this:
>>>>>>>>
>>>>>>>> c:\temp\somedir:user1
>>>>>>>> c:\somdir\somefile.txt:user2
>>>>>>>> d:\anotherdir:user1,user2
>>>>>>>>
>>>>>>>> ??
>>>>>>>>
>>>>>>>> Thanks.
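
Added example, not part of the thread and not OSSEC code: a Python sketch of the path-to-users check the original question describes, showing why the colon after the drive letter collides with a colon-delimited list and that the check only works on access records some audit log already supplies. The function names and the (user, path) records are constructed for illustration, and splitting at the first colon is shown as an assumption about a plain key:value parser, not as OSSEC's documented behaviour.

```python
# Added example: list lines are those from the thread; events are constructed.
ACL_LIST = r"""
c:\temp\somedir:user1
c:\somdir\somefile.txt:user2
d:\anotherdir:user1,user2
"""

def parse_naive(text):
    """Split each line at the FIRST colon, as a plain key:value parser would."""
    out = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        out[key.lower()] = value  # "c" is written twice: entries collide
    return out

def parse_acl(text):
    """Split at the LAST colon so the drive letter stays inside the key."""
    acl = {}
    for line in text.strip().splitlines():
        path, _, users = line.rpartition(":")
        acl[path.lower()] = {u.strip().lower() for u in users.split(",")}
    return acl

def allowed_users(acl, path):
    """Return the user set of the longest listed path covering `path`, or None."""
    path = path.lower()
    hits = [p for p in acl if path == p or path.startswith(p + "\\")]
    return acl[max(hits, key=len)] if hits else None

def check(acl, events):
    """Return (user, path) pairs where a listed path was touched by an unlisted user."""
    alerts = []
    for user, path in events:
        users = allowed_users(acl, path)
        if users is not None and user.lower() not in users:
            alerts.append((user, path))
    return alerts

# Constructed (user, path) pairs, standing in for fields decoded from audit log entries.
EVENTS = [
    ("user1", r"c:\temp\somedir\report.doc"),
    ("user3", r"c:\temp\somedir"),
    ("user3", r"C:\somdir\somefile.txt"),
    ("user2", r"d:\anotherdir\x.txt"),
    ("user3", r"c:\temp\otherdir\x.txt"),
]

if __name__ == "__main__":
    print(parse_naive(ACL_LIST))
    print(check(parse_acl(ACL_LIST), EVENTS))
```

Without object-access auditing enabled on the server, `EVENTS` would be empty and nothing could alert, which is the point made in the replies above.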
