You should discuss this with your system administrator. I'm guessing file/directory access isn't logged by default on Windows, so I guess you would have to turn that on somewhere. Someone technical and Windows-proficient should be able to help you.

On Wed, Apr 18, 2012 at 10:20 AM, C. L. Martinez <[email protected]> wrote:
> Do I need to activate audit files in event viewer only??
>
> On Wed, Apr 18, 2012 at 4:01 PM, dan (ddp) <[email protected]> wrote:
>> Ok?
>>
>> On Wed, Apr 18, 2012 at 9:30 AM, C. L. Martinez <[email protected]> wrote:
>>> I am using Windows OSSEC agent on the Windows server side ....
>>>
>>>
>>> On Wed, Apr 18, 2012 at 3:27 PM, dan (ddp) <[email protected]> wrote:
>>>> The <localfile> option is for monitoring the contents of a log file.
>>>> How would OSSEC find out about who accesses a file if there are no
>>>> logs telling it that information? (assuming there are no kernel hooks
>>>> or anything to grab that info "off the wire")
>>>>
>>>> On Wed, Apr 18, 2012 at 9:07 AM, C. L. Martinez <[email protected]> wrote:
>>>>> Uhmm I see .. But can monitor these access using <localfile> directive
>>>>> in agent.conf??
>>>>>
>>>>> On Wed, Apr 18, 2012 at 2:58 PM, dan (ddp) <[email protected]> wrote:
>>>>>> It all depends on the log message.
>>>>>>
>>>>>> On Wed, Apr 18, 2012 at 8:54 AM, C. L. Martinez <[email protected]> wrote:
>>>>>>> Still I haven't access log ... If I use UNC instead of c:\dir\file??
>>>>>>> like this: \\server1\dir\file ...
>>>>>>>
>>>>>>> Exists another option to monitor/control access to a files and dirs in
>>>>>>> a Windows servers using OSSEC?
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Apr 18, 2012 at 2:42 PM, dan (ddp) <[email protected]> wrote:
>>>>>>>> Is the access attempt logged? Do you have a log sample for user3
>>>>>>>> trying to access c:\temp\somedir?
>>>>>>>>
>>>>>>>> Also, I think the : in c: might mess with the cdb list...
>>>>>>>>
>>>>>>>> On Wed, Apr 18, 2012 at 8:38 AM, C. L. Martinez <[email protected]> wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> Is it possible to monitor files and directories using cdb lists when
>>>>>>>>> a user tries to access?? For example: user1 has access to dir
>>>>>>>>> c:\temp\somedir and user2 has access to c:\somdir\somefile.txt. If it
>>>>>>>>> is possible to trigger an alert if user3 tries to access to
>>>>>>>>> c:\temp\somedir or c:\somdir\somefile.txt using a cdb list like this:
>>>>>>>>>
>>>>>>>>> c:\temp\somedir:user1
>>>>>>>>> c:\somdir\somefile.txt:user2
>>>>>>>>> d:\anotherdir:user1,user2
>>>>>>>>>
>>>>>>>>> ??
>>>>>>>>>
>>>>>>>>> Thanks.
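
The check asked about at the start of the thread, as an added example that is not part of the original messages and is not OSSEC code or an OSSEC cdb lookup. It assumes file-access auditing is already turned on and that each logged access has been reduced to a (user, path) pair; all function names and sample events are hypothetical. It also shows one way around the drive-letter colon raised in the thread: split each entry on its last colon.

```python
import ntpath

# Constructed allow-list in the thread's proposed format: path:user[,user...]
ALLOW_LIST = r"""
c:\temp\somedir:user1
c:\somdir\somefile.txt:user2
d:\anotherdir:user1,user2
"""
# Constructed (user, path) pairs standing in for parsed file-access audit records.
EVENTS = [
    ("user1", r"C:\Temp\SomeDir\report.txt"),
    ("user3", r"c:\temp\somedir\report.txt"),
    ("user3", r"c:\somdir\somefile.txt"),
    ("user2", r"D:\anotherdir"),
    ("user3", r"c:\windows\notepad.exe"),
]

def norm(path):
    # Windows paths are case-insensitive: normalise separators and case.
    return ntpath.normcase(ntpath.normpath(path))

def parse_allow_list(text):
    """Map each protected path to the set of users allowed to access it."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the LAST colon; the first one belongs to the drive letter.
        path, sep, users = line.rpartition(":")
        if not sep or not users or not ntpath.splitdrive(path)[0]:
            raise ValueError(f"malformed entry: {line!r}")
        acl[norm(path)] = {u.strip().lower() for u in users.split(",") if u.strip()}
    return acl

def allowed_users(acl, path):
    """Users of the closest protected ancestor of path, or None if unprotected."""
    p = norm(path)
    while p not in acl:
        parent = ntpath.dirname(p)
        if parent == p:  # reached the drive root without a match
            return None
        p = parent
    return acl[p]

def find_violations(acl, events):
    """(user, path) pairs where a user outside the list touched a protected path."""
    return [(u, p) for u, p in events
            if (ok := allowed_users(acl, p)) is not None and u.lower() not in ok]
```

With the constructed data, `find_violations(parse_allow_list(ALLOW_LIST), EVENTS)` flags only the two user3 accesses to protected paths; the access to an unlisted path is ignored.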
