On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez <[email protected]> wrote:
> Thanks Dan.
>
> I'll try.
>
> My idea is to register the user logged on a computer that deletes or
> modifies a file (like windows security log).
>
> maybe some mix between them...
>

There's too much of a chance for false positives. Many systems are
multi-user these days. I was hoping for a file attribute that possibly
tracked the last user to modify the file.

> 2012/9/25 dan (ddp) <[email protected]>
>
>> On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
>> <[email protected]> wrote:
>> > OK,
>> > thanks.
>> >
>>
>> If you know a good way to get that info, let us know. We can try to
>> get it in after 2.7.
>>
>> > 2012/9/25 dan (ddp) <[email protected]>
>> >
>> >> If we could magically associate a username with a file modification it
>> >> would be the default.
>> >>
>> >> On Sep 25, 2012 6:08 AM, "Alejandro" <[email protected]> wrote:
>> >>>
>> >>> Hi.
>> >>>
>> >>> I'm using ossec to monitor some windows agents on 2003 server.
>> >>>
>> >>> The server is running centos and saving the information in a mysql
>> >>> database.
>> >>>
>> >>> When I receive a syscheck event from windows (file modified, deleted
>> >>> or added) the username is empty.
>> >>>
>> >>> Is it possible to modify some rule to have that username logged on the
>> >>> event?
>> >>>
>> >>> Thanks a lot.
