You'd have to write a decoder that could parse the important information out of the log message, in this case the username. You would then write a rule based on your decoder that would go off at a higher alert level (10-15, whatever you want).
It's definitely possible, but learning the regex can be painful ;) Check out chapter 4 in the OSSEC book. It goes through writing a custom decoder.

Thanks

On Tuesday, December 18, 2012 1:03:19 PM UTC-5, OSSEC junkie wrote:

> Is there an easy way to just fire an alert off when any event is recorded
> into the event viewer from a certain user? I'm curious to see if this is
> possible? For example, a missed password, failed login, etc...I'm wanting
> to get notified on this activity or any activity on a particular user.
> Make sense?
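A concrete local rule of the kind the reply describes, as an added example that is not from this thread or from the OSSEC project. It assumes the monitored account is called `jsmith`, that rule ids 100100 and 100101 are free in the local range, and that the Windows events arrive through OSSEC's stock `windows` decoder, whose built-in rules all descend from group rule 18100. It takes the shortcut of matching the account name in the raw event text instead of writing a custom decoder first, which avoids the regex-in-a-decoder step the reply warns about.

```xml
<!-- local_rules.xml (added example; assumptions: account "jsmith",
     free rule ids 100100/100101, events decoded by the stock "windows"
     decoder so that rule 18100 is their parent). -->
<group name="local,windows,">

  <!-- Any Windows event that names the monitored account. <regex> is
       searched anywhere in the full event text, so it does not depend on
       which field the stock decoder filled (on newer Windows versions the
       decoded user is often just "(no user)"). Level 12 sits in the 10-15
       range the reply suggests and is well above the default e-mail
       threshold. -->
  <rule id="100100" level="12">
    <if_sid>18100</if_sid>
    <regex>Account Name:\s+jsmith\s</regex>
    <description>Windows event recorded for monitored account jsmith</description>
  </rule>

  <!-- Narrower child: only audit failures (bad password, locked account,
       and so on) for that account. A child is evaluated only after its
       parent matched, so it replaces 100100 for failure events. -->
  <rule id="100101" level="13">
    <if_sid>100100</if_sid>
    <match>AUDIT_FAILURE</match>
    <description>Audit failure recorded for monitored account jsmith</description>
  </rule>

</group>
```

Because the `<regex>` is unanchored, it also catches events such as a failed logon that list several `Account Name:` fields, where the first one is the local subject and the target account appears further on. Before relying on it, paste a real event line from the agent into `/var/ossec/bin/ossec-logtest` and confirm that 100100 or 100101 is the rule reported, since any stock Windows rule that matches first would otherwise take precedence.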
