First step: find log samples for the events you are interested in alerting on, then start working on decoders...
On Tuesday, December 18, 2012 10:03:19 AM UTC-8, OSSEC junkie wrote:
>
> Is there an easy way to just fire an alert off when any event is recorded
> into the event viewer from a certain user? I'm curious to see if this is
> possible? For example, a missed password, failed login, etc... I'm wanting
> to get notified on this activity or any activity on a particular user.
> Make sense?
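
The workflow suggested in the reply (collect sample lines, decode them into fields, then match on the user), shown as an added Python example that is not part of the original thread and is not OSSEC's own decoder. The `WinEvtLog:` line layout, the sample lines, and the names `decode` and `alerts_for` are assumptions made for illustration.

```python
import re

# Assumed agent line layout (not taken from the thread):
# WinEvtLog: <channel>: <status>(<id>): <source>: <user>: <domain>: <host>: <message>
WINEVT = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)
ACCOUNT = re.compile(r"Account Name:\s+(\S+)")

def decode(line):
    """Return the decoded fields of one line, or None if it is not a Windows event."""
    m = WINEVT.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    # Some Security events carry "(no user)" in the header field and name the
    # accounts only in the message body, so collect candidates from both places.
    accounts = {event["user"].lower()}
    accounts |= {a.lower() for a in ACCOUNT.findall(event["message"])}
    event["accounts"] = accounts - {"(no user)", "-"}
    return event

def alerts_for(lines, watched_user):
    """Return (event_id, status, host) for every event that involves watched_user."""
    watched = watched_user.lower()
    hits = []
    for line in lines:
        event = decode(line)
        if event and watched in event["accounts"]:
            hits.append((int(event["event_id"]), event["status"], event["host"]))
    return hits

# Constructed sample lines (hypothetical users, domain and hosts).
SAMPLES = [
    "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: WS01.corp.example: An account failed to log on. "
    "Subject: Account Name: - Account For Which Logon Failed: Account Name: jsmith",
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "adoe: CORP: WS02.corp.example: An account was successfully logged on.",
    "WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: "
    "JSmith: CORP: WS01.corp.example: An account was logged off.",
    "sshd[1]: Failed password for jsmith from 192.0.2.10",  # not a Windows event
]

if __name__ == "__main__":
    for hit in alerts_for(SAMPLES, "jsmith"):
        print(hit)
```

Running real samples through a check like this before writing a rule shows which field actually holds the account name for each event type, which is the detail a per-user alert depends on.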
