Hi Maxim,

Although not an out-of-the-box feature (as Dan mentioned), the identification of the user who made a change can be done using auditd (on Linux) or enabling audit policies (on Windows).

OSSEC can be used to analyze Auditd logs and Windows events (using decoders/rules), generating alerts when a file is modified and extracting fields like username, and even the command used to modify the file.

I hope that helps,
Santiago.

On Thu, Dec 24, 2015 at 2:31 AM, dan (ddp) <[email protected]> wrote:
>
> On Dec 24, 2015 2:50 AM, "Maxim Surdu" <[email protected]> wrote:
> >
> > Hi everyone,
> >
> > I am new to Ossec. I configured ossec-server and ossec agent, all is working formidable!
> > I can see logs when a file is changed but not who did it and what changed.
> > Can someone help me to set ossec to get more info?
>
> Ossec does not report this info.
>
> > Any help would be greatly appreciated
> >
> > Thanks,
> > Maxim

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
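The auditd approach described in the reply above, as an added example that is not part of the original thread and is not OSSEC's own decoder code: it correlates Linux audit SYSCALL and PATH records by event id to recover who touched a watched file and with which program. The log lines, the watch key `ossec_fim` and the function name `who_changed` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in the Linux audit log format, as a watch such as
#   auditctl -w /etc/hosts -p wa -k ossec_fim      (key name is an assumption)
# would produce them. auid is the login uid and survives su/sudo; uid is the
# effective identity at the time of the syscall.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1450944000.101:812): arch=c000003e syscall=2 success=yes exit=3 ppid=2101 pid=2207 auid=1001 uid=0 gid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" key="ossec_fim"
type=CWD msg=audit(1450944000.101:812): cwd="/root"
type=PATH msg=audit(1450944000.101:812): item=0 name="/etc/hosts" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1450944060.550:813): arch=c000003e syscall=2 success=no exit=-13 ppid=2300 pid=2311 auid=1002 uid=1002 gid=1002 tty=pts1 comm="sh" exe="/bin/sh" key="ossec_fim"
type=PATH msg=audit(1450944060.550:813): item=0 name="/etc/hosts" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1450944100.000:814): pid=2400 uid=0 auid=1001 msg='op=login res=success'
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def who_changed(log_text, key):
    """Join SYSCALL and PATH records that share an event id; one dict per event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        if rtype == "SYSCALL":  # carries the actor, the program and the rule key
            ev.update(time=float(ts), auid=fields.get("auid"), uid=fields.get("uid"),
                      exe=fields.get("exe"), key=fields.get("key"),
                      success=fields.get("success") == "yes")
        elif rtype == "PATH":   # carries the file name the syscall acted on
            ev.setdefault("paths", []).append(fields.get("name"))
    ordered = sorted(events.items(), key=lambda kv: int(kv[0]))
    # Keep only events tagged with our watch key that also name a file.
    return [dict(event_id=s, **e) for s, e in ordered
            if e.get("key") == key and e.get("paths")]

if __name__ == "__main__":
    for ev in who_changed(SAMPLE_LOG, "ossec_fim"):
        print(ev)
```

The ids are numeric in the raw log; resolving them to user names needs a lookup on the monitored host (for example `ausearch -i`).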
