You need to enable Auditd on your system: http://serverfault.com/questions/470755/log-all-commands-run-by-admins-on-production-servers
Then you can use our rules for Auditd: https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/auditd_rules.xml

Hope that helps.

On Wed, Feb 10, 2016 at 5:52 PM, Yon Sareourn <[email protected]> wrote:

> *Dear OSSEC Technical Team*
>
> All this user login on Linux and then all this user try to create some command or type other command all this user and then i want to get log.
>
> Would you tell me how to configuration all this user log what they do or configuration on my Linux?
>
> How to get log all this user when they configuration and create some function on Linux?
>
> Thank you,
>
> On Wednesday, February 10, 2016 at 6:52:31 PM UTC+7, dan (ddpbsd) wrote:
>>
>> On Feb 10, 2016 6:16 AM, "Yon Sareourn" <[email protected]> wrote:
>> >
>> > Dear All OSSEC Technical Team
>> >
>> > Good afternoon,
>> >
>> > I have some configuration relate with Ossec for get all log from user that create on Linux Red Hat and this time we have 3 user create on Linux (Example: root, user01, user02), And I can configuration to get log only one user (root).
>> >
>> > Would you explain me how to configuration to get all log from user in Linux?
>> > May you tell me how to configuration on OSSEC to get all Log from Linux?
>> >
>>
>> What logs do you want to get from the user? Look at the documentation for localfile on how to add log sources to ossec.
>>
>> > Thank you,
>> >
>> > --
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
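As an added example (not part of the original thread, and not OSSEC or Wazuh code): once auditd records `execve` calls as the reply above suggests, each command shows up as a SYSCALL record and an EXECVE record sharing one event id. The Python below joins the two to show which login user ran which command line. The log lines, the `user_commands` rule key and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's log format (not taken from a real host).
# They assume an execve rule such as:
#   -a always,exit -F arch=b64 -S execve -k user_commands   (key name is hypothetical)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1455100000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2154 auid=1001 uid=1001 euid=1001 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="user_commands"
type=EXECVE msg=audit(1455100000.101:501): argc=2 a0="cat" a1="/etc/passwd"
type=SYSCALL msg=audit(1455100007.412:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2260 auid=1002 uid=0 euid=0 tty=pts1 ses=4 comm="touch" exe="/usr/bin/touch" key="user_commands"
type=EXECVE msg=audit(1455100007.412:502): argc=2 a0="touch" a1=2F746D702F6D792066696C65
type=USER_LOGIN msg=audit(1455100009.000:503): pid=2300 uid=0 auid=1002 ses=5 msg='op=login acct="user02" res=success'
"""

EVENT_ID = re.compile(r"^type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or control characters."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. "(null)" or an unencoded token

def commands_by_user(log_text):
    """Join SYSCALL and EXECVE records on the audit event id; return a list of dicts."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.match(line)
        if not m or m.group(1) not in ("SYSCALL", "EXECVE"):
            continue
        events[m.group(2)][m.group(1)] = dict(FIELD.findall(m.group(3)))
    out = []
    for event_id, recs in sorted(events.items()):
        if "SYSCALL" not in recs or "EXECVE" not in recs:
            continue  # incomplete event: one of the two records is missing
        sc, ex = recs["SYSCALL"], recs["EXECVE"]
        argv = [decode_arg(ex[f"a{i}"]) for i in range(int(ex["argc"])) if f"a{i}" in ex]
        # auid is the login uid: it stays the same after su/sudo, unlike uid/euid
        out.append({"event": event_id, "auid": int(sc["auid"]), "uid": int(sc["uid"]),
                    "tty": sc["tty"], "exe": sc["exe"].strip('"'), "argv": argv})
    return out

if __name__ == "__main__":
    for c in commands_by_user(SAMPLE_LOG):
        print(c["auid"], c["uid"], c["tty"], " ".join(c["argv"]))
```

Grouping on `auid` rather than `uid` attributes commands to the account that logged in, which is what separates user01 from user02 even when both work as root.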
