I've never done it for Linux, but in Windows, if object access auditing is
configured, then yes. If not, you'll need to settle for today onward.
Kevin
On Jun 30, 2018 9:37 AM, "bill890" wrote:
Hello Forum
Is it possible to monitor every change of a selected file/folder, from the
point of
I have had luck with the following config for DHCP logs.
%windir%/sysnative/Dhcp/DhcpSrvLog-%a.log
syslog
On Tue, Sep 19, 2017 at 2:40 PM, wrote:
> Hello OSSEC Team,
>
> I need your help to understand what the following error means.
>
> So I have added
It may be possible to co-opt Alienvault's OSSIM open-source code for this
one; if you download and install it, you can find the scripts in
/usr/share/ossec-generator. It's also on github here, but there's probably
a more recent version in a new copy of OSSIM.
Well, the version makes all the difference. I set up a test system with
server version 2.91, and agent version 2.90, and everything works nicely.
Now to convince Alienvault to update their product...
On Tue, Aug 8, 2017 at 10:05 AM, Kevin Geil <i...@friendandfamilytech.com>
wrote:
Thanks Alberto, I did try using eventchannel, multi-line (with location of
microsoft-windows-sysmon/operational, and the path to the evtx file), and
eventlog, but I still get multiple line output in alerts.log (or "ERROR:
Unable to open file", depending on the configuration).
From the reading I
ESTAMP" --> RID: "$RULEID"; RL:
"$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER";
SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
"[INIT]$FULLLOG[END]";
Than
Hi, I'm trying to get OSSEC to alert on sysmon logs. After installing
sysmon, and setting to yes, I do get sysmon events in
archives.log, but I don't get anything useful. The lines stop after the
event description: For example:
2017 Aug 03 00:00:35 (Win7-1) 0.0.0.0->WinEvtLog 2017 Aug 03