--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Was about to say what Bruce said regarding Windows auditing and customization, although I had never tried it before; I would be very interested in knowing how to do it!
Regards,
Vicente Muñoz
--
OSSEC HIDS Notification.
2018 Apr 11 09:57:22
Received From: ([SERVER]) any->WinEvtLog
Rule: 100221 fired (level 7) -> "FIM: Audited file has been DELETED."
User: [USER_ACCOUNT]
Portion of the log(s):
2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): Microsoft-Windows-Security-Auditing: (no user): no domain: [SERVEDR]: A handle to an object was requested with intent to delete. Subject: Security ID: [SID] Account Name: [USER_ACCOUNT] Account Domain: [DOMAIN] Logon ID: 0xa4dbac32 Object: Object Server: Security Object Type: File Object Name: [FULL_PATH_AND_FILE_NAME] Handle ID: 0x0 Process Information: Process ID: 0x4 Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: %%1537 %%4423 Access Mask: 0x10080 Privileges Used for Access Check: -
Hello All
I was wondering, by chance, does anyone have something like this for Linux? If so, could you please share the config?
Thank you in advance
Respectfully Yours
Charles McKee
DecisivEdge, LLC
O: 302.299.1570 x432 | C: 302.320.6968 | F: 302.299.1578
131 Continental Dr | Suite 409 | Newark, DE 19713
charle...@decisivedge.com | www.DecisivEdge.com
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On Behalf Of Bruce Westbrook
Sent: Wednesday, April 11, 2018 11:14 AM
To: ossec-list <ossec...@googlegroups.com>
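The 4659 alert quoted earlier in the thread and Charles's question about a Linux equivalent both come down to the same detection: recognise "an audited file was deleted, by whom, from which program" in a raw audit line. The script below is an added example, not OSSEC's own code and not the rule 100221 configuration Bruce described. It parses the redacted 4659 WinEvtLog line from the thread (checking the DELETE bit, 0x10000, in the access mask rather than trusting the event ID alone) and, for Linux, correlates the auditd SYSCALL and PATH records that an unlink on a watched path produces. The Linux sample lines are constructed for the example and assume a standard auditctl watch such as `-w /etc/fim-test -p wa -k fim` is loaded; the `fim` key and the `/etc/fim-test` path are placeholders. Plain syscheck tells you that a file changed, whereas the auditd records add the user (auid) and executable, which is what the Windows rule gives you through the Account Name and Process ID fields.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DELETE generic-access bit from winnt.h; the 4659 access mask in the thread
# (0x10080) is DELETE | FILE_READ_ATTRIBUTES (0x80).
DELETE = 0x10000


@dataclass
class FileDeleteEvent:
    source: str   # "windows" or "linux"
    account: str  # Windows account name, or Linux audit uid (auid)
    path: str     # object/file that was (or was about to be) deleted
    process: str  # Windows Process ID, or Linux exe path


def parse_win_4659(line: str) -> Optional[FileDeleteEvent]:
    """Return a delete event for a flattened Security 4659 WinEvtLog line, else None."""
    event_id = re.search(r"AUDIT_SUCCESS\((\d+)\)", line)
    mask = re.search(r"Access Mask:\s+(0x[0-9a-fA-F]+)", line)
    if not event_id or event_id.group(1) != "4659" or not mask:
        return None
    # 4659 means "requested with intent to delete", but check the bit anyway so a
    # rule built on this never fires on a mask that lacks DELETE.
    if not int(mask.group(1), 16) & DELETE:
        return None
    account = re.search(r"Account Name:\s+(\S+)", line)
    path = re.search(r"Object Name:\s+(.*?)\s+Handle ID:", line)
    pid = re.search(r"Process ID:\s+(0x[0-9a-fA-F]+)", line)
    if not (account and path and pid):
        return None
    return FileDeleteEvent("windows", account.group(1), path.group(1), pid.group(1))


AUDIT_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def linux_file_deletes(lines: Iterable[str]) -> List[FileDeleteEvent]:
    """Correlate auditd SYSCALL and PATH records that share a serial number.

    One unlink produces several records: the user and program are on the
    SYSCALL record, the deleted name on a PATH record with nametype=DELETE.
    """
    by_serial = {}
    for line in lines:
        m = AUDIT_HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in AUDIT_KV.findall(rest)}
        entry = by_serial.setdefault(serial, {"syscall": None, "deleted": []})
        if rtype == "SYSCALL":
            entry["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") == "DELETE":
            entry["deleted"].append(fields.get("name", "?"))
    events = []
    for entry in by_serial.values():
        sc = entry["syscall"]
        if sc is None or sc.get("success") != "yes":
            continue  # a failed unlink is worth its own rule, but it is not a deletion
        for path in entry["deleted"]:
            events.append(FileDeleteEvent("linux", sc.get("auid", "?"), path, sc.get("exe", "?")))
    return events


def file_delete_events(lines: Iterable[str]) -> List[FileDeleteEvent]:
    """Dispatch each line to the Windows or Linux parser and collect delete events."""
    lines = list(lines)
    win = [e for e in (parse_win_4659(l) for l in lines if "WinEvtLog" in l) if e]
    return win + linux_file_deletes(l for l in lines if l.startswith("type="))


# Redacted 4659 line as it appears in the thread (placeholders kept as-is).
WIN_4659_SAMPLE = (
    "2018 Apr 11 09:57:17 WinEvtLog: Security: AUDIT_SUCCESS(4659): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: [SERVER]: "
    "A handle to an object was requested with intent to delete. Subject: "
    "Security ID: [SID] Account Name: [USER_ACCOUNT] Account Domain: [DOMAIN] "
    "Logon ID: 0xa4dbac32 Object: Object Server: Security Object Type: File "
    "Object Name: [FULL_PATH_AND_FILE_NAME] Handle ID: 0x0 Process Information: "
    "Process ID: 0x4 Access Request Information: Transaction ID: "
    "{00000000-0000-0000-0000-000000000000} Accesses: %%1537 %%4423 "
    "Access Mask: 0x10080 Privileges Used for Access Check: -"
)

# Constructed auditd records (not from the thread): an `rm` of a watched file,
# followed by a plain read of another watched file that must not be reported.
LINUX_AUDIT_SAMPLE = [
    'type=SYSCALL msg=audit(1523440637.123:4242): arch=c000003e syscall=87 success=yes exit=0 '
    'items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="rm" exe="/usr/bin/rm" key="fim"',
    'type=CWD msg=audit(1523440637.123:4242): cwd="/root"',
    'type=PATH msg=audit(1523440637.123:4242): item=0 name="/etc/fim-test/" inode=1200 dev=fd:01 '
    'mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT',
    'type=PATH msg=audit(1523440637.123:4242): item=1 name="/etc/fim-test/secret.conf" inode=1234 '
    'dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=DELETE',
    'type=SYSCALL msg=audit(1523440640.500:4243): arch=c000003e syscall=257 success=yes exit=3 '
    'items=1 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="fim"',
    'type=PATH msg=audit(1523440640.500:4243): item=0 name="/etc/fim-test/other.conf" inode=1235 '
    'dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]

SAMPLE_LINES = [WIN_4659_SAMPLE] + LINUX_AUDIT_SAMPLE

if __name__ == "__main__":
    for event in file_delete_events(SAMPLE_LINES):
        print(event)
```

Run it as-is and it reports one Windows event (account `[USER_ACCOUNT]`, process `0x4`) and one Linux event (`/etc/fim-test/secret.conf` removed by auid 1000 via `/usr/bin/rm`); the `cat` of `other.conf` is ignored because its PATH record is `nametype=NORMAL`. The serial-number correlation is the part worth copying into a real decoder: matching on the PATH line alone loses the user, and matching on the SYSCALL line alone loses the file name.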