Hello everyone,
At this very moment, I would like to log any access to a specific folder and its documents and subfolders. For that, I have modified the local security auditing of the Windows server and I can see how the accesses are being logged in the EventViewer with ID 560.
The problem is that I am not receiving these logs in my Ossec Server. I am able to receive logs from this server regarding logins/logoff of the server (Event ID 540, 538, 528) but I'm not receiving the events with ID 560 (the one related to Auditing).
Do you have any clue as to what I should do?
Thanks a lot!!
Ricardo
This message including any attachments may contain confidential information,
according to our Information Security Management System, and intended solely
for a specific individual to whom they are addressed. Any unauthorised copy,
disclosure or distribution of this message is strictly forbidden. If you have
received this transmission in error, please notify the sender immediately and delete it.
2011/5/27 Ricardo Marín Vinuesa <rma...@gmv.com>:
> Hello everyone,
>
> At this very moment, I would like to log any access to a specific folder and
> its documents and subfolders. For that, I have modified the local security
> auditing of the Windows server and I can see how the accesses are being
> logged in the EventViewer with ID 560.
>
> The problem is that I am not receiving these logs in my Ossec Server. I am
> able to receive logs from this server regarding logins/logoff of the server
> (Event ID 540, 538, 528) but I'm not receiving the events with ID 560 (the
> one related to Auditing).
>
> Do you have any clue as to what I should do?
>
Is there a rule looking for this? I didn't see anything (in a quick
error-prone search) for event id 560.
You may need to write a rule to handle this.
I was trying to create the rule but I did not succeed. I was modifying the my-rules.xml file. Shall I modify any other file?
Thanks a lot!
Ricardo
-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On behalf of dan (ddp)
Sent: Friday, 27 May 2011 14:07
To: ossec...@googlegroups.com
Subject: Re: [ossec-list] Using Ossec for monitoring access to Folders and files in a Windows Server
Hi Ricardo,
2011/5/30 Ricardo Marín Vinuesa <rma...@gmv.com>:
Regards,
Ricardo
-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On behalf of dan (ddp)
Sent: Tuesday, 31 May 2011 16:42
I was thinking about your proposal and I have realized that I was monitoring the traffic from the server from which the agent should send info to the Ossec Server, and it was sending nothing when the event was produced in Windows.
I mean, every time a user accesses a specific folder, Windows generates an event with ID 560. And the OSSEC Agent was not sending anything to the server, so the local_rules.xml has nothing to parse.
However, we could see traffic when logging in or logging out of the session in the Windows Server.
Does it mean that I need to change something in the agent configuration?
Regards,
Ricardo
-----Original Message-----
From: ossec...@googlegroups.com [mailto:ossec...@googlegroups.com] On behalf of dan (ddp)
Sent: Tuesday, 31 May 2011 16:42
Are you sure the agent wasn't sending the information to the manager?
Check the ossec.conf on the agent. I don't know much about Windows
logging, but the default ossec.conf may not be looking at the right
section.
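As an added illustration of the two points raised in this thread (the agent must forward the Security event log, and the manager needs a rule that matches event ID 560), here is example configuration that is not from the thread or from the OSSEC project's own files. The rule IDs 100100/100101 and the alert levels are assumptions; `<if_sid>18100</if_sid>` refers to the stock level-0 parent rule for Windows event-log entries in msauth_rules.xml.

```xml
<!-- Agent side: ossec.conf on the Windows server.
     The agent only forwards event-log channels listed in a <localfile>
     block, so the Security log (where object-access event 560 is written)
     must appear here. -->
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

<!-- Manager side: rules/local_rules.xml.
     Rule 18100 is the level-0 parent for all decoded Windows event-log
     entries; a level-0 match produces no alert, so a child rule is needed.
     IDs 100100/100101 are assumptions; local rules must use IDs in the
     100000-109999 range. -->
<group name="local,windows,">
  <rule id="100100" level="5">
    <if_sid>18100</if_sid>
    <id>^560$</id>
    <description>Windows object access (event 560): handle opened on an audited file or folder.</description>
  </rule>

  <!-- Optional: escalate when the audited access was denied. <status> is the
       decoded AUDIT_SUCCESS / AUDIT_FAILURE field of the Windows event. -->
  <rule id="100101" level="8">
    <if_sid>100100</if_sid>
    <status>^AUDIT_FAILURE</status>
    <description>Windows object access failure (event 560) on an audited file or folder.</description>
  </rule>
</group>
```

After restarting the manager, a captured 560 line from the agent's log can be fed to /var/ossec/bin/ossec-logtest to confirm the rule fires before looking for it in alerts.log.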