How to check file access from users

[Uğur Aygün]

Hi all

I want to check file access from users. I mean when they accessed a file and if they delete or change it etc. 

I want to see their actions on my fileserver not on their local computers by the way.

How can i write it to the ossec.conf ? or do i need to do anyting.

Thanks for your answers.

[Aditya Sharma]

Hi Ugur, Hope you are doing well!

As you want to see the File Integrity Monitoring on your servers, you just need to follow the below documentation to achieve this: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-it-works.html &https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#fim-examples

Remember to see that exact user, you need to enable the Whodata on the servers/agents, and to enable whodata, you need to start the auditd service on the agent itself.

I hope this helps you. Don't hesitate to ask your questions/concerns.

Regards
Aditya Sharma

[Uğur Aygün]

Thank you Aditya for your fast answer and i hope you are also good;

I just want to know one think;

My fileserver actually is not a server at all it is more like a disc that user will see data so i can not setup any agent to my fileserver side.

Is it still possible to see the logs that which user changed which file with using the methods you mentioned above ?

Thank you again and sorry for my ignorance because i am very new to wazuh 

29 Kasım 2022 Salı tarihinde saat 10:09:31 UTC+3 itibarıyla aditya...@wazuh.com şunları yazdı:

[Aditya Sharma]

Hi Ugur, Sorry for the late response!

Can you please explain a little but more about what exactly you are trying to achieve here?

Regards
Aditya Sharma