Thanks Dan. I'll try.
My idea is to register the usern logged on a computer that deletes or modifies a file (like windows security log). maybe some mix between them... 2012/9/25 dan (ddp) <ddp...@gmail.com> > On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez > <ajm.marti...@gmail.com> wrote: > > OK, > > thanks. > > > > If you know a good way to get that info, let us know. We can try to > get it in after 2.7. > > > 2012/9/25 dan (ddp) <ddp...@gmail.com> > > > >> F we could magically associate a username with a file modification it > >> would be the default. > >> > >> On Sep 25, 2012 6:08 AM, "Alejandro" <ajm.marti...@gmail.com> wrote: > >>> > >>> Hi. > >>> > >>> I'm using ossec to monitor some windows agents on 2003 server. > >>> > >>> The server is running centos and saving the information in a mysql > >>> database. > >>> > >>> When I receive a syscheck event from windows (file modified, deleted or > >>> added) the username is empty. > >>> > >>> Is it possible to modify some rule to have that username logged on the > >>> event ? > >>> > >>> Thanks a lot. > > > > >