OK, that's a good point.
Maybe on the first syscheck, saving the owner of the file at that moment (Windows permissions) and then using it as a reference?

2012/9/25 dan (ddp) <ddp...@gmail.com>

> On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez
> <ajm.marti...@gmail.com> wrote:
> > Thanks Dan.
> >
> > I'll try.
> >
> > My idea is to register the user logged on a computer that deletes or
> > modifies a file (like Windows security log).
> >
> > maybe some mix between them...
> >
>
> There's too much of a chance for false positives. Many systems are
> multi-user these days. I was hoping for a file attribute that possibly
> tracked the last user to modify the file.
>
> > 2012/9/25 dan (ddp) <ddp...@gmail.com>
> >
> >> On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
> >> <ajm.marti...@gmail.com> wrote:
> >> > OK,
> >> > thanks.
> >> >
> >>
> >> If you know a good way to get that info, let us know. We can try to
> >> get it in after 2.7.
> >>
> >> > 2012/9/25 dan (ddp) <ddp...@gmail.com>
> >> >
> >> >> If we could magically associate a username with a file modification it
> >> >> would be the default.
> >> >>
> >> >> On Sep 25, 2012 6:08 AM, "Alejandro" <ajm.marti...@gmail.com> wrote:
> >> >>>
> >> >>> Hi.
> >> >>>
> >> >>> I'm using OSSEC to monitor some Windows agents on 2003 server.
> >> >>>
> >> >>> The server is running CentOS and saving the information in a MySQL
> >> >>> database.
> >> >>>
> >> >>> When I receive a syscheck event from Windows (file modified, deleted
> >> >>> or added) the username is empty.
> >> >>>
> >> >>> Is it possible to modify some rule to have that username logged on
> >> >>> the event?
> >> >>>
> >> >>> Thanks a lot.