This may help in building rules to monitor. Also the Event IDs change based on 
OS Version (Vista+)

http://blogs.msdn.com/b/ericfitz/archive/2006/03/07/545726.aspx

Events 560, 562, 563, 564, 567, and each of those adding 4096 for Vista+ are 
all relevant, and not currently within ossec rule sets.

This depends on having Windows Auditing set to audit object access, which is 
difficult to make sure works according to plan, see this:

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

I know this info is Windows 7 and 2008 based, but the concepts are the same, 
Windows has evolved, and with Domain, Local and auditpol.exe access to Policy 
settings, that all have different refresh times and overrides, this can get 
clustered quickly.

Net result is auditpol.exe /get /category:* is the best resource for actual up 
to the minute Audit Policy settings, but this will change if you have competing 
policies!


On Sep 25, 2012, at 7:01 AM, dan (ddp) <ddp...@gmail.com> wrote:

> On Tue, Sep 25, 2012 at 8:43 AM, Alejandro Martinez
> <ajm.marti...@gmail.com> wrote:
>> Thanks Dan.
>> 
>> I'll try.
>> 
>> My idea is to register the username logged on a computer that deletes or
>> modifies a file (like windows security log).
>> 
>> maybe some mix between them...
>> 
> 
> There's too much of a chance for false positives. Many systems are
> multi-user these days. I was hoping for a file attribute that possibly
> tracked the last user to modify the file.
> 
>> 2012/9/25 dan (ddp) <ddp...@gmail.com>
>> 
>>> On Tue, Sep 25, 2012 at 6:22 AM, Alejandro Martinez
>>> <ajm.marti...@gmail.com> wrote:
>>>> OK,
>>>> thanks.
>>>> 
>>> 
>>> If you know a good way to get that info, let us know. We can try to
>>> get it in after 2.7.
>>> 
>>>> 2012/9/25 dan (ddp) <ddp...@gmail.com>
>>>> 
>>>>> If we could magically associate a username with a file modification it
>>>>> would be the default.
>>>>> 
>>>>> On Sep 25, 2012 6:08 AM, "Alejandro" <ajm.marti...@gmail.com> wrote:
>>>>>> 
>>>>>> Hi.
>>>>>> 
>>>>>> I'm using ossec to monitor some windows agents on 2003 server.
>>>>>> 
>>>>>> The server is running centos and saving the information in a mysql
>>>>>> database.
>>>>>> 
>>>>>> When I receive a syscheck event from windows (file modified, deleted
>>>>>> or
>>>>>> added) the username is empty.
>>>>>> 
>>>>>> Is it possible to modify some rule to have that username logged on the
>>>>>> event ?
>>>>>> 
>>>>>> Thanks a lot.
>>>> 
>>>> 
>> 
>> 

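As an added example (not code from this thread or from the OSSEC project), the script below ties together the two points in the top message: it expands the legacy object-access event IDs (560, 562, 563, 564, 567) to their Vista+ equivalents by adding 4096 and builds the regex for an OSSEC rule's `<id>` element, and it parses the output of `auditpol.exe /get /category:*` to confirm that File System auditing under Object Access is actually in effect before anyone relies on those events. The auditpol text is a constructed sample in the layout the tool prints (category at column 0, indented subcategory, setting separated by a run of spaces); the `file_system_audit_gaps` helper name and the choice to require failure auditing are assumptions for illustration.

```python
"""Build the OSSEC event-ID match for Windows object-access events and check
the effective audit policy that must be in place for those events to appear."""
import re

# Legacy (pre-Vista) object-access event IDs named in the thread; Vista+
# logs each of them as the same number plus 4096 (560 -> 4656 ... 567 -> 4663).
LEGACY_OBJECT_ACCESS_IDS = (560, 562, 563, 564, 567)
VISTA_OFFSET = 4096


def vista_event_ids(legacy_ids=LEGACY_OBJECT_ACCESS_IDS):
    """Return the Vista+ IDs corresponding to the given legacy event IDs."""
    return tuple(i + VISTA_OFFSET for i in legacy_ids)


def ossec_id_pattern(legacy_ids=LEGACY_OBJECT_ACCESS_IDS):
    """Regex usable in an OSSEC <id> element so one rule matches both
    the legacy IDs and their Vista+ counterparts."""
    ids = list(legacy_ids) + list(vista_event_ids(legacy_ids))
    return "|".join(f"^{i}$" for i in ids)


# Constructed sample of `auditpol /get /category:*` output (not a real capture).
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
Object Access
  File System                             Success
  Registry                                No Auditing
  Handle Manipulation                     No Auditing
Logon/Logoff
  Logon                                   Success and Failure
"""

# Subcategory lines are indented; the setting is one of auditpol's four values.
_SETTING_RE = re.compile(
    r"^\s+(.+?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$"
)


def parse_auditpol(text):
    """Return {category: {subcategory: setting}} from auditpol output.

    Category lines start at column 0; the banner and column header are skipped."""
    policy = {}
    category = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        m = _SETTING_RE.match(line)
        if m and category is not None:
            policy[category][m.group(1)] = m.group(2)
        elif not line.startswith(" "):
            category = line.strip()
            policy.setdefault(category, {})
    return policy


def file_system_audit_gaps(policy, need_failure=True):
    """List what is missing ('success', 'failure') for File System auditing
    under Object Access; an empty list means the events above can be logged.
    Requiring failure auditing is an assumption for this example."""
    setting = policy.get("Object Access", {}).get("File System", "No Auditing")
    gaps = []
    if "Success" not in setting:
        gaps.append("success")
    if need_failure and "Failure" not in setting:
        gaps.append("failure")
    return gaps


if __name__ == "__main__":
    print("OSSEC <id> pattern:", ossec_id_pattern())
    effective = parse_auditpol(SAMPLE_AUDITPOL)
    print("Object Access settings:", effective.get("Object Access"))
    print("File System audit gaps:", file_system_audit_gaps(effective) or "none")
```

On a real host, feed the function the actual `auditpol /get /category:*` output rather than the constructed sample; as the message notes, that command reflects the policy currently in force, so re-run it after any domain or local policy refresh rather than trusting a GPO editor view.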