Hi Steve,

OSSEC monitors logs. Generally the *output* from sudo commands is not logged. (There is a LOG_OUTPUT option that can be configured in sudoers, but those logs are generated in a special format that would probably be hard for OSSEC to parse - since command output might be extensive and unformatted. The sudoreplay command can be used to play back a logged session, though.)

Christina

Sent from mobile

> On Oct 4, 2017, at 10:10 PM, st...@treasure-data.com wrote:
>
> Hello,
>
> My team is evaluating OSSEC and we're looking for a method to capture sudo
> commands when OSSEC detects the command has been executed. Is this an option
> that is available today to capture output?
>
> Note: I did see question/response to this going back to 2010. Since I am new
> to OSSEC, I am inquiring to see if answer is still valid.
>
> If this is not an option, how have those using OSSEC addressed the need for
> capturing the commands being issued when running 'sudo' that may be needed for
> one's auditing.
>
> Thanks
>
> Steve
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
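
What a log monitor can work with here is the line sudo writes to syslog for each invocation, which records the command but not its output. The following is an added example, not part of the original thread and not OSSEC's own decoder: a Python parser that pulls the invoking user, target user, status and command out of such lines. The sample log lines are constructed, and the field layout assumed is sudo's default syslog format.

```python
import re

# Constructed sample lines in sudo's default syslog format (not from the thread).
SAMPLE_LOG = """\
Oct  4 22:10:01 web01 sudo:    steve : TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/syslog
Oct  4 22:11:17 web01 sudo:    steve : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/steve ; USER=root ; COMMAND=/bin/cat /etc/shadow
Oct  4 22:12:40 web01 sudo:  mallory : user NOT in sudoers ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c id ; whoami
Oct  4 22:12:41 web01 sudo: pam_unix(sudo:session): session opened for user root by steve(uid=0)
Oct  4 22:13:02 web01 sshd[811]: Accepted publickey for steve from 192.0.2.10 port 50022 ssh2
"""

SUDO_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssudo(?:\[\d+\])?:"
    r"\s+(?P<user>\S+) : (?P<rest>.*)$"
)
FIELDS = {"TTY": "tty", "PWD": "pwd", "USER": "runas"}

def parse_sudo_line(line):
    """Return a dict for a sudo command-log line, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    event = {k: m[k] for k in ("time", "host", "user")}
    event["status"] = "allowed"
    # COMMAND= is the last field in this format and may itself contain " ; ",
    # so cut it off before splitting the remaining fields.
    head, found, command = m["rest"].partition("COMMAND=")
    if not found:
        return None
    event["command"] = command
    for part in filter(None, (p.strip() for p in head.split(" ; "))):
        key, sep, value = part.partition("=")
        if sep and key in FIELDS:
            event[FIELDS[key]] = value
        else:
            # Free-text reason sudo gives when the command was refused.
            event["status"] = part
    return event

def sudo_events(log_text):
    """Parse every sudo command-log line in a block of syslog text."""
    return [e for e in map(parse_sudo_line, log_text.splitlines()) if e]

if __name__ == "__main__":
    for ev in sudo_events(SAMPLE_LOG):
        print(f'{ev["user"]} -> {ev.get("runas")} [{ev["status"]}]: {ev["command"]}')
```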