[ossec-list] Way to log all commands run after sudo'ing/su'ing [to "root"]

2010-08-16 Thread jplee3
Hi all, Just wondering if OSSEC has the ability to capture all commands run after sudo'ing or su'ing to root (or another privileged user, etc). TIA!

[ossec-list] Way to log all commands run after sudoing/suing [to "root"]

2010-08-16 Thread jplee3
Hi all, Just wondering if OSSEC has the ability to capture all commands run after sudoing or su'ing to root (or another privileged user, etc).

RE: [ossec-list] Client daemons not detected by OSSEC-control

2010-08-16 Thread David Porcello
Yes, it is always the same processes (logcollector and syscheckd). The clients were all binary RPM installs. Permissions and PID files look correct; here are the results after stopping the client: # ps ax |grep oss 7410 ?S 0:00 /var/ossec/bin/client-logcollector 7414 ?S

[ossec-list] Problem with Windows decoder

2010-08-16 Thread rafael.gomes
Guys, I have a domain controller with the ossec agent. Below are the default rules of ossec: 18105 ^672|^673|^675|^676|^681|^4769 Windows DC Logon Failure. win_authentication_failed, Logon failed put the information in my log files: Rule: 18139 (level 5) -> 'Windows DC Logon Failure.

Re: [ossec-list] syslog question - config at client or server?

2010-08-16 Thread dan (ddp)
On Mon, Aug 16, 2010 at 6:44 AM, GeorgeY wrote: > Hi all, > > Please forgive me if this has been asked before. I researched and > found a lot related to syslog but nothing really gave me a clear > picture. > > I noticed Windows event viewer events being logged in /ossec/logs/ > alerts. I know thes

Re: [ossec-list] Client daemons not detected by OSSEC-control

2010-08-16 Thread dan (ddp)
On Mon, Aug 16, 2010 at 8:18 AM, David Porcello wrote: > Hi all, > > I'm running OSSEC client 2.4.1 on a handful of RedHat EL 5.5 servers and I'm > seeing the following behavior across the board: It appears that > client-logcollector and client-syscheckd aren't detected as running, and > theref

[ossec-list] Client daemons not detected by OSSEC-control

2010-08-16 Thread David Porcello
Hi all, I'm running OSSEC client 2.4.1 on a handful of RedHat EL 5.5 servers and I'm seeing the following behavior across the board: It appears that client-logcollector and client-syscheckd aren't detected as running, and therefore aren't stopped by ossec-control. When this occurs, multiple ins

[ossec-list] syslog question - config at client or server?

2010-08-16 Thread GeorgeY
Hi all, Please forgive me if this has been asked before. I researched and found a lot related to syslog but nothing really gave me a clear picture. I noticed Windows event viewer events being logged in /ossec/logs/ alerts. I know these events are generated if any events match those listed under /

[ossec-list] Re: Windows installation - attempting mass deployment

2010-08-16 Thread GeorgeY
@D.B.: did you use wininstall LE for ossec? The one I created using "Advanced Installer" was corrupt - it installed but could not get the service created, and I'm not too sure about the reg keys either. On Aug 13, 5:24 pm, smokey wrote: > Michael, thanks for the tip;) > > @GeorgeY: i'm using wininstall