Greetings Everyone,
I've just recently installed OSSEC on my main Linux server and agents on my
Windows servers. I want to be alerted whenever ANY administrator account
logs into our servers.
So... I've edited the local_rules.xml and tried to add these entries:
  <!-- Rule 100003: any event whose text contains "administrator" -->
  <group name="syslog,fts,">
    <rule id="100003" level="3">
      <options>alert_by_email</options>
      <group>authentication_success</group>
      <description>Administrative Login! </description>
      <match>administrator</match>
    </rule>
  </group>

  <!-- Rule 100004: any event decoded with the user "everon" -->
  <group name="syslog,fts,">
    <rule id="100004" level="3">
      <options>alert_by_email</options>
      <group>authentication_success</group>
      <description>Administrative Login! </description>
      <user>everon</user>
    </rule>
  </group>

  <!-- Rule 100005: child of 18104 (Windows audit success) with a logon event id and the user "root" -->
  <group name="local,">
    <rule id="100005" level="3">
      <group>authentication_success,</group>
      <if_sid>18104</if_sid>
      <id>^528|^540|^672|^673|^4624|^4769</id>
      <description>Windows Logon Success.</description>
      <options>alert_by_email</options>
      <user>root</user>
    </rule>
  </group>
For some reason none of these seem to work correctly. I'm not sure I
understand what I'm doing, but am open to some ideas on what to do...
-chris-
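As an added example (not Chris's rules and not from the OSSEC project), here is one way to express the same intent by hanging child rules off OSSEC's stock logon-success rules instead of matching from the top of the rule tree. It assumes the shipped rule set contains rule 18107 (Windows Logon Success) and rule 5715 (SSHD authentication success), and the account names in the <user> elements are placeholders to replace with the site's own administrator accounts.

```xml
<!-- Added example for local_rules.xml: alert on any logon by a named administrator account.
     Assumes stock rule ids 18107 (Windows Logon Success) and 5715 (SSHD authentication success)
     exist in the default rule set; the account names below are constructed placeholders. -->
<group name="local,authentication_success,">

  <!-- Windows: fires only after the parent logon-success rule has matched, so the <user>
       test is applied to the account OSSEC decoded from the event rather than to raw text. -->
  <rule id="100100" level="10">
    <if_sid>18107</if_sid>
    <user>^administrator$|^everon$</user>
    <options>alert_by_email</options>
    <description>Windows logon by an administrator account.</description>
  </rule>

  <!-- Linux: same idea for sshd; extend the alternation with other admin accounts. -->
  <rule id="100101" level="10">
    <if_sid>5715</if_sid>
    <user>^root$|^everon$</user>
    <options>alert_by_email</options>
    <description>SSH login by an administrator account.</description>
  </rule>

</group>
```

The anchored alternation (^name$|^name$) keeps "administrator" from also matching accounts such as "administrator2", and alert_by_email still forces the mail regardless of the configured email alert level.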