prelude events
Steve Grubb
sgrubb at redhat.com
Mon Aug 25 20:41:47 UTC 2008
On Monday 25 August 2008 16:24:35 LC Bruzenak wrote:
> I think I just saw the answer in the audisp-prelude man page:
> ...
> -w /etc/shadow -p wa
>
> and you want idmef alerts on this, you need to add -k
> ids-file-med or something appropriate to signal to the plugin
> that this message is for it.
Yes, you'd add -k ids-file- and then one of: info, low, med, or high
depending on how severe you consider this access.
-Steve