--- /dev/null
+<!-- Rules for detecting sensitive users in last logged in users list -->
+<!-- Set level 3 or higher at rule 535 in ossec_rules.xml and comment out <options>no_log</options> to get this working -->
+
+
+<group name="access-control,">
+
+ <rule id="25000" level="7">
+ <if_sid>535</if_sid>
+ <match>root|reboot|admin|superuser|administrator|supervisor|toor</match>
+ <description>sensitive login detected</description>
+ </rule>
+
+</group>