On Wed, Jul 5, 2017 at 11:27 AM, Bob Boklewski <bboklew...@aventisasset.com> wrote:
> In the OSSEC.conf file I have level 3 logging set. I can't seem to get this
> rule to fire that is a predefined rule in the msauth_rules.xml file. I can
> see in the Windows log event id: 4624, but it won't fire.
>
> <rule id="18107" level="3">
>   <if_sid>18104</if_sid>
>   <id>^528$|^540$|^673$|^4624$|^4769$</id>
>   <description>Windows Logon Success.</description>
>   <group>authentication_success,</group>
> </rule>
>
> If I create a custom rule below in the local_rules.xml, it works. I see
> that the difference is the level, but I do have level 3 set in the
> ossec.conf file so it should fire rules from level 3 through level 16,
> right?
>
> <rule id="210000" level="5">
>   <if_sid>18104</if_sid>
>   <id>^528$|^540$|^673$|^4624$|^4769$</id>
>   <description>Windows Logon Success.</description>
> </rule>
Can you turn on the logall option, restart the ossec server, and provide a log sample from the archives.log file?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
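The two ossec.conf settings this exchange refers to (the level-3 alert threshold Bob mentions and the logall option the reply asks for), as an added configuration excerpt that is not from the original thread; the file location /var/ossec/etc/ossec.conf and the ossec-control path below assume a default OSSEC server install:

```xml
<ossec_config>
  <global>
    <!-- Write every event the server receives to logs/archives/archives.log,
         whether or not any rule fires on it. This is what lets you capture
         the raw 4624 event for troubleshooting. It grows the archive fast,
         so switch it back to "no" once the sample has been collected. -->
    <logall>yes</logall>
  </global>

  <alerts>
    <!-- Lowest rule level written to logs/alerts/alerts.log.
         3 covers both predefined rule 18107 (level 3) and the
         custom rule 210000 (level 5) from the thread. -->
    <log_alert_level>3</log_alert_level>
  </alerts>
</ossec_config>
```

After saving the file, restart the server with `/var/ossec/bin/ossec-control restart` (default path assumed) so the new settings take effect, then look for the 4624 event in /var/ossec/logs/archives/archives.log.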