[ossec-list] msauth logs - extract real user and IP

2012-11-06 Thread Chris H
Hi, I'm passing log files from Domain Controllers via the OSSEC agent, and trying to refine the decoders for logon events. As standard, the event logs the User as SYSTEM, as this is what raises the event. The event logs contain the User Name and Client IP. I've added a new decoder to

[ossec-list] Re: msauth logs - extract real user and IP

2012-11-06 Thread Chris H
OK, in further digging, it doesn't work. It seemed to work under ossec-logtest, but no alerts were firing in the real world. The issue I'm having is the multiple attempts alerts are firing if 10 logins fail, regardless of the user, because they all show as the SYSTEM user. Thanks On

Re: [ossec-list] Re: msauth logs - extract real user and IP

2012-11-06 Thread dan (ddp)
On Tue, Nov 6, 2012 at 8:17 AM, Chris H chris.hemb...@gmail.com wrote: OK, in further digging, it doesn't work. It seemed to work under ossec-logtest, but no alerts were firing in the real world. The issue I'm having is the multiple attempts alerts are firing if 10 logins fail, regardless of

Re: [ossec-list] msauth logs - extract real user and IP

2012-11-06 Thread dan (ddp)
On Tue, Nov 6, 2012 at 6:13 AM, Chris H chris.hemb...@gmail.com wrote: Hi, I'm passing log files from Domain Controllers via the OSSEC agent, and trying to refine the decoders for logon events. As standard, the event logs the User as SYSTEM, as this is what raises the event. The event logs

Re: [ossec-list] Re: msauth logs - extract real user and IP

2012-11-06 Thread Chris H
On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote: On Tue, Nov 6, 2012 at 8:17 AM, Chris H chris@gmail.com wrote: OK, in further digging, it doesn't work. It seemed to work under ossec-logtest, but no alerts were firing in the real world. The issue

Re: [ossec-list] msauth logs - extract real user and IP

2012-11-06 Thread Chris H
On Tuesday, November 6, 2012 2:25:43 PM UTC, dan (ddpbsd) wrote: On Tue, Nov 6, 2012 at 6:13 AM, Chris H chris@gmail.com wrote: Hi, I'm passing log files from Domain Controllers via the OSSEC agent, and trying to refine the decoders for logon events. As standard,

Re: [ossec-list] Re: msauth logs - extract real user and IP

2012-11-06 Thread dan (ddp)
On Tue, Nov 6, 2012 at 11:19 AM, Chris H chris.hemb...@gmail.com wrote: On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote: On Tue, Nov 6, 2012 at 8:17 AM, Chris H chris@gmail.com wrote: OK, in further digging, it doesn't work. It seemed to work under ossec-logtest, but

Re: [ossec-list] msauth logs - extract real user and IP

2012-11-06 Thread dan (ddp)
On Tue, Nov 6, 2012 at 11:39 AM, Chris H chris.hemb...@gmail.com wrote: On Tuesday, November 6, 2012 2:25:43 PM UTC, dan (ddpbsd) wrote: On Tue, Nov 6, 2012 at 6:13 AM, Chris H chris@gmail.com wrote: Hi, I'm passing log files from Domain Controllers via the OSSEC agent, and trying

Re: [ossec-list] Re: msauth logs - extract real user and IP

2012-11-06 Thread Chris H
On Tuesday, November 6, 2012 4:58:24 PM UTC, dan (ddpbsd) wrote: On Tue, Nov 6, 2012 at 11:19 AM, Chris H chris@gmail.com wrote: On Tuesday, November 6, 2012 2:25:42 PM UTC, dan (ddpbsd) wrote: On Tue, Nov 6, 2012 at 8:17 AM, Chris H chris@gmail.com wrote:

[ossec-list] Re: Overriding composite rule (18152)

2012-11-06 Thread brandall
This is a stretch, being that this appears to be dead, but any luck with it? I'm attempting to do something very similar. Wish to disregard failed logons of a specific user. On Thursday, February 2, 2012 10:57:52 AM UTC-5, Jeremy Schultz wrote: I knew I was missing something simple,