On Mar 6, 2017 9:51 AM, "Eduardo Reichert Figueiredo" <eduardo.reich...@hotmail.com> wrote:
Hi all,
Is there a possibility of writing the source IP address into the integrity check events,
so that the alert displays the real IP?
There is no IP information in the syscheck log messages, so there is
nothing to print.
On Friday, March 3, 2017 at 15:55:14 UTC-3, dan (ddpbsd) wrote:
> On Fri, Mar 3, 2017 at 3:04 AM, Casimiro wrote:
I solved my problem with this solution:
https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification

<!-- Decoder as posted. The XML tags were stripped in transit and are
     restored here following the layout of OSSEC's stock windows decoder
     (child name, <type> and offset="after_parent" are taken from that
     stock decoder). The <order> list is cut off after "srcuser," in the
     post. -->
<decoder name="windows">
  <prematch>^WinEvtLog: </prematch>
</decoder>

<decoder name="windows1">
  <parent>windows</parent>
  <type>windows</type>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, srcuser,</order>
</decoder>
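The decoder above can be checked without an OSSEC install by emulating what ossec-logtest does in phase 2: run the parent prematch, apply the child's concatenated regexes to the text after it, and map the capture groups onto the order names. The following Python is an added example written for this page; it is not code from the thread, from the AlienVault forum post, or from the OSSEC project. It assumes that os_regex quantifiers behave like non-greedy matches (the translation is an approximation of os_regex, not its real engine), it names the child decoder `windows1` and the fifth order field `system_name` as OSSEC's stock decoder does (the posted order list is cut off), and it uses two constructed event lines modelled on the ones pasted in the thread, with the syslog prefix that pre-decoding strips already removed.

```python
import re

# Constructed sample lines, based on the two events pasted in the thread
# (the syslog prefix that ossec-logtest prints is omitted, since phase 1
# pre-decoding strips it before decoders run). Test inputs for this
# emulation, not captured logs.
EVENT_WITH_USER = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet."
)
EVENT_WITHOUT_USER = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: "
    "The Windows Filtering Platform blocked a packet. "
    "Application Information: Process ID: 0"
)

# The decoder pair from the thread as plain data. The child name and the
# fifth <order> entry are assumptions: the posted list stops at "srcuser,".
PARENT = {"name": "windows", "prematch": r"^WinEvtLog: "}
CHILD = {
    "name": "windows1",
    "regex": [r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "],
    "order": ["status", "id", "extra_data", "srcuser", "system_name"],
}

# os_regex character classes, per the OSSEC regex syntax documentation.
_CLASSES = {
    ".": ".",                      # \. is "any character" in os_regex
    "w": r"[A-Za-z0-9@_\-]",
    "W": r"[^A-Za-z0-9@_\-]",
    "d": "[0-9]",
    "D": "[^0-9]",
    "s": " ",
    "S": "[^ ]",
    "t": r"\t",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}


def ossec_to_python(pattern):
    """Translate an os_regex pattern into Python re syntax.

    A bare '.' is a literal period in os_regex, so ordinary characters are
    escaped. Quantifiers are emitted non-greedy (an assumption about
    os_regex): that is how `\\.+: ` stops at the first ': ' in the event,
    which the windows decoder relies on to split the fields.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_CLASSES.get(nxt, re.escape(nxt)))
            i += 2
        elif c in "+*":
            out.append(c + "?")
            i += 1
        elif c in "^$()|":
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def decode(event, parent=PARENT, child=CHILD):
    """Emulate the decoder phase for this parent/child pair.

    The child's <regex> elements are concatenated and applied to the text
    after the parent prematch (offset="after_parent"); each capture group
    is assigned to the corresponding <order> name. Returns None when the
    prematch fails and only the parent decoder name when the child regex
    fails, i.e. a decoder matched but no fields were extracted.
    """
    m = re.search(ossec_to_python(parent["prematch"]), event)
    if not m:
        return None
    remainder = event[m.end():]
    joined = "".join(ossec_to_python(r) for r in child["regex"])
    fields = re.search(joined, remainder)
    if not fields:
        return {"decoder": parent["name"]}
    result = {"decoder": child["name"]}
    result.update(zip(child["order"], fields.groups()))
    return result


if __name__ == "__main__":
    for ev in (EVENT_WITH_USER, EVENT_WITHOUT_USER):
        print(decode(ev))
```

Run as a script it prints the decoded fields for both lines. The second line, which carries no "(no user)" field between the source and the domain, does not fit the child regex in this emulation, so only the parent decoder matches and no fields come out; that is the shape of result to look for when ossec-logtest reports a decoder name but none of the expected fields.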
It continues to work with a fresh install of MASTER
**Phase 1: Completed pre-decoding.
full event: 'Mar 2 17:36:50 ossec-test2 WinEvtLog: Security:
AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user):
no domain: WK034.dom.com: The Windows Filtering Platform blocked a
On Thu, Mar 2, 2017 at 6:41 AM, Casimiro wrote:
Thanks.
But it doesn't work. It only decodes the srcip field. Attaching the output:
**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: (no user): no domain:
WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet.
On Mon, Feb 20, 2017 at 6:08 AM, Casimiro wrote:
> Version 2.8
>
> Events:
>
> WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows
> Filtering Platform blocked a packet. Application Information: Process ID: 0