Hi Nicolas,
The following link has some information about it:
http://blog.scottlowe.org/2006/10/23/event-logging-in-ad-integration-scenarios/#comment-5840
To avoid getting all these messages, try a local rule like this (it seems
safe to ignore
failure code 0x19 for event 675):
<rule id="xyz" level="0">
<if_sid>18106</if_sid>
<id>^675</id>
<match>Failure Code:0x19</match>
</rule>
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
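As an added example, not part of the thread and not OSSEC's own code, the following script replays the suppression suggested above against the quoted log line plus a few constructed ones, so you can confirm the local rule silences only the 0x19 pre-authentication events and that other Kerberos failure codes (0x18, wrong password; 0x12, revoked account) still feed the "Multiple Windows Logon Failures" counter. The regular expression, the `parse_event`/`local_rule_matches`/`failures_after_suppression` names and the extra sample lines are assumptions made for this example; the real OSSEC windows decoder and the `<if_sid>18106</if_sid>` parent condition are approximated here by requiring `security[failure]` followed by a numeric event id.

```python
import re
from collections import Counter

# Kerberos KDC error codes as they appear in the "Failure Code" field of
# Windows event 675 (hex of the RFC 4120 error number).
KRB_FAILURE_CODES = {
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled/locked)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
    "0x19": "KDC_ERR_PREAUTH_REQUIRED (client must retry with pre-auth; normal)",
}

# First entry: the event quoted in the thread, re-joined onto one line because
# the mail client wrapped it. The remaining entries are constructed for this
# example (same layout, other failure codes, other client addresses).
SAMPLE_LOGS = [
    "Feb 9 08:10:13 windowsbox security[failure] 675 NT AUTHORITY\\SYSTEM "
    "Pre-authentication failed: User Name:wolf$ User ID: "
    "%{S-1-5-21-4240589779-2681227299-139461318-2740} Service Name:krbtgt/COMPANY.COM "
    "Pre-Authentication Type:0x0 Failure Code:0x19 Client Address:192.168.4.123",
    # constructed: two wrong-password attempts from one host
    "Feb 9 08:11:02 windowsbox security[failure] 675 NT AUTHORITY\\SYSTEM "
    "Pre-authentication failed: User Name:jdoe User ID: %{S-1-5-21-CONSTRUCTED-1105} "
    "Service Name:krbtgt/COMPANY.COM Pre-Authentication Type:0x2 Failure Code:0x18 "
    "Client Address:192.168.4.200",
    "Feb 9 08:11:09 windowsbox security[failure] 675 NT AUTHORITY\\SYSTEM "
    "Pre-authentication failed: User Name:jdoe User ID: %{S-1-5-21-CONSTRUCTED-1105} "
    "Service Name:krbtgt/COMPANY.COM Pre-Authentication Type:0x2 Failure Code:0x18 "
    "Client Address:192.168.4.200",
    # constructed: a revoked account from a third host
    "Feb 9 08:12:40 windowsbox security[failure] 675 NT AUTHORITY\\SYSTEM "
    "Pre-authentication failed: User Name:olduser User ID: %{S-1-5-21-CONSTRUCTED-1042} "
    "Service Name:krbtgt/COMPANY.COM Pre-Authentication Type:0x2 Failure Code:0x12 "
    "Client Address:192.168.4.77",
]

# Assumed approximation of what the OSSEC windows decoder extracts; the real
# decoder is richer, but these are the three fields the local rule relies on.
EVENT_RE = re.compile(
    r"security\[failure\]\s+(?P<event_id>\d+)\s.*?"
    r"Failure Code:(?P<code>0x[0-9A-Fa-f]+).*?"
    r"Client Address:(?P<client>\S+)"
)


def parse_event(line):
    """Return {'event_id', 'code', 'client'} for a Windows logon-failure line, else None."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def local_rule_matches(line):
    """Emulate the suggested local rule: <if_sid>18106</if_sid>, <id>^675</id>,
    <match>Failure Code:0x19</match>.  <id> is a regex anchored at the start of
    the decoded id; <match> is a literal substring test on the raw line."""
    ev = parse_event(line)
    if ev is None:                       # not a logon-failure event: parent rule would not fire
        return False
    return ev["event_id"].startswith("675") and "Failure Code:0x19" in line


def failures_after_suppression(lines):
    """Count, per client address, the logon failures that still reach the
    'Multiple Windows Logon Failures' correlation once the level-0 rule has
    swallowed the 0x19 events."""
    remaining = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or local_rule_matches(line):
            continue
        remaining[ev["client"]] += 1
    return remaining


def describe_code(code):
    """Human-readable meaning of a Failure Code value (unknown codes echoed back)."""
    return KRB_FAILURE_CODES.get(code.lower(), code)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_event(line)
        verdict = "suppressed (level 0)" if local_rule_matches(line) else "still counted"
        print(f"{ev['client']:>15}  {describe_code(ev['code'])}: {verdict}")
    print("failures feeding the multiple-logon-failure rule:",
          dict(failures_after_suppression(SAMPLE_LOGS)))
```

The point of the 0x18-versus-0x19 split is that 0x19 is not a failed credential at all: it is the KDC telling a client that it must send pre-authentication data, which a misbehaving Kerberos library can provoke on every request. Silencing it keeps genuine bad-password bursts (0x18) visible to the correlation rule instead of drowning them.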
On 2/9/07, Nicolas Arias <[EMAIL PROTECTED]> wrote:
This is the line that is filling my mailbox with rule 8152 fired (level 10)
-> "Multiple Windows Logon Failures.":
Feb 9 08:10:13 windowsbox security[failure] 675 NT AUTHORITY\SYSTEM
Pre-authentication failed: User Name:wolf$ User ID:
%{S-1-5-21-4240589779-2681227299-139461318-2740} Service
Name:krbtgt/COMPANY.COM Pre-Authentication Type:0x0 Failure Code:0x19
Client Address:192.168.4.123
Basically, that line comes from an AD box, which is serving authentication to
a linux with samba file server. The errors are kerberos related, but the
unix guys can't touch that box to fix it.
I want to ignore this particular error.
Cheers!
On Feb 8, 2007, at 11:38 PM, Daniel Cid wrote:
Hi Nicolas,
If you can show us some samples of your logs/alerts, we can probably help
you out...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 2/6/07, Nicolas Arias <[EMAIL PROTECTED]> wrote:
Hi guys!
I have an AD server where some linux servers authenticate with samba.
The thing is that it looks like there's some trouble in the linux server
library and it's causing kerberos validation troubles in the AD server,
so I get Rule: 18152 fired (level 10) -> "Multiple Windows Logon
Failures." all the time.
I don't want to modify the priority of that rule, but I do want to make
it more flexible, so I don't get 300 alerts in 1 night.
Any ideas?
Cheers!
Nicolas Arias
Security Officer
+54 11 4109 1885
+54 9 11 5455 [EMAIL PROTECTED]