Hi,

It seems the Windows event ID 680 is "discarded" with level 0. Could you increase its level so it is logged normally, like 3? IMHO it is a normal logon event in Windows 2000 and is the only event logged when successfully binding to a Windows 2000 DC via LDAP. It is also logged when using NTLM or, I think, any product using a specific API. Please note that on Server 2003 it is also used for logon failures. (I've read that.)

What are the credentials I had to provide when installing ossec-wui for?

My ossec server is collecting, acting as (sys)loghost for all other servers. So every syslog message that triggers an alert generates two alerts: one from the agent and one on the server. What would you suggest is the best way to avoid that -> generate only 1 alert?

tia + best regards,
matthias
