Looking at the logs my Windows OSSEC agent sends:
2008/10/31 12:57:21 ossec-agent: DEBUG: Sending message to server:
'WinEvtLog: Security: AUDIT_SUCCESS(560): Security: Administrator: GONAPASMG01: GONAPASMG01: Object Open: Object Server: Security Object Type: File Object Name: C:\checkme\New Text Document (4).txt Handle ID: 1340 Operation ID: {0,794511700} Process ID: 3596 Image File Name: C:\MSWD\explorer.exe Primary User Name: Administrator Primary Domain: GONAPASMG01 Primary Logon ID: (0x0,0x2F40576F) Client User Name: - Client Domain: - Client Logon ID: - Accesses: %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 Privileges: - Restricted Sid Count: 0 Access Mask: 0x12019F '
The Accesses are missing. Here is a copy of the same log from the
Windows Event Log.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 10/31/2008
Time: 12:57:19 PM
User: GONAPASMG01\Administrator
Computer: GONAPASMG01
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\checkme\New Text Document (4).txt
Handle ID: 1340
Operation ID: {0,794511700}
Process ID: 3596
Image File Name: C:\MSWD\explorer.exe
Primary User Name: Administrator
Primary Domain: GONAPASMG01
Primary Logon ID: (0x0,0x2F40576F)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F
Basically I want to create a rule with event ID 560 and add some of
the accesses to the rule, but it seems like my log collector is not
collecting those logs properly. Is it possible to capture that
information?
thanks
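Added example (not from the poster or the OSSEC project): the two logs above line up field for field, so the agent is not dropping the Accesses, it is forwarding the raw Windows parameter-message IDs (%%1538, %%4416, ...) that Event Viewer would normally resolve to names. The Access Mask (0x12019F) does arrive intact, and it is the same information in bit form: the standard file access-right bits from winnt.h decode to exactly the nine names Event Viewer printed. The script below parses the agent's line, decodes the mask, and checks a rule-style condition ("event 560 with WriteData") against it. The %%-ID table is an assumption derived only by aligning the two logs in the post (so it covers just those nine IDs); the sample line is the post's agent message joined onto one line; the helper names are my own.

```python
import re

# Constructed sample input: the agent's debug message from the post, joined onto one line.
OSSEC_LINE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(560): Security: Administrator: "
    "GONAPASMG01: GONAPASMG01: Object Open: Object Server: Security "
    "Object Type: File Object Name: C:\\checkme\\New Text Document (4).txt "
    "Handle ID: 1340 Operation ID: {0,794511700} Process ID: 3596 "
    "Image File Name: C:\\MSWD\\explorer.exe Primary User Name: Administrator "
    "Primary Domain: GONAPASMG01 Primary Logon ID: (0x0,0x2F40576F) "
    "Client User Name: - Client Domain: - Client Logon ID: - "
    "Accesses: %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 "
    "Privileges: - Restricted Sid Count: 0 Access Mask: 0x12019F "
)

# Standard Windows file access-right bits (winnt.h), named the way Event Viewer prints them.
FILE_ACCESS_BITS = [
    (0x00000001, "ReadData (or ListDirectory)"),
    (0x00000002, "WriteData (or AddFile)"),
    (0x00000004, "AppendData (or AddSubdirectory or CreatePipeInstance)"),
    (0x00000008, "ReadEA"),
    (0x00000010, "WriteEA"),
    (0x00000020, "Execute/Traverse"),
    (0x00000040, "DeleteChild"),
    (0x00000080, "ReadAttributes"),
    (0x00000100, "WriteAttributes"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]

# %%NNNN parameter-message IDs -> names. ASSUMPTION: derived by lining up the agent's
# "Accesses:" list against the Event Viewer copy of the same event; only these nine are known.
PARAM_NAMES = {
    "%%1538": "READ_CONTROL",
    "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}


def parse_event(line):
    """Pull the rule-relevant fields out of the agent's WinEvtLog message."""
    def grab(pattern):
        m = re.search(pattern, line)
        return m.group(1).strip() if m else None

    event_id = grab(r"\b[A-Z_]+\((\d+)\):")          # e.g. AUDIT_SUCCESS(560):
    mask_hex = grab(r"Access Mask:\s*(0x[0-9A-Fa-f]+)")
    accesses = grab(r"Accesses:\s*(.*?)\s*Privileges:")
    return {
        "event_id": int(event_id) if event_id else None,
        "object_name": grab(r"Object Name:\s*(.*?)\s*Handle ID:"),
        "image": grab(r"Image File Name:\s*(.*?)\s*Primary User Name:"),
        "access_params": accesses.split() if accesses else [],
        "access_mask": int(mask_hex, 16) if mask_hex else 0,
    }


def decode_mask(mask):
    """Expand an Access Mask into the access names Event Viewer would print."""
    names = [name for bit, name in FILE_ACCESS_BITS if mask & bit]
    known = 0
    for bit, _ in FILE_ACCESS_BITS:
        known |= bit
    leftover = mask & ~known           # surface bits the table does not cover
    if leftover:
        names.append("unknown bits 0x%X" % leftover)
    return names


def resolve_params(params):
    """Translate the %%NNNN placeholders using the table aligned from the post."""
    return [PARAM_NAMES.get(p, p) for p in params]


def rule_matches(event, event_id, required_accesses):
    """Mimic a rule: right event ID and every required access present in the mask."""
    if event["event_id"] != event_id:
        return False
    granted = set(decode_mask(event["access_mask"]))
    return set(required_accesses) <= granted


if __name__ == "__main__":
    ev = parse_event(OSSEC_LINE)
    print(ev["event_id"], ev["object_name"], ev["image"])
    print("from mask:  ", decode_mask(ev["access_mask"]))
    print("from %%-ids:", resolve_params(ev["access_params"]))
    print("write rule fires:", rule_matches(ev, 560, ["WriteData (or AddFile)"]))
```

The point for the rule: the decoded mask and the resolved %%-IDs agree for this event, so a rule keyed on "560" plus the Access Mask bits (or on the %% IDs themselves, now that you know what they stand for) gets you the same information Event Viewer shows, without waiting for the agent to resolve the names.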