Any idea how I can get Access to show the real value instead of %%1538
and so on?

thanks

On Oct 31, 12:06 pm, [EMAIL PROTECTED] wrote:
> Looking at the logs my Windows-Ossec agent sends:
>
> 2008/10/31 12:57:21 ossec-agent: DEBUG: Sending message to server:
> 'WinEvtLog: Security: AUDIT_SUCCESS(560): Security: Administrator:
> GONAPASMG01: GONAPASMG01: Object Open: Object Server: Security
> Object Type: File Object Name: C:\checkme\New Text Document (4).txt
> Handle ID: 1340 Operation ID: {0,794511700} Process ID: 3596
> Image File Name: C:\MSWD\explorer.exe Primary User Name: Administrator
> Primary Domain: GONAPASMG01 Primary Logon ID: (0x0,0x2F40576F)
> Client User Name: - Client Domain: - Client Logon ID: -
> Accesses: %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424
> Privileges: - Restricted Sid Count: 0 Access Mask: 0x12019F '
>
> Accesses is missing. Here is a copy of the same log from the
> Windows Event log.
>
> Event Type:     Success Audit
> Event Source:   Security
> Event Category: Object Access
> Event ID:       560
> Date:           10/31/2008
> Time:           12:57:19 PM
> User:           GONAPASMG01\Administrator
> Computer:       GONAPASMG01
> Description:
> Object Open:
>         Object Server:  Security
>         Object Type:    File
>         Object Name:    C:\checkme\New Text Document (4).txt
>         Handle ID:      1340
>         Operation ID:   {0,794511700}
>         Process ID:     3596
>         Image File Name:        C:\MSWD\explorer.exe
>         Primary User Name:      Administrator
>         Primary Domain: GONAPASMG01
>         Primary Logon ID:       (0x0,0x2F40576F)
>         Client User Name:       -
>         Client Domain:  -
>         Client Logon ID:        -
>         Accesses:       READ_CONTROL
>                         SYNCHRONIZE
>                         ReadData (or ListDirectory)
>                         WriteData (or AddFile)
>                         AppendData (or AddSubdirectory or CreatePipeInstance)
>                         ReadEA
>                         WriteEA
>                         ReadAttributes
>                         WriteAttributes
>
>         Privileges:     -
>         Restricted Sid Count:   0
>         Access Mask:    0x12019F
>
> Basically I want to create a rule with event id 560 and add some of
> the accesses to the rule, but it seems like my log collector is not
> collecting those logs properly. Is it possible to capture that
> information?
>
> thanks
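The two copies of the event quoted above line up one to one: the agent forwards the raw %%NNNN parameter-message references, and Event Viewer shows them resolved to access names. The following is an added example (not code from the thread or from OSSEC) that maps the nine codes on this page to their names and, as an independent check, decodes the Access Mask 0x12019F with the standard Win32 access-right bit values (winnt.h constants, assumed here, not taken from the page); SAMPLE is a condensed, constructed version of the agent line.

```python
import re

# Mapping derived from the two copies of event 560 quoted in this thread:
# the OSSEC line lists the codes, the Event Viewer copy lists the names,
# in the same order. Only these nine codes are covered.
ACCESS_NAMES = {
    "%%1538": "READ_CONTROL",
    "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

# Standard Win32 file/standard access-right bits (winnt.h values, assumed).
# Generic bits are not listed; anything unknown is reported as hex.
ACCESS_MASK_BITS = [
    (0x00000001, "ReadData"), (0x00000002, "WriteData"), (0x00000004, "AppendData"),
    (0x00000008, "ReadEA"), (0x00000010, "WriteEA"), (0x00000020, "Execute"),
    (0x00000040, "DeleteChild"), (0x00000080, "ReadAttributes"),
    (0x00000100, "WriteAttributes"), (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"), (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"), (0x00100000, "SYNCHRONIZE"),
]

# Constructed, shortened form of the agent line quoted above.
SAMPLE = ("WinEvtLog: Security: AUDIT_SUCCESS(560): ... Accesses: %%1538 %%1541 "
          "%%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 Privileges: - "
          "Restricted Sid Count: 0 Access Mask: 0x12019F")

def resolve_accesses(line):
    """Return the Accesses field of a WinEvtLog line with %%codes replaced by names."""
    m = re.search(r"Accesses:\s*(.*?)\s*Privileges:", line, re.S)
    if not m:
        return []
    return [ACCESS_NAMES.get(code, code) for code in m.group(1).split()]

def access_mask_from_line(line):
    """Extract the Access Mask value as an int, or None if the field is absent."""
    m = re.search(r"Access Mask:\s*(0x[0-9A-Fa-f]+)", line)
    return int(m.group(1), 16) if m else None

def decode_access_mask(mask):
    """Name every known bit set in a Windows access mask; leftover bits are kept as hex."""
    names = [name for bit, name in ACCESS_MASK_BITS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in ACCESS_MASK_BITS)
    if leftover:
        names.append(hex(leftover))
    return names
```

Decoding 0x12019F yields exactly the nine rights Event Viewer lists, so a rule can match on the mask bits even where the agent only delivers the raw %%codes.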
