http://my.opera.com/Lee_Harvey/blog/2008/10/14/microsoft-windows-security-audit-event-accesses-ids

I'm guessing something needs to be added that can interpret those codes.

On Mon, Nov 3, 2008 at 2:29 PM,  <[EMAIL PROTECTED]> wrote:
>
> Any idea on how I can get Access to show real value instead of %%1538
> and so on?
>
> thanks
>
> On Oct 31, 12:06 pm, [EMAIL PROTECTED] wrote:
>> Looking at the logs my Windows OSSEC agent sends:
>>
>> 2008/10/31 12:57:21 ossec-agent: DEBUG: Sending message to server:
>> 'WinEvtLog: Security: AUDIT_SUCCESS(560): Security: Administrator:
>> GONAPASMG01: GONAPASMG01: Object Open: Object Server: Security
>> Object Type: File Object Name: C:\checkme\New Text Document (4).txt
>> Handle ID: 1340 Operation ID: {0,794511700} Process ID: 3596
>> Image File Name: C:\MSWD\explorer.exe Primary User Name: Administrator
>> Primary Domain: GONAPASMG01 Primary Logon ID: (0x0,0x2F40576F)
>> Client User Name: - Client Domain: - Client Logon ID: -
>> Accesses: %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424
>> Privileges: - Restricted Sid Count: 0 Access Mask: 0x12019F'
>>
>> Accesses is missing. Here is a copy of the same log from the
>> Windows Event Log.
>>
>> Event Type:     Success Audit
>> Event Source:   Security
>> Event Category: Object Access
>> Event ID:       560
>> Date:           10/31/2008
>> Time:           12:57:19 PM
>> User:           GONAPASMG01\Administrator
>> Computer:       GONAPASMG01
>> Description:
>> Object Open:
>>         Object Server:  Security
>>         Object Type:    File
>>         Object Name:    C:\checkme\New Text Document (4).txt
>>         Handle ID:      1340
>>         Operation ID:   {0,794511700}
>>         Process ID:     3596
>>         Image File Name:        C:\MSWD\explorer.exe
>>         Primary User Name:      Administrator
>>         Primary Domain: GONAPASMG01
>>         Primary Logon ID:       (0x0,0x2F40576F)
>>         Client User Name:       -
>>         Client Domain:  -
>>         Client Logon ID:        -
>>         Accesses:       READ_CONTROL
>>                         SYNCHRONIZE
>>                         ReadData (or ListDirectory)
>>                         WriteData (or AddFile)
>>                         AppendData (or AddSubdirectory or CreatePipeInstance)
>>                         ReadEA
>>                         WriteEA
>>                         ReadAttributes
>>                         WriteAttributes
>>
>>         Privileges:     -
>>         Restricted Sid Count:   0
>>         Access Mask:    0x12019F
>>
>> Basically I want to create a rule with event id 560 and add some of
>> the accesses to the rule, but it seems like my log collector is not
>> collecting those logs properly. Is it possible to capture that
>> information?
>>
>> thanks
>
