Oh, come on! Don't you guys know off the top of your heads that
%%1538 means READ_CONTROL? :)
That's how the event log gives it to us when we read from it. The event
viewer does the translation when you open it, but internally they are
stored like that. I will make sure to look into that before the next
release, but there is always the discussion between keeping the raw
values or translating them to something else.
For now, you can use the raw codes in your rules...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Mon, Nov 3, 2008 at 4:29 PM, <[EMAIL PROTECTED]> wrote:
>
> Any idea on how I can get Access to show real value instead of %%1538
> and so on?
>
> thanks
>
> On Oct 31, 12:06 pm, [EMAIL PROTECTED] wrote:
>> Looking at the logs my Windows-Ossec agent send:
>>
>> 2008/10/31 12:57:21 ossec-agent: DEBUG: Sending message to server:
>> 'WinEvtLog: Security: AUDIT_SUCCESS(560): Security: Administrator:
>> GONAPASMG01: GONAPASMG01: Object Open: Object Server: Security
>> Object Type: File Object Name: C:\checkme\New Text Document (4).txt
>> Handle ID: 1340 Operation ID: {0,794511700} Process ID: 3596
>> Image File Name: C:\MSWD\explorer.exe Primary User Name: Administrator
>> Primary Domain: GONAPASMG01 Primary Logon ID: (0x0,0x2F40576F)
>> Client User Name: - Client Domain: - Client Logon ID: -
>> Accesses: %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424
>> Privileges: - Restricted Sid Count: 0 Access Mask: 0x12019F '
>>
>> Accesses is missing. Here is a copy of the same log from the Windows
>> Event log.
>>
>> Event Type: Success Audit
>> Event Source: Security
>> Event Category: Object Access
>> Event ID: 560
>> Date: 10/31/2008
>> Time: 12:57:19 PM
>> User: GONAPASMG01\Administrator
>> Computer: GONAPASMG01
>> Description:
>> Object Open:
>> Object Server: Security
>> Object Type: File
>> Object Name: C:\checkme\New Text Document (4).txt
>> Handle ID: 1340
>> Operation ID: {0,794511700}
>> Process ID: 3596
>> Image File Name: C:\MSWD\explorer.exe
>> Primary User Name: Administrator
>> Primary Domain: GONAPASMG01
>> Primary Logon ID: (0x0,0x2F40576F)
>> Client User Name: -
>> Client Domain: -
>> Client Logon ID: -
>> Accesses: READ_CONTROL
>> SYNCHRONIZE
>> ReadData (or ListDirectory)
>> WriteData (or AddFile)
>> AppendData (or AddSubdirectory or CreatePipeInstance)
>> ReadEA
>> WriteEA
>> ReadAttributes
>> WriteAttributes
>>
>> Privileges: -
>> Restricted Sid Count: 0
>> Access Mask: 0x12019F
>>
>> Basically I want to create a rule with event id 560 and add some of
>> the accesses to the rule, but it seems like my log collector is not
>> collecting those logs properly. Is it possible to capture that
>> information?
>>
>> thanks
>
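An added example, not from the thread and not OSSEC's own code, showing what "use the raw codes in your rules" amounts to in practice. It parses the agent's WinEvtLog line as quoted above (collapsed onto one line as a constructed sample), translates the %%NNNN codes using the mapping obtained by pairing the two copies of the event in the thread line by line, and cross-checks that translation against the Access Mask field, whose bit values are the standard winnt.h file access rights and are an assumption not shown on the page. The `writes_to` helper is the detection logic a rule on the raw codes would express: event 560, object under a given path, WriteData or AppendData requested.

```python
import re

# Constructed sample: the WinEvtLog line the OSSEC agent forwarded in the
# thread, with the hard wraps removed. Codes and mask are as quoted.
SAMPLE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(560): Security: Administrator: "
    "GONAPASMG01: GONAPASMG01: Object Open: Object Server: Security "
    "Object Type: File Object Name: C:\\checkme\\New Text Document (4).txt "
    "Handle ID: 1340 Operation ID: {0,794511700} Process ID: 3596 "
    "Image File Name: C:\\MSWD\\explorer.exe Primary User Name: Administrator "
    "Primary Domain: GONAPASMG01 Primary Logon ID: (0x0,0x2F40576F) "
    "Client User Name: - Client Domain: - Client Logon ID: - "
    "Accesses: %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 "
    "Privileges: - Restricted Sid Count: 0 Access Mask: 0x12019F"
)

# %%NNNN message-table references -> the names Event Viewer rendered them as,
# taken from pairing the two copies of the event in the thread.
ACCESS_NAMES = {
    "%%1538": "READ_CONTROL",
    "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

# Bit each right occupies in the Access Mask (winnt.h file rights; this is
# an assumption, the page only shows the final mask value).
ACCESS_BITS = {
    "%%4416": 0x00000001,  # FILE_READ_DATA
    "%%4417": 0x00000002,  # FILE_WRITE_DATA
    "%%4418": 0x00000004,  # FILE_APPEND_DATA
    "%%4419": 0x00000008,  # FILE_READ_EA
    "%%4420": 0x00000010,  # FILE_WRITE_EA
    "%%4423": 0x00000080,  # FILE_READ_ATTRIBUTES
    "%%4424": 0x00000100,  # FILE_WRITE_ATTRIBUTES
    "%%1538": 0x00020000,  # READ_CONTROL
    "%%1541": 0x00100000,  # SYNCHRONIZE
}
WRITE_CODES = {"%%4417", "%%4418"}  # WriteData, AppendData

ACCESS_RE = re.compile(r"Accesses:\s+((?:%%\d+\s*)+)")
MASK_RE = re.compile(r"Access Mask:\s+(0x[0-9A-Fa-f]+)")
OBJECT_RE = re.compile(r"Object Name:\s+(.*?)\s+Handle ID:")


def parse_event(line):
    """Return (list of %% codes, mask as int); ValueError if either field is
    missing, e.g. when the forwarded line was truncated."""
    codes = ACCESS_RE.search(line)
    mask = MASK_RE.search(line)
    if not codes or not mask:
        raise ValueError("Accesses or Access Mask field missing from event")
    return codes.group(1).split(), int(mask.group(1), 16)


def translate(codes):
    """Name each %% code; unknown codes pass through verbatim so the rule
    author can still see and match on them."""
    return [ACCESS_NAMES.get(c, c) for c in codes]


def mask_to_codes(mask):
    """Decode the bitfield into %% codes, plus any bits we cannot name."""
    known = 0
    for bit in ACCESS_BITS.values():
        known |= bit
    return [c for c, bit in ACCESS_BITS.items() if mask & bit], mask & ~known


def check_consistency(line):
    """Do the listed %% codes and the Access Mask describe the same rights?
    A mismatch means one of the two fields was mangled in transit."""
    codes, mask = parse_event(line)
    from_mask, leftover = mask_to_codes(mask)
    return {
        "codes": codes,
        "names": translate(codes),
        "mask": mask,
        "unknown_bits": leftover,
        "consistent": set(codes) == set(from_mask) and leftover == 0,
    }


def writes_to(line, path_prefix):
    """Rule logic on the raw codes: object under path_prefix and a data
    write (WriteData/AppendData) requested. Case-insensitive like NTFS."""
    codes, _ = parse_event(line)
    obj = OBJECT_RE.search(line)
    if not obj:
        return False
    under_path = obj.group(1).lower().startswith(path_prefix.lower())
    return under_path and bool(WRITE_CODES & set(codes))


if __name__ == "__main__":
    result = check_consistency(SAMPLE)
    for code, name in zip(result["codes"], result["names"]):
        print(f"{code} -> {name}")
    print(f"mask 0x{result['mask']:X} consistent: {result['consistent']}")
    print("write under C:\\checkme\\:", writes_to(SAMPLE, "C:\\checkme\\"))
```

The two fields are independent encodings of the same request: the %% codes are indices into the Security event message table (which is why the agent forwards them unresolved), while the Access Mask is the bitfield the kernel actually checked. Carrying both in the rule logic means a rule matching on `%%4417`/`%%4418`, as Daniel suggests, can be sanity-checked against the mask, and an event whose codes and mask disagree is itself worth an alert.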