This translation through OSSEC would be a really nice feature. I hope it can
happen!
- Derek Morris
>
> Oh, come on! Don't you guys know off the top of your heads that
> %%1538 means READ_CONTROL? :)
>
> That's how the event log gives it to us when we read from it. The event
> viewer does the translation when you open it, but internally they are
> stored like that. I will make sure to look into that before the next
> release, but there is always the discussion between keeping the raw
> values or translating them to something else... For now, you can use
> the raw codes in your rules...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Mon, Nov 3, 2008 at 4:29 PM, <[EMAIL PROTECTED]> wrote:
>>
>> Any idea on how I can get Accesses to show the real value instead of %%1538
>> and so on?
>>
>> thanks
>>
>> On Oct 31, 12:06 pm, [EMAIL PROTECTED] wrote:
>>> Looking at the logs my Windows OSSEC agent sends:
>>>
>>> 2008/10/31 12:57:21 ossec-agent: DEBUG: Sending message to server:
>>> 'WinEvtLog: Security: AUDIT_SUCCESS(560): Security: Administrator:
>>> GONAPASMG01: GONAPASMG01: Object Open: Object Server: Security
>>> Object Type: File Object Name: C:\checkme\New Text Document (4).txt
>>> Handle ID: 1340 Operation ID: {0,794511700} Process ID: 3596
>>> Image File Name: C:\MSWD\explorer.exe Primary User Name: Administrator
>>> Primary Domain: GONAPASMG01 Primary Logon ID: (0x0,0x2F40576F)
>>> Client User Name: - Client Domain: - Client Logon ID: -
>>> Accesses: %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424
>>> Privileges: - Restricted Sid Count: 0 Access Mask: 0x12019F'
>>>
>>> Accesses is missing. Here is a copy of the same log from the
>>> Windows Event Log.
>>>
>>> Event Type: Success Audit
>>> Event Source: Security
>>> Event Category: Object Access
>>> Event ID: 560
>>> Date: 10/31/2008
>>> Time: 12:57:19 PM
>>> User: GONAPASMG01\Administrator
>>> Computer: GONAPASMG01
>>> Description:
>>> Object Open:
>>> Object Server: Security
>>> Object Type: File
>>> Object Name: C:\checkme\New Text Document (4).txt
>>> Handle ID: 1340
>>> Operation ID: {0,794511700}
>>> Process ID: 3596
>>> Image File Name: C:\MSWD\explorer.exe
>>> Primary User Name: Administrator
>>> Primary Domain: GONAPASMG01
>>> Primary Logon ID: (0x0,0x2F40576F)
>>> Client User Name: -
>>> Client Domain: -
>>> Client Logon ID: -
>>> Accesses: READ_CONTROL
>>> SYNCHRONIZE
>>> ReadData (or ListDirectory)
>>> WriteData (or AddFile)
>>> AppendData (or AddSubdirectory or CreatePipeInstance)
>>> ReadEA
>>> WriteEA
>>> ReadAttributes
>>> WriteAttributes
>>>
>>> Privileges: -
>>> Restricted Sid Count: 0
>>> Access Mask: 0x12019F
>>>
>>> Basically I want to create a rule with event id 560 and add some of
>>> the accesses to the rule, but it seems like my log collector is not
>>> collecting those logs properly. Is it possible to capture that
>>> information?
>>>
>>> thanks
>>
>
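The two listings in the thread are the same event twice: the agent's raw line carries the parameter-message IDs (%%1538 and friends) and the Event Viewer shows the strings they expand to, so lining them up position by position gives the translation table, and the Access Mask (0x12019F) can be decoded independently from the standard Win32 file access-right bits to confirm it. The Python below is an added example, not code from the thread or from OSSEC: it parses the agent line (collapsing the tabs and line breaks the event description arrives with), translates the codes using only the pairs visible on this page (unknown codes pass through untouched), decodes the mask with the winnt.h bit values, and applies a toy rule that fires on a 560 requesting write access under C:\checkme\. The sample line, the `parse_event_560`, `decode_mask` and `requests_write_under` names and the C:\checkme\ prefix are all constructed for the example.

```python
import re

# Parameter-message IDs seen in the agent's raw line, mapped to the names the
# Event Viewer rendered for the same event.  Read off the thread by aligning the
# two listings position by position; anything not listed here is passed through raw.
ACCESS_STRINGS = {
    "%%1538": "READ_CONTROL",
    "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

# Standard Win32 access-right bits for file objects (winnt.h FILE_* specific
# rights plus the standard rights), named to match the Event Viewer strings.
FILE_ACCESS_BITS = [
    (0x00000001, "ReadData (or ListDirectory)"),
    (0x00000002, "WriteData (or AddFile)"),
    (0x00000004, "AppendData (or AddSubdirectory or CreatePipeInstance)"),
    (0x00000008, "ReadEA"),
    (0x00000010, "WriteEA"),
    (0x00000020, "Execute (or Traverse)"),
    (0x00000040, "DeleteChild"),
    (0x00000080, "ReadAttributes"),
    (0x00000100, "WriteAttributes"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]

WRITE_BITS = 0x00000002 | 0x00000004  # WriteData | AppendData


def parse_event_560(line):
    """Extract the fields a rule would key on from an OSSEC 'WinEvtLog:' line.

    Whitespace is collapsed first because the agent forwards the event
    description with its original tabs and line breaks embedded.
    """
    line = " ".join(line.split())
    fields = {}
    m = re.search(r"AUDIT_\w+\((\d+)\)", line)
    fields["event_id"] = int(m.group(1)) if m else None
    m = re.search(r"Object Name: (.*?) Handle ID:", line)
    fields["object"] = m.group(1) if m else None
    m = re.search(r"Image File Name: (.*?) Primary User Name:", line)
    fields["image"] = m.group(1) if m else None
    m = re.search(r"Accesses: (.*?) Privileges:", line)
    fields["access_codes"] = m.group(1).split() if m else []
    fields["accesses"] = [ACCESS_STRINGS.get(c, c) for c in fields["access_codes"]]
    m = re.search(r"Access Mask: (0x[0-9A-Fa-f]+)", line)
    fields["mask"] = int(m.group(1), 16) if m else None
    return fields


def decode_mask(mask):
    """Expand an Access Mask value into the named rights it contains."""
    return [name for bit, name in FILE_ACCESS_BITS if mask & bit]


def requests_write_under(event, prefix):
    """Toy rule: a 560 on an object below `prefix` that asked for WriteData or AppendData.

    Keys on the mask rather than the %% codes, so it works whether or not the
    codes were translated; an OSSEC rule matching the raw string "%%4417" (as
    the reply suggests) expresses the same condition on the untranslated line.
    """
    if event["event_id"] != 560 or event["mask"] is None:
        return False
    obj = event["object"] or ""
    if not obj.lower().startswith(prefix.lower()):
        return False
    return bool(event["mask"] & WRITE_BITS)


# Constructed sample: the payload of the agent line quoted in the thread.
SAMPLE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(560): Security: Administrator: GONAPASMG01: "
    "GONAPASMG01: Object Open: Object Server: Security Object Type: File "
    "Object Name: C:\\checkme\\New Text Document (4).txt Handle ID: 1340 "
    "Operation ID: {0,794511700} Process ID: 3596 Image File Name: C:\\MSWD\\explorer.exe "
    "Primary User Name: Administrator Primary Domain: GONAPASMG01 "
    "Primary Logon ID: (0x0,0x2F40576F) Client User Name: - Client Domain: - "
    "Client Logon ID: - Accesses: %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 "
    "%%4423 %%4424 Privileges: - Restricted Sid Count: 0 Access Mask: 0x12019F"
)

if __name__ == "__main__":
    ev = parse_event_560(SAMPLE)
    print("translated:", ev["accesses"])
    print("from mask: ", decode_mask(ev["mask"]))
    print("write under C:\\checkme\\ ?", requests_write_under(ev, "C:\\checkme\\"))
```

Decoding 0x12019F yields exactly the nine rights the Event Viewer listed, which is why matching on the mask is the more robust choice: the mask is the authoritative value and needs no translation table. One caveat when writing rules on this event: a 560 records the rights requested when the handle was opened, not the operations later performed through it, so a process that opens a file with write access and never writes still produces this line.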