Hello All. Kindly help me with the mail below to redeem the time I have spent reviewing OSSEC, please. My management is complaining that I have spent too much time on the OSSEC PoC because we have more Windows 2003 boxes.

Best regards,
Kelly

----- Original Message -----
From: Kelly Egode
To: [email protected]
Sent: Monday, July 20, 2009 9:26 AM
Subject: Re: [ossec-list] Re: Windows Audit

Hello Daniel,

I am having similar issues. I have been able to install and configure a client/server installation on a Windows 2003 box/Linux. But my challenge is that I can only get these logs:

** Alert 1247727461.1398511: - windows,
2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
Src IP: (none)
User: Taiwo.Aluko
WinEvtLog: Security: AUDIT_FAILURE(560): Security: Taiwo.Aluko: APPDEVDB-BACKUP: APPDEVDB-BACKUP: Object Open: Object Server: Security Object Type: Directory Object Name: \Driver Handle ID: - Operation ID: {0,1946955072} Process ID: 436 Image File Name: C:\WINDOWS\system32\services.exe Primary User Name: APPDEVDB-BACKUP$ Primary Domain: GTBPLC Primary Logon ID: (0x0,0x3E7) Client User Name: Taiwo.Aluko Client Domain: APPDEVDB-BACKUP Client Logon ID: (0x0,0xF7F86C1) Accesses: %%4368 %%4369 Privileges: - Restricted Sid Count: 0 Access Mask: 0x3

** Alert 1247727461.1399326: - windows,
2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
Rule: 18105 (level 4) -> 'Windows audit failure event.'
Src IP: (none)
User: Taiwo.Aluko
WinEvtLog: Security: AUDIT_FAILURE(560): Security: Taiwo.Aluko: APPDEVDB-BACKUP: APPDEVDB-BACKUP: Object Open: Object Server: Security Object Type: Directory Object Name: \Driver Handle ID: - Operation ID: {0,1946955073} Process ID: 436 Image File Name: C:\WINDOWS\system32\services.exe Primary User Name: APPDEVDB-BACKUP$ Primary Domain: GTBPLC Primary Logon ID: (0x0,0x3E7) Client User Name: Taiwo.Aluko Client Domain: APPDEVDB-BACKUP Client Logon ID: (0x0,0xF7F86C1) Accesses: %%4368 %%4369 Privileges: - Restricted Sid Count: 0 Access Mask: 0x3

** Alert 1247727461.1400141: mail - windows,
2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'

on alert.log. Kindly guide me on how to fine-tune the rules and decoders to be able to spool other logs and alerts. Thanks, hope to hear from you soonest.

Best regards,
Kelly Egode.

----- Original Message -----
From: "Daniel Cid" <[email protected]>
To: <[email protected]>
Sent: Monday, July 20, 2009 4:56 AM
Subject: [ossec-list] Re: Windows Audit

>
> Hi Rafael,
>
> OSSEC already has decoders for Windows audit logs. If you are not
> seeing them on the alerts.log file you may need to modify some rules
> to increase the severity of these events.
>
> Post the Windows event IDs of them so we can help (just look at the
> Windows event viewer).
>
> Thanks,
>
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Thu, Jul 16, 2009 at 10:47 AM, Rafael Gomes<[email protected]> wrote:
>>
>> I am applying the audit of Windows to log every change in its folders.
>>
>> How can I get these logs in the OSSEC server?
>>
>> Is there already a decoder or rule to do this?
>>
>> Thanks,
>>
>> --
>> Rafael Brito Gomes
>> Projeto UFBA
>> LPIC-1
>> CPM Braxis
>> Tel : +55 71 3283 6102
>> http://www.cpmbraxis.com
>>
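Daniel's advice in the thread is to raise the level of the stock Windows rules for the events you actually want to see. The file below is an added example of how that is done in OSSEC's local rules file; it is not from any poster in the thread or from the OSSEC project. It assumes the stock rule layout of OSSEC 2.x (18100 as the parent of all Windows event-log rules, 18104 "Windows audit success event" at level 0, 18105 "Windows audit failure event" at level 4, 18153 the "multiple audit failures" rule seen in Kelly's log), that the stock windows decoder places the Windows event ID in the `id` field, and that rule IDs 100100 and 100101 are unused in the local range. The second rule also assumes, for illustration only, that the repeated event 560 failures from services.exe on \Driver in Kelly's log have been confirmed as expected on that host.

```xml
<!-- /var/ossec/rules/local_rules.xml
     Added example for this thread; not from the OSSEC project or any poster.
     Rule IDs 100100/100101 are assumed free in the 100000+ local range. -->
<group name="local,windows,">

  <!-- Rafael's case: folder-change auditing produces AUDIT_SUCCESS object-access
       events (event 560 on Windows 2003). Stock rule 18104 keeps audit successes
       at level 0, so they never reach alerts.log. Hanging a child rule off 18104
       (assumed to be the stock "Windows audit success event" rule) and giving it
       level 5 makes those events appear. The <id> field is the Windows event ID
       as extracted by the stock windows decoder (assumption: verify with
       ossec-logtest on your install). -->
  <rule id="100100" level="5">
    <if_sid>18104</if_sid>
    <id>^560$</id>
    <description>Windows audit success: object opened (event 560).</description>
  </rule>

  <!-- Kelly's case: the same 560 AUDIT_FAILURE from services.exe on the \Driver
       object repeats every second and trips rule 18153 ("Multiple Windows audit
       failure events"). Only if that activity is confirmed to be expected on the
       host (an assumption in this example) should it be dropped to level 0;
       doing so stops it from drowning out other audit failures.
       OSSEC regex notes: \S+ matches the path up to the file name, \.+ matches
       any run of characters, and '.' is literal. -->
  <rule id="100101" level="0">
    <if_sid>18105</if_sid>
    <id>^560$</id>
    <regex>Object Name: \S+Driver \.+Image File Name: \S+services.exe</regex>
    <description>Expected services.exe object-open failure on \Driver; ignored.</description>
  </rule>

</group>
```

Before restarting, check the match with `/var/ossec/bin/ossec-logtest`: paste one of the `WinEvtLog: Security: AUDIT_FAILURE(560): ...` lines from the alert above and confirm that the rule reported is 100101 (or, for a success event, 100100) rather than the stock 18105/18104. Then run `/var/ossec/bin/ossec-control restart` and watch `/var/ossec/logs/alerts/alerts.log`. Keep the description text and the rule IDs unique, since OSSEC refuses to start on a duplicate rule ID.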
