Hello Kelly, I am not entirely clear on what you are trying to do with that log output. You said fine-tune; did you mean you want to get rid of false positives such as the one in the mail below?
Kelly Egode wrote:
> Hello All.
>
> Kindly help me with mail below to redeem my time spent on reviewing
> OSSEC please.
> My Management are complaining I have spent too much time on OSSEC PoC
> because we have more Windows 2003 boxes
>
> Best regards,
> Kelly
>
> ----- Original Message -----
> *From:* Kelly Egode <mailto:[email protected]>
> *To:* [email protected] <mailto:[email protected]>
> *Sent:* Monday, July 20, 2009 9:26 AM
> *Subject:* Re: [ossec-list] Re: Windows Audit
>
> Hello Daniel,
>
> I am having similar issues.
> I have been able to install and configure client/server
> installation on a windows 2003 box/linux.
> But my challenge is I can only get these logs:
>
> ** Alert 1247727461.1398511: - windows,
> 2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
> Rule: 18105 (level 4) -> 'Windows audit failure event.'
> Src IP: (none)
> User: Taiwo.Aluko
> WinEvtLog: Security: AUDIT_FAILURE(560): Security: Taiwo.Aluko:
> APPDEVDB-BACKUP: APPDEVDB-BACKUP: Object Open: Object Server: Security
> Object Type: Directory Object Name: \Driver Handle ID: -
> Operation ID: {0,1946955072} Process ID: 436
> Image File Name: C:\WINDOWS\system32\services.exe
> Primary User Name: APPDEVDB-BACKUP$ Primary Domain: GTBPLC
> Primary Logon ID: (0x0,0x3E7) Client User Name: Taiwo.Aluko
> Client Domain: APPDEVDB-BACKUP Client Logon ID: (0x0,0xF7F86C1)
> Accesses: %%4368 %%4369
> Privileges: - Restricted Sid Count: 0 Access Mask: 0x3
>
> ** Alert 1247727461.1399326: - windows,
> 2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
> Rule: 18105 (level 4) -> 'Windows audit failure event.'
> Src IP: (none)
> User: Taiwo.Aluko
> WinEvtLog: Security: AUDIT_FAILURE(560): Security: Taiwo.Aluko:
> APPDEVDB-BACKUP: APPDEVDB-BACKUP: Object Open: Object Server: Security
> Object Type: Directory Object Name: \Driver Handle ID: -
> Operation ID: {0,1946955073} Process ID: 436
> Image File Name: C:\WINDOWS\system32\services.exe
> Primary User Name: APPDEVDB-BACKUP$ Primary Domain: GTBPLC
> Primary Logon ID: (0x0,0x3E7) Client User Name: Taiwo.Aluko
> Client Domain: APPDEVDB-BACKUP Client Logon ID: (0x0,0xF7F86C1)
> Accesses: %%4368 %%4369
> Privileges: - Restricted Sid Count: 0 Access Mask: 0x3
>
> ** Alert 1247727461.1400141: mail - windows,
> 2009 Jul 16 07:57:41 (APPDEVBCK) 10.1.1.116->WinEvtLog
> Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'
>
> on alert.log. Kindly guide me on how to fine tune the rules and
> decoders to be able to spool other logs and alerts.
> Thanks hope to hear from you soonest.
>
> Best regards,
> Kelly Egode.
>
> ----- Original Message -----
> From: "Daniel Cid" <[email protected] <mailto:[email protected]>>
> To: <[email protected] <mailto:[email protected]>>
> Sent: Monday, July 20, 2009 4:56 AM
> Subject: [ossec-list] Re: Windows Audit
>
> > Hi Rafael,
> >
> > OSSEC already has decoders for Windows audit logs. If you are not
> > seeing them on the alerts.log file you may need to modify some rules
> > to increase the severity of these events.
> >
> > Post the Windows event ids of them so we can help (just look at the
> > Windows event viewer).
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On Thu, Jul 16, 2009 at 10:47 AM, Rafael
> > Gomes<[email protected] <mailto:[email protected]>> wrote:
> >>
> >> I am applying the audit of windows to log every change in its
> >> folders.
> >>
> >> How can I get these logs in Ossec server?
> >>
> >> Already is there a decoder or rule to do this?
> >>
> >> Thanks,
> >>
> >> --
> >> Rafael Brito Gomes
> >> Projeto UFBA
> >> LPIC-1
> >> CPM Braxis
> >> Tel : +55 71 3283 6102
> >> http://www.cpmbraxis.com
> >>
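Daniel's suggestion (adjust rule levels so the Windows audit events you care about reach alerts.log) and the false-positive question both come down to local rule overrides. The following local_rules.xml fragment is an added example for this thread, not something posted by any participant or shipped with OSSEC. Rule id 18105, event id 560, the host name APPDEVBCK, the \Driver object and services.exe are taken from the alerts quoted above; the custom rule ids 100100 and 100101, the chosen levels, and the decision that this particular services.exe failure is benign are assumptions made for illustration.

```xml
<!-- Added example (not from the thread or the OSSEC project): local_rules.xml
     overrides for the Windows audit alerts quoted above.
     Assumed: custom rule ids 100100/100101, chosen levels, and that the
     repeated services.exe failure on \Driver is benign noise. -->
<group name="windows,local,">

  <!-- 1. Silence the one known-noisy case. 18105 is the generic
          "Windows audit failure event" rule (level 4). A child rule at
          level 0 keeps this exact pattern out of alerts.log while leaving
          every other audit failure on 18105 untouched. The <id> field is
          the decoded Windows event id (560 = Object Open on Windows 2003).
          '.' is used instead of a literal backslash before Driver to stay
          clear of OSSEC regex escaping rules. -->
  <rule id="100100" level="0">
    <if_sid>18105</if_sid>
    <id>^560$</id>
    <regex>Object Name: .Driver.+Image File Name: .+services.exe</regex>
    <description>Ignore known-benign Object Open (560) audit failure from services.exe.</description>
  </rule>

  <!-- 2. Escalate what remains. Any other audit failure reported by the
          backup host is raised from level 4 to level 8, so it clears the
          default e-mail threshold (email_alert_level 7) and stands out in
          alerts.log. Because 100100 is evaluated as a child of 18105 as
          well, the noisy events never reach this rule. -->
  <rule id="100101" level="8">
    <if_sid>18105</if_sid>
    <hostname>APPDEVBCK</hostname>
    <description>Windows audit failure on backup host (escalated locally).</description>
  </rule>

</group>
```

After editing local_rules.xml, restart OSSEC and confirm the change with the bundled ossec-logtest: paste one of the WinEvtLog lines above and check that it now reports rule 100100 at level 0 for the services.exe case, and 100101 at level 8 for any other audit failure from that host. Prefer narrowing the ignore rule (event id plus object plus image) over matching on services.exe alone, so a genuine failed access attempt by a different process on the same host is not silenced by accident.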
