In my case, I just wanna get this log in the OSSEC server:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/20/2009
Time: 4:54:04 PM
User: UFBA\user1
Computer: server1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\foo\path\index.html
Handle ID: 51652
Operation ID: {0,2956632565}
Process ID: 4
Image File Name:
Primary User Name: server1$
Primary Domain: DOMAIN1
Primary Logon ID: (0x0,0x3E7)
Client User Name: user1
Client Domain: DOMAIN1
Client Logon ID: (0x0,0xB0216AFA)
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10080
I already get other logs from this server, but I think that there isn't
any decoder or rule to handle this type of log in my OSSEC server.
Thank you.
--
Rafael Brito Gomes
Projeto UFBA
LPIC-1
CPM Braxis
Tel : +55 71 3283 6102
http://www.cpmbraxis.com