I am testing OSSEC and running the most current versions of the server and
agent.
On a Windows machine that is running the agent, I (pguibord) removed user
jszostak from the Administrators group, and below is the actual Windows Event
Viewer event that was logged. All is good.
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 637
Date: 8/26/2009
Time: 4:32:06 PM
User: JUMP1\pguibord
Computer: JUMP1
Description:
Security Enabled Local Group Member Removed:
Member Name: -
Member ID: JUMP1\jszostak
Target Account Name: Administrators
Target Domain: Builtin
Target Account ID: BUILTIN\Administrators
Caller User Name: pguibord
Caller Domain: JUMP1
Caller Logon ID: (0x0,0x5E3075)
Privileges: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
As you can see above, pguibord removed user jszostak from the Administrators
group.
Below you can see the actual OSSEC syslog message that was sent as an email
alert. Herein lies the problem. Out of this I can see that pguibord removed someone
from the Administrators group, but I do not know who was removed, and I need to know.
Any thoughts, folks, please?
Received From: (JumpStation1) 172.16.15.18->WinEvtLog
Rule: 18114 fired (level 8) -> "Group account changed."
Portion of the log(s):
WinEvtLog: Security: AUDIT_SUCCESS(637): Security: pguibord: JUMP1: JUMP1:
Security Enabled Local Group Member Removed: Member Name: -
Member ID: %{S-1-5-21-3595745658-3963117629-2623638570-1012} Target Account
Name: Administrators Target Domain: Builtin Target Account ID:
%{S-1-5-32-544} Caller User Name: pguibord Caller Domain: JUMP1
Caller Logon ID: (0x0,0x5E3075) Privileges: -
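The two views above are the same event 637: Event Viewer resolves the member's SID to JUMP1\jszostak for display, while the OSSEC alert carries the raw insertion string as %{S-1-5-21-...-1012}. The example below is added here and is not part of the original post or of OSSEC itself. It parses the flattened WinEvtLog text of the alert into its labelled fields, replaces the %{SID} tokens with account names, and flags what it cannot resolve. Well-known SIDs (S-1-5-32-544 is BUILTIN\Administrators) and fixed RIDs (500, 501) are resolved from documented constants; the machine-specific SID in HOST_SIDS is a constructed lookup table, with its single entry inferred from the two outputs of the same event, standing in for what a lookup on the host itself would return. The sample alert text is the one from the post, wrapped as the email delivered it.

```python
import re
from typing import Dict

# Well-known SIDs documented by Microsoft; identical on every Windows host.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-546": "BUILTIN\\Guests",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}

# RIDs that are fixed inside every machine or domain SID (S-1-5-21-x-y-z-<RID>).
FIXED_RIDS = {500: "Administrator (built-in)", 501: "Guest (built-in)"}

# Constructed host lookup (assumption): machine-specific SIDs cannot be resolved
# from the alert text alone, so this table stands in for what a SID lookup on
# JUMP1 would return. The one entry is inferred from the two views of the same
# event 637 in the post (Event Viewer shows JUMP1\jszostak, OSSEC shows the SID).
HOST_SIDS = {
    "S-1-5-21-3595745658-3963117629-2623638570-1012": "JUMP1\\jszostak",
}

# Field labels that appear in the event 637 description, in document order.
LABELS = [
    "Member Name", "Member ID", "Target Account Name", "Target Domain",
    "Target Account ID", "Caller User Name", "Caller Domain",
    "Caller Logon ID", "Privileges",
]
LABEL_RE = re.compile("(" + "|".join(re.escape(l) for l in LABELS) + "): ")
SID_TOKEN = re.compile(r"%\{(S-1-[0-9-]+)\}")  # OSSEC's unresolved-SID marker

# Constructed sample: the "Portion of the log(s)" text from the OSSEC email
# alert in the post, including the line wrapping the mail client applied.
ALERT = """WinEvtLog: Security: AUDIT_SUCCESS(637): Security: pguibord: JUMP1: JUMP1:
Security Enabled Local Group Member Removed: Member Name: -
Member ID: %{S-1-5-21-3595745658-3963117629-2623638570-1012} Target Account
Name: Administrators Target Domain: Builtin Target Account ID:
%{S-1-5-32-544} Caller User Name: pguibord Caller Domain: JUMP1
Caller Logon ID: (0x0,0x5E3075) Privileges: -"""


def parse_637(message: str) -> Dict[str, str]:
    """Split the (possibly line-wrapped) event 637 text into labelled fields."""
    parts = LABEL_RE.split(" ".join(message.split()))
    # re.split with one capture group yields [preamble, label, value, label, value, ...]
    return {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}


def resolve_sid(sid: str, host_sids: Dict[str, str] = HOST_SIDS) -> str:
    """Translate a SID string to an account name, or say what is known about it."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid in host_sids:
        return host_sids[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m:
        rid = int(m.group(1))
        if rid in FIXED_RIDS:
            return FIXED_RIDS[rid]
        # RIDs from 1000 upwards belong to accounts created on the host or domain;
        # only a lookup against that host or domain can name them.
        return f"<unresolved {sid}: local/domain account with RID {rid}>"
    return f"<unresolved {sid}>"


def enrich_alert(alert: str, host_sids: Dict[str, str] = HOST_SIDS) -> Dict[str, str]:
    """Parse an OSSEC WinEvtLog 637 alert and replace %{SID} tokens with names."""
    enriched = {}
    for label, value in parse_637(alert).items():
        m = SID_TOKEN.fullmatch(value)
        enriched[label] = resolve_sid(m.group(1), host_sids) if m else value
    return enriched


def summarize(alert: str, host_sids: Dict[str, str] = HOST_SIDS) -> str:
    """One-line answer to 'who was removed from which group, and by whom'."""
    f = enrich_alert(alert, host_sids)
    return (f"{f['Caller Domain']}\\{f['Caller User Name']} removed "
            f"{f['Member ID']} from {f['Target Account ID']}")


if __name__ == "__main__":
    print(summarize(ALERT))
    # An unknown RID is reported rather than guessed:
    print(resolve_sid("S-1-5-21-3595745658-3963117629-2623638570-1013", {}))
```

The HOST_SIDS table is the part that has to come from the machine: on the agent itself the same translation is what PowerShell's `(New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount])` or pywin32's `win32security.LookupAccountSid` performs, and the 2.x agent's SID lookup should be done at the moment the event is collected, since a deleted account's SID stops resolving later.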