I have the ossec agent installed on a Windows 2008 R2 domain
controller.

I am receiving TONS of the following alerts:


OSSEC HIDS Notification.

2010 Apr 13 19:45:09



Received From: (<FQDN>) <SERVER IP>->WinEvtLog

Rule: 18152 fired (level 10) -> "Multiple Windows Logon Failures."

Portion of the log(s):



WinEvtLog: Security: AUDIT_FAILURE(4769): Microsoft-Windows-Security-
Auditing: (no user): no domain: <FQDN>: A Kerberos service ticket was
requested.    Account Information:    Account Name:       <ACCOUNT
NAME>    Account Domain:   <DOMAIN>
Logon GUID:       {00000000-0000-0000-0000-000000000000}    Service
Information:       Service Name:     <SERVICE NAME>        Service
ID:       S-1-0-0    Network Information:     Client Address:
10.70.2.64        Client Port:      3470    Additional
Information:     Ticket Options:   0x40810000        Ticket Encryption
Type: 0xffffffff        Failure Code:     0x1b        Transited
Services: -    This event is generated every time access is requested
to a resource such as a computer or a Windows service.  The service
name indicates the resource to which access was requested.    This
event can be correlated with Windows logon events by comparing the
Logon GUID fields in each event.  The logon event occurs on the
machine that was accessed, which is often a different machine than the
domain controller which issued the service ticket.    Ticket options,
encryption types, and failure codes are defined in RFC 4120.



When digging into the event viewer logs on the DC, I see that event ID
4769 is "Kerberos service ticket was requested". This event is tagged
with the keyword "Audit Failure" and the level of the event is
"Information".
Since this is an informational request for a Kerberos ticket, should
this be a level 10 alert?

Thanks
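To make the question concrete, here is an added triage helper (not OSSEC code and not from the poster) that parses the flattened WinEvtLog line in the layout quoted above, decodes the "Failure Code" against the RFC 4120 error names, and decides whether an event is a real credential failure or a KDC refusing to mint a service ticket for another reason. The sample events, the host dc01.example.test, the accounts and the service names are constructed; 0x1b is the code from the post.

```python
"""Triage helper for OSSEC WinEvtLog alerts built from Windows Security
event 4769 (Kerberos service ticket requested). Added illustration for the
mailing-list post above; not OSSEC code. Field layout follows the event text
quoted in the post; all sample values below are constructed."""
import re
from collections import Counter

# Subset of Kerberos error codes (RFC 4120 section 7.5.9), keyed as Windows
# writes them in the "Failure Code" field.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client principal not found
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",   # service principal (SPN) not found
    0x0C: "KDC_ERR_POLICY",               # request rejected by KDC policy
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled, locked or expired
    0x17: "KDC_ERR_KEY_EXPIRED",          # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # bad password (pre-auth data wrong)
    0x1B: "KDC_ERR_MUST_USE_USER2USER",   # service has no long-term key
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
}

# Codes that mean a credential was presented and rejected. Anything else on a
# 4769 AUDIT_FAILURE (such as the 0x1b in the post) says nothing about the
# caller's password and should not feed a brute-force counter.
CREDENTIAL_FAILURE_CODES = {0x12, 0x17, 0x18}
CREDENTIAL_FAILURE_EVENTS = {4625, 4771, 4776}   # logon, pre-auth, NTLM validation

HEADER_RE = re.compile(r"AUDIT_(\w+)\((\d+)\)")


def _field(text, name):
    """Return the value after 'Name:' in the run-of-spaces event body."""
    m = re.search(re.escape(name) + r":\s+(\S+)", text)
    return m.group(1) if m else None


def parse_event(line):
    """Extract the fields that matter for triage from one WinEvtLog line."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an OSSEC WinEvtLog security event line")
    outcome, event_id = m.group(1), int(m.group(2))
    code_txt = _field(line, "Failure Code")
    code = int(code_txt, 16) if code_txt and code_txt != "-" else None
    if code == 0:                      # 0x0 is written on success events
        code = None
    enc = _field(line, "Ticket Encryption Type")
    client = _field(line, "Client Address") or ""
    if client.startswith("::ffff:"):   # IPv4-mapped form used by some events
        client = client[len("::ffff:"):]
    return {
        "outcome": outcome,
        "event_id": event_id,
        "account": _field(line, "Account Name"),
        "client": client,
        "service": _field(line, "Service Name"),
        "failure_code": code,
        "failure_name": KRB_ERRORS.get(code, "unknown") if code is not None else None,
        # 0xffffffff in the encryption type means no ticket was issued at all
        "ticket_issued": enc is not None and enc.lower() != "0xffffffff",
    }


def is_credential_failure(ev):
    """Heuristic: should this event count toward 'multiple logon failures'?"""
    if ev["outcome"] != "FAILURE":
        return False
    if ev["event_id"] in CREDENTIAL_FAILURE_EVENTS:
        return True
    return ev["event_id"] == 4769 and ev["failure_code"] in CREDENTIAL_FAILURE_CODES


def count_credential_failures(lines):
    """Per-client tally of genuine credential failures, skipping benign 4769s."""
    tally = Counter()
    for line in lines:
        ev = parse_event(line)
        if is_credential_failure(ev):
            tally[ev["client"]] += 1
    return tally


def make_4769(account, service, client, code_hex, enc_hex):
    """Constructed 4769 failure in the layout quoted in the post."""
    return ("WinEvtLog: Security: AUDIT_FAILURE(4769): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: dc01.example.test: A Kerberos service ticket was requested.    "
            f"Account Information:    Account Name:       {account}    Account Domain:   EXAMPLE    "
            "Logon GUID:       {00000000-0000-0000-0000-000000000000}    Service Information:       "
            f"Service Name:     {service}        Service ID:       S-1-0-0    Network Information:     "
            f"Client Address:   {client}        Client Port:      3470    Additional Information:     "
            f"Ticket Options:   0x40810000        Ticket Encryption Type: {enc_hex}        "
            f"Failure Code:     {code_hex}        Transited Services: -")


# Constructed 4771 (pre-authentication failed) with a bad-password code.
SAMPLE_4771 = ("WinEvtLog: Security: AUDIT_FAILURE(4771): Microsoft-Windows-Security-Auditing: "
               "(no user): no domain: dc01.example.test: Kerberos pre-authentication failed.    "
               "Account Information:    Security ID:      S-1-5-21-1-2-3-1105    Account Name:       alice    "
               "Service Information:    Service Name:     krbtgt/EXAMPLE    Network Information:    "
               "Client Address:   ::ffff:10.70.2.64    Client Port:      51022    Additional Information:    "
               "Ticket Options:   0x40810010    Failure Code:     0x18    Pre-Authentication Type: 2")

# Three of the noisy 4769/0x1b events from the post plus two real failures.
SAMPLE_BATCH = [make_4769("svc_user", "host/fileserver", "10.70.2.64", "0x1b", "0xffffffff")] * 3 \
    + [SAMPLE_4771] * 2

if __name__ == "__main__":
    for line in SAMPLE_BATCH:
        ev = parse_event(line)
        print(ev["event_id"], ev["failure_name"], "counts:", is_credential_failure(ev))
    print(dict(count_credential_failures(SAMPLE_BATCH)))
```

On the five constructed events the tally is {'10.70.2.64': 2}: only the two 4771 pre-authentication failures count, while the three 4769 events with failure code 0x1b (KDC_ERR_MUST_USE_USER2USER, encryption type 0xffffffff, so no ticket was issued) are decoded as service-ticket errors that say nothing about the caller's password. The same distinction can be expressed in OSSEC itself with a local rule that chains off rule 18152 with `<if_sid>` and matches on the 4769 failure-code text at a lower level, so that the level 10 alert is reserved for events that actually reflect rejected credentials.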
