Hello List,

When I run this report against a Windows 2003 (SharePoint 2007 intranet)
server (that is using Kerberos), it seems that failed logins just get a
username of "SYSTEM":

# zcat logs/alerts/2010/Nov/ossec-alerts-30.log.gz | ./bin/ossec-reportd -n "Logins summary" -f group authentication_failures
2010/12/06 16:17:23 ossec-reportd: INFO: Started (pid: 9270).
2010/12/06 16:17:42 ossec-reportd: INFO: Report 'Logins summary' completed.
Creating output...

Report 'Logins summary' completed.
------------------------------------------------
->Processed alerts: 2729338
->Post-filtering alerts: 4144
->First alert: 2010 Nov 30 02:59:31
->Last alert: 2010 Nov 30 21:14:36


Top entries for 'Username':
------------------------------------------------
SYSTEM                                          |4144    |


Top entries for 'Level':
------------------------------------------------
Severity 10                                     |4144    |


Top entries for 'Group':
------------------------------------------------
authentication_failures                         |4144    |
windows                                         |4144    |


Top entries for 'Location':
------------------------------------------------
(myhost.org) 192.168.10.1->WinEvtLog  |4144    |


Top entries for 'Rule':
------------------------------------------------
18152 - Multiple Windows Logon Failures.        |4144    |
-----

I'm looking for this specific event by this user:

WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY:
MYHOST: Logon Failure:  Reason:  Unknown user name or bad password
User Name: rebeljohnny  Domain:  ORG  Logon Type:  3
Logon Process: NtLmSsp  Authentication Package:  NTLM
Workstation Name: REBELWS  Caller User Name: -  Caller Domain: -
Caller Logon ID: -  Caller Process ID: -  Transited Services: -
Source Network Address: 192.168.10.2  Source Port: 3420

-----

It seems that if I run this same report with -f group authentication_success
I get usernames; "User" is populated properly in the alert file. I also
notice that "Src IP" always comes back as "(none)" even though in the actual
log line "Source Network Address" is populated.


So it seems that decoder.xml needs to be updated?  I can definitely see the
power in that file, but I am not sure I can harness it (for the powers of
good even)!


TIA,


Andy
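As an added illustration (not OSSEC's own decoder code and not from the poster), the following Python parses the event 529 line quoted above and shows where the information a report wants actually sits: the header's account field is the service account ("SYSTEM"), while the account that failed to log on is in the body's "User Name:" field and the source address in "Source Network Address:". The sample line is constructed from the post's event, assuming tab separators in the agent's one-line form.

```python
import re

# Constructed from the event 529 line in the post; field separators assumed to be tabs
SAMPLE_529 = (
    "WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: "
    "MYHOST: Logon Failure:\tReason:\tUnknown user name or bad password\t"
    "User Name: rebeljohnny\tDomain:\tORG\tLogon Type:\t3\tLogon Process: NtLmSsp\t"
    "Authentication Package:\tNTLM\tWorkstation Name: REBELWS\tCaller User Name: -\t"
    "Caller Domain: -\tCaller Logon ID: -\tCaller Process ID: -\tTransited Services: -\t"
    "Source Network Address: 192.168.10.2\tSource Port: 3420"
)

# Fixed header: log, status(event id), source, account, domain, system name, then body
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<header_user>[^:]+): (?P<header_domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<body>.*)$", re.DOTALL)

def parse_body(body):
    """Turn the 'Key: value' / 'Key:<sep>value' body into a dict (empty keys kept)."""
    fields, pending = {}, None
    for tok in (t.strip() for t in re.split(r"\t|\n|\s{2,}", body)):
        if not tok:
            continue
        if tok.endswith(":"):            # value (if any) follows in the next token
            pending = tok[:-1]
            fields[pending] = ""
        elif ": " in tok:                 # key and value in the same token
            key, val = tok.split(": ", 1)
            fields[key] = val
            pending = None
        elif pending is not None:         # bare value for the previous empty key
            fields[pending] = tok
            pending = None
    return fields

def decode_windows_event(line):
    """Return the decoder-style fields; None if the line is not a WinEvtLog record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = parse_body(m.group("body"))
    srcip = fields.get("Source Network Address")
    return {
        "event_id": int(m.group("event_id")),
        "status": m.group("status"),
        "header_user": m.group("header_user"),          # service account (SYSTEM)
        "user": fields.get("User Name") or m.group("header_user"),
        "domain": fields.get("Domain") or m.group("header_domain"),
        "srcip": srcip if srcip not in (None, "", "-") else None,
        "logon_type": fields.get("Logon Type"),
        "workstation": fields.get("Workstation Name"),
        "fields": fields,
    }
```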
