On Mon, 6 Dec 2010 17:19:47 -0500, NetSyphon <[email protected]>
wrote:
Hello List,
When I run this report against a Windows 2003 (sharepoint 2007
intranet)
server (that is using kerberos), it seems that failed logins just get
username of "SYSTEM":
This is "correct" but not necessarily "right." Windows cannot determine
the real user name because it has not yet authentication the user, so it
uses the user "SYSTEM." OSSEC decodes the user as SYSTEM since that is
the user Windows is reporting. I think the decoder needs some work to
account for situations like this, and it is on my list, but I won't be
able to get to it soon.
--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
