On Wed, Sep 7, 2011 at 4:19 AM, Waqas <waqas.bsqu...@gmail.com> wrote:
> Yes. OSSEC id 7085 with the sid 18130 can be used to detect the failed
> Windows logins.
>

If OSSEC does the right thing, this seems like an OSSIM issue. It looks like there is some OSSIM/OSSEC dev work going on at the moment.

> On Sep 5, 11:35 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
>> Is OSSEC detecting the failed logins correctly?
>>
>> On Thu, Aug 18, 2011 at 4:32 PM, Brenton, Steve <sbren...@asa.org> wrote:
>> > Does anyone have OSSEC reporting into the opensource SIEM OSSIM? I am
>> > having troubles with some of the alerts generating false positives and
>> > was looking for some advice on where to start.
>>
>> > One problem is when reporting on logon events OSSIM is reading the OSSEC
>> > alerts as a success regardless of an access denied on the server or
>> > successful login.
>>
>> > Thanks in advance for the help,
>>
>> > -Steve