We are working to refine the use of OSSEC for our monitoring of
security events on our systems and noticed something in the OSSEC
alerting that I have questions about. In the security event log of
the server, the information is displayed as follows (where xxxxxxxxx\yyyyyy
is the domain\userid of the user):
Security Enabled Local Group Member Removed:
Member Name: -
Member ID: xxxxxxxxx\yyyyyy
Target Account Name: Administrators
Target Domain: Builtin
Target Account ID: BUILTIN\Administrators
Caller User Name: DDSWxxxxx$
Caller Domain: MxxxxxxxxN
Caller Logon ID: (0x0,0x3E7)
Privileges: -
OSSEC displays that same event as:
Security Enabled Local Group Member Removed
Member Name: -
Member ID: %{S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1122}
Target Account Name: Administrators
Target Domain: Builtin
Target Account ID: %{S-1-5-xx-xxx}
Caller User Name: DDSWxxxxx$
Caller Domain: MxxxxxxxxN
Caller Logon ID: (0x0,0x3E7)
Privileges: -
Can we get OSSEC to display the "Member ID: xxxxxxxxx\yyyyyy" instead
of "Member ID: %{S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1122}"?
Not having the domain\userid quickly visible to us delays our response
to security incidents.
Thanks in advance.
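As an added illustration (not from the original post and not OSSEC's own code), the Python step below shows one way to get the domain\userid back into an alert: it finds each %{S-1-...} placeholder that OSSEC emits for an unresolved Windows SID, looks the SID up, and rewrites the line, leaving any SID it cannot translate untouched so the raw value is still visible to the analyst. The resolver here is a constructed in-memory map standing in for a real lookup against the domain (Windows API or LDAP), which is an assumption about your environment; the domain user SID and the domain name are invented sample values.

```python
import re
from typing import Callable, Dict, List, Optional

# OSSEC renders an unresolved Windows SID as %{S-1-...}; this matches that token
# and captures the bare SID inside the braces.
SID_TOKEN = re.compile(r"%\{(S-1-\d+(?:-\d+)+)\}")

# Constructed lookup table standing in for a real directory / Windows API resolver.
# S-1-5-32-544 is the well-known SID for BUILTIN\Administrators; the domain user
# SID and the EXAMPLEDOM domain are invented sample values.
SAMPLE_SIDS: Dict[str, str] = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-21-1111111111-2222222222-3333333333-1122": "EXAMPLEDOM\\jdoe",
}


def resolve_sids(alert_text: str, lookup: Callable[[str], Optional[str]]) -> str:
    """Replace each %{SID} token with domain\\account when the resolver knows it.

    Unknown SIDs are left exactly as OSSEC wrote them (nothing is guessed), so
    the analyst can still see and chase the raw value.
    """
    def _sub(match) -> str:
        sid = match.group(1)
        name = lookup(sid)
        return name if name else match.group(0)

    return SID_TOKEN.sub(_sub, alert_text)


def unresolved_sids(alert_text: str, lookup: Callable[[str], Optional[str]]) -> List[str]:
    """List the SID tokens the resolver could not translate (handy as a health metric)."""
    return [sid for sid in SID_TOKEN.findall(alert_text) if lookup(sid) is None]


# Constructed alert fragment in the shape OSSEC showed in the post above.
SAMPLE_ALERT = (
    "Security Enabled Local Group Member Removed\n"
    "Member Name: -\n"
    "Member ID: %{S-1-5-21-1111111111-2222222222-3333333333-1122}\n"
    "Target Account Name: Administrators\n"
    "Target Domain: Builtin\n"
    "Target Account ID: %{S-1-5-32-544}\n"
)

if __name__ == "__main__":
    print(resolve_sids(SAMPLE_ALERT, SAMPLE_SIDS.get))
```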