Hello list,
I am working on some integration of OSSEC into our systems. The
situation is as follows:
Our agents are almost all "dynamic", so I have agents with, for
example, ID=030, agent-name: test_wks230, ip=0.0.0.0/0
This basically works well, because ID of the secured communication
between OSSEC remoted and remote agent is sent unencrypted, so the
remoted knows agent name, even if there are many of them behind single
IP.
What I need is to know which IP the agent is behind. In the logs, there is
no such information. I would like to see in the log, for example:
** Alert 1337151768.43281: - windows,authentication_success,
2012 May 16 09:02:48 (test_wks230) 0.0.0.0->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: user
IncomingIP: 123.123.123.123
<<<<<<<<<<<<<<<<<<<-----------------------
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-
Auditing: user: wks_230: wks_230: An account was successfully logged
on. Subject: Security ID: S-1-5-18 Account Name: WKS_230$ Account
Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 7 New Logon:
Security ID: S-1-5-21-3830819501-1208969821-1794380766-1001 Account
Name: user Account Domain: wks_230 Logon ID: 0x4e5625e Logon
GUID: {00000000-0000-0000-0000-000000000000} Process Information:
Process ID: 0x318 Process Name: C:\Windows\System32\winlogon.exe
Network Information: Workstation Name: WKS_230 Source Network
Address: 127.0.0.1 Source Port: 0 Detailed Authentication
Information: Logon Process: User32 Authentication Package:
Negotiate Transited Services: - Package Name (NTLM only): - Key
Length: 0 This event is generated when a logon session is created.
It is generated on the computer that was accessed.
Is there some already existing solution for that, or is this nonsense?
Thanks!
Regards,
Ales
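An added example, not part of the post and not OSSEC's own code: a small Python post-processor that parses alert blocks in the alerts.log layout shown above (the "** Alert" line, the timestamp/agent/location header, the "Rule:" line, then the event body) and, for agents registered with 0.0.0.0/any, inserts the IncomingIP line the poster sketched. The agent-name-to-address mapping (AGENT_SOURCE_IPS) is an assumed input; the post says OSSEC does not record that address in the alert, so where it comes from on a real manager is outside this example. The sample alerts are constructed from the post, and the second (local, non-agent) alert is made up to show the other header form.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample in the alerts.log layout shown in the post: the first
# block is the poster's alert (body trimmed), the second is a made-up local
# alert from the manager itself, which has no "(agent) ip" part in its header.
SAMPLE_ALERTS = """\
** Alert 1337151768.43281: - windows,authentication_success,
2012 May 16 09:02:48 (test_wks230) 0.0.0.0->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: user
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: user: wks_230: wks_230: An account was successfully logged on.

** Alert 1337151790.43512: - syslog,sshd,
2012 May 16 09:03:10 manager->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
User: root
May 16 09:03:10 manager sshd[1234]: Accepted password for root from 10.0.0.5 port 51234 ssh2
"""

# Hypothetical lookup (assumption, not something OSSEC provides in the alert):
# agent name -> address the agent was last seen connecting from.
AGENT_SOURCE_IPS = {"test_wks230": "123.123.123.123"}

ALERT_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):\s*(?P<mail>mail)?\s*- (?P<groups>.*)$")
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+?)|(?P<host>.+?))->(?P<location>.+)$"
)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Addresses under which a "dynamic" agent shows up in the header.
DYNAMIC_IPS = {"0.0.0.0", "any"}


def parse_alerts(text: str) -> List[Dict[str, Any]]:
    """Split alerts.log text into one dict per alert block."""
    alerts: List[Dict[str, Any]] = []
    current: Optional[Dict[str, Any]] = None
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            current = {
                "id": m["id"],
                "groups": [g for g in m["groups"].split(",") if g],
                "agent": None, "ip": None, "host": None, "lines": [],
            }
            alerts.append(current)
            continue
        if current is None or not line.strip():
            continue
        h = HEADER_RE.match(line)
        if h and "ts" not in current:
            current.update(ts=h["ts"], agent=h["agent"], ip=h["ip"],
                           host=h["host"], location=h["location"])
            continue
        r = RULE_RE.match(line)
        if r and "rule" not in current:
            current.update(rule=int(r["rule"]), level=int(r["level"]), desc=r["desc"])
            continue
        current["lines"].append(line)  # event body, kept verbatim
    return alerts


def enrich_alert(alert: Dict[str, Any], agent_ips: Dict[str, str]) -> Dict[str, Any]:
    """Return a copy with incoming_ip set for agents registered as 0.0.0.0/any."""
    out = dict(alert)
    out["incoming_ip"] = None
    if out["agent"] and out["ip"] in DYNAMIC_IPS:
        out["incoming_ip"] = agent_ips.get(out["agent"])
    return out


def render_alert(alert: Dict[str, Any]) -> str:
    """Write the alert back out in the same layout, plus IncomingIP if known."""
    head = f"** Alert {alert['id']}: - {','.join(alert['groups'])},"
    src = f"({alert['agent']}) {alert['ip']}" if alert["agent"] else alert["host"]
    lines = [head, f"{alert['ts']} {src}->{alert['location']}",
             f"Rule: {alert['rule']} (level {alert['level']}) -> '{alert['desc']}'"]
    body = list(alert["lines"])
    if alert.get("incoming_ip"):
        # Put the new field right after "User:" when present, as in the post.
        pos = next((i + 1 for i, l in enumerate(body) if l.startswith("User: ")), 0)
        body.insert(pos, f"IncomingIP: {alert['incoming_ip']}")
    return "\n".join(lines + body)


def enrich_log(text: str, agent_ips: Dict[str, str]) -> str:
    """Parse, enrich and re-render a whole alerts.log fragment."""
    return "\n\n".join(render_alert(enrich_alert(a, agent_ips))
                       for a in parse_alerts(text)) + "\n"


if __name__ == "__main__":
    print(enrich_log(SAMPLE_ALERTS, AGENT_SOURCE_IPS))
```

Local (non-agent) alerts pass through untouched, and a dynamic agent with no entry in the mapping is left without an IncomingIP line rather than given a guess.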