I have the folowing notification: *OSSEC HIDS Notification.* *2012 Jul 16 06:14:50
Received From: (srv-fl-bdc) 172.19.41.96->WinEvtLog Rule: 18110 fired (level 8) -> "User account enabled or created." Portion of the log(s): WinEvtLog: Security: AUDIT_SUCCESS(4741): Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-FL-BDC.fast.local: A computer account was created. Subject: Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account Domain: FAST Logon ID: 0x6bee32e New Computer Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-2167 Account Name: SRV-FL-TMG$ Account Domain: FAST Attributes: SAM Account Name: SRV-FL-TMG$ Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 7/16/2012 2:09:37 PM Account Expires: %%1794 Primary Group ID: 515 AllowedToDelegateTo: - Old UAC Value: 0x0 New UAC Value: 0x80 User Account Control: %%2087 User Parameters: - SID History: - Logon Hours: %%1793 DNS Host Name: SRV-FL-TMG.fast.local Service Principal Names: HOST/SRV-FL-TMG.fast.local RestrictedKrbHost/SRV-FL-TMG.fastlane.local HOST/SRV-FL-TMG RestrictedKrbHost/SRV-FL-TMG Additional Information: Privileges -* You see the time of notification and the time of event are different. The time of receiving e-mail notification was *14:09* The time on ossec server is correct. So I wonder where ossec server got this wrong time?
