On Fri, Jul 20, 2012 at 8:12 AM, Dmitry <[email protected]> wrote:
> I have this alert:
> OSSEC HIDS Notification.
> 2012 Jul 16 06:14:50
>
> Received From: (srv-fl-bdc) 172.19.41.96->WinEvtLog
> Rule: 18110 fired (level 8) -> "User account enabled or created."
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_SUCCESS(4741):
> Microsoft-Windows-Security-Auditing: (no user): no domain: SRV-FL-BDC: A
> computer account was created. Subject: Security ID:
> S-1-5-21-3227760434-1372198118-1359596449-1114 Account Name: dg Account
> Domain: FAST Logon ID: 0x6bee32e New Computer Account: Security ID:
> S-1-5-21-3227760434-1372198118-1359596449-2167 Account Name: SRV-FL-TMG$
> Account Domain: FAST Attributes: SAM Account Name: SRV-FL-TMG$ Display Name:
> - User Principal Name: - Home Directory: - Home Drive: - Script Path: -
> Profile Path: - User Workstations: - Password Last Set: 7/16/2012 2:09:37 PM
> Account Expires: %%1794 Primary Group ID: 515 AllowedToDelegateTo: - Old UAC
> Value: 0x0 New UAC Value: 0x80 User Account Control: %%2087 User Parameters:
> - SID History: - Logon Hours: %%1793 DNS Host Name:
> SRV-FL-TMG.fastlane.local Service Principal Names: HOST/SRV-FL-TMG
> RestrictedKrbHost/SRV-FL-TMG HOST/SRV-FL-TMG RestrictedKrbHost/SRV-FL-TMG
> Additional Information: Privileges -
>
> As you see the time of event and the time of notification are different.
> The time of receiving e-mail notification is 16.07.2012 14:09
> The time on the ossec server is also correct.
>
> I wonder why and where ossec gets this wrong time?
>

What are the timezones at work here? If you don't know which timezone
file exists at /var/ossec/etc/localtime, you can either check the
md5 against the tz files in (possibly) /usr/share/zoneinfo, or you can
run strings against it and look for a line like the following:
EST5EDT,M3.2.0,M11.1.0

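An added example, not code from either message in the thread, that scripts the two checks the reply describes (a checksum match of the chroot localtime copy against the zoneinfo tree, and reading the POSIX TZ footer that `strings` would show) against a constructed zoneinfo tree; the real paths /var/ossec/etc/localtime and /usr/share/zoneinfo are only the parameter defaults, and the fake zone files are built inline.

```shell
#!/bin/sh
# Added example (not from the thread): identify which zoneinfo file OSSEC's
# chroot copy of localtime matches, by the two methods the reply describes:
#  1. checksum match against every file under the zoneinfo directory;
#  2. reading the POSIX TZ footer that TZif version 2+ files carry (the
#     line "strings" would show, e.g. EST5EDT,M3.2.0,M11.1.0).
# The default paths are the ones named in the reply; both are parameters.

file_hash() {
    # md5sum as in the reply, falling back to POSIX cksum where it is absent
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# Print every zoneinfo-relative name whose content is identical to $1.
find_tz_match() {
    localtime="$1"
    zoneinfo="${2:-/usr/share/zoneinfo}"
    want=$(file_hash "$localtime")
    find "$zoneinfo" -type f | while read -r f; do
        if [ "$(file_hash "$f")" = "$want" ]; then
            printf '%s\n' "${f#"$zoneinfo"/}"
        fi
    done
}

# Print the POSIX TZ string stored as the last line of a TZif v2+ file.
# Version 1 files have no footer, so the pattern check then prints nothing.
posix_tz_string() {
    tail -n 1 "$1" | grep -E '^(<[^>]+>|[A-Za-z]{3,})[-+]?[0-9]'
}

# Demo on a constructed zoneinfo tree (real TZif files are binary; these
# only mimic the footer line the second method relies on).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/zoneinfo/America" "$demo_dir/zoneinfo/Europe"
printf 'TZif2-fake-header\nEST5EDT,M3.2.0,M11.1.0\n' \
    > "$demo_dir/zoneinfo/America/New_York"
printf 'TZif2-fake-header\nCET-1CEST,M3.5.0,M10.5.0/3\n' \
    > "$demo_dir/zoneinfo/Europe/Berlin"
cp "$demo_dir/zoneinfo/America/New_York" "$demo_dir/localtime"
echo "checksum match: $(find_tz_match "$demo_dir/localtime" "$demo_dir/zoneinfo")"
echo "TZ footer:      $(posix_tz_string "$demo_dir/localtime")"
rm -rf "$demo_dir"
```

On a real host, run `find_tz_match /var/ossec/etc/localtime` with no second argument to compare against /usr/share/zoneinfo; several names can print when zones are hard-linked copies of one another.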