Have you checked the timezone of your OSSEC Server?
On 7/20/2012 7:51 AM, Dmitry wrote:
I have the following notification:
OSSEC HIDS Notification.
2012 Jul 16 *06:14:50*
Received From: (srv-fl-bdc) 172.19.41.96->WinEvtLog
Rule: 18110 fired (level 8) -> "User account enabled or created."
Portion of the log(s):
WinEvtLog: Security: AUDIT_SUCCESS(4741):
Microsoft-Windows-Security-Auditing: (no user): no domain:
SRV-FL-BDC.fast.local: A computer account was created. Subject:
Security ID: S-1-5-21-3227760434-1372198118-1359596449-1114 Account
Name: dg Account Domain: FAST Logon ID: 0x6bee32e New Computer
Account: Security ID: S-1-5-21-3227760434-1372198118-1359596449-2167
Account Name: SRV-FL-TMG$ Account Domain: FAST Attributes: SAM Account
Name: SRV-FL-TMG$ Display Name: - User Principal Name: - Home
Directory: - Home Drive: - Script Path: - Profile Path: - User
Workstations: - Password Last Set: 7/16/2012 *2:09:37 PM* Account
Expires: %%1794 Primary Group ID: 515 AllowedToDelegateTo: - Old UAC
Value: 0x0 New UAC Value: 0x80 User Account Control: %%2087 User
Parameters: - SID History: - Logon Hours: %%1793 DNS Host Name:
SRV-FL-TMG.fast.local Service Principal Names:
HOST/SRV-FL-TMG.fast.local RestrictedKrbHost/SRV-FL-TMG.fastlane.local
HOST/SRV-FL-TMG RestrictedKrbHost/SRV-FL-TMG Additional Information:
Privileges -
You see the time of the notification and the time of the event are different.
The time of receiving the e-mail notification was *14:09*.
The time on the OSSEC server is correct.
So I wonder where the OSSEC server got this wrong time from?
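A small check that makes the discrepancy in the alert above measurable, added here as an example and not part of the thread or of OSSEC itself: it parses the alert header time and the "Password Last Set" stamp embedded in the Windows event (assumed to be written by the DC in its own local time), and reports whether the gap looks like a whole-hour timezone mismatch rather than ordinary clock drift.

```python
import re
from datetime import datetime, timedelta

# Constructed from the alert quoted in the thread; the log portion is trimmed.
ALERT_HEADER = "2012 Jul 16 06:14:50"
LOG_PORTION = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4741): ... A computer account was created. "
    "... Account Name: SRV-FL-TMG$ Account Domain: FAST ... "
    "Password Last Set: 7/16/2012 2:09:37 PM Account Expires: %%1794 ..."
)

def parse_alert_time(header: str) -> datetime:
    """OSSEC alert header: 'YYYY Mon DD HH:MM:SS' in the OSSEC server's local time."""
    return datetime.strptime(header.strip(), "%Y %b %d %H:%M:%S")

def parse_event_time(log_portion: str) -> datetime:
    """Extract the DC-written 'Password Last Set' stamp (assumed DC local time)."""
    m = re.search(r"Password Last Set:\s*(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)",
                  log_portion)
    if not m:
        raise ValueError("no 'Password Last Set' timestamp in log portion")
    return datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")

def clock_gap(alert_header: str, log_portion: str) -> timedelta:
    """Event time minus alert time; positive means the alert was stamped earlier."""
    return parse_event_time(log_portion) - parse_alert_time(alert_header)

def probable_tz_offset_hours(gap: timedelta) -> int:
    """A timezone mismatch shows up as a near-integer number of hours."""
    return round(gap.total_seconds() / 3600)

def diagnose(alert_header: str, log_portion: str, slack: timedelta = timedelta(minutes=10)) -> str:
    """Classify the gap: agreement, whole-hour offset (timezone), or irregular drift."""
    gap = clock_gap(alert_header, log_portion)
    if abs(gap) < timedelta(minutes=5):
        return "clocks agree"
    hours = probable_tz_offset_hours(gap)
    remainder = abs(gap.total_seconds() - hours * 3600)
    if hours != 0 and remainder <= slack.total_seconds():
        return f"probable timezone mismatch of {hours:+d} h between agent host and OSSEC server"
    return f"gap of {gap} is not a whole-hour offset; check NTP sync and clock drift"

if __name__ == "__main__":
    print(clock_gap(ALERT_HEADER, LOG_PORTION))   # 7:54:47
    print(diagnose(ALERT_HEADER, LOG_PORTION))
```

The remainder tolerance (10 minutes by default) is an assumption; tighten it if your agents are NTP-synced.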