I am somewhat new to OSSEC so be nice, PLEASE! :)
I am not quite understanding why an ID 4720 would not hit my alert log
based on the below rules. As soon as I change rule id 18104's alert level
to something other than 0, she alerts. I was under the impression that if the
if_sid statement is true it continues into the rule. So based on the
Windows security event, the audit was a success and the category is windows, so it
should have triggered based on these rules. Like I said, as soon as I
change the 18104 rule to, let's say, level 4, she worked. Let me know if you
need additional information, but is there someplace else I need to look or
maybe I'm missing something? THANKS..
NOTE: A 4720 is "user account was created" and was a success. Keywords:
Audit Success
<rule id="18100" level="0">
  <category>windows</category>
  <description>Group of windows rules.</description>
</rule>
<rule id="18104" level="0">
  <if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>
<rule id="18110" level="8">
  <if_sid>18104</if_sid>
  <id>^624|^626|^645|^4720|^4722|^4741</id>
  <description>User account enabled or created.</description>
  <group>adduser,account_changed,</group>
</rule>
--
Tom O'Brion
Twitter: @tobrion
"Life is too short to spend time with people who suck the happy out of you."
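An added example, not code from the post or from the OSSEC project: a small Python model of the if_sid chaining the post describes, run over a constructed Windows 4720 / AUDIT_SUCCESS event using the three rules quoted above. It only models the if_sid parent check plus category, status and id matching; it does not reproduce OSSEC's decoders or its real matching engine, so it shows the chain the poster expects (18100 -> 18104 -> 18110, level 8), not why the running OSSEC behaved differently.

```python
import re
import xml.etree.ElementTree as ET

# The three rules quoted in the post, wrapped in a root element so
# ElementTree can parse them as a single document.
RULES_XML = """<group>
<rule id="18100" level="0">
  <category>windows</category>
  <description>Group of windows rules.</description>
</rule>
<rule id="18104" level="0">
  <if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>
<rule id="18110" level="8">
  <if_sid>18104</if_sid>
  <id>^624|^626|^645|^4720|^4722|^4741</id>
  <description>User account enabled or created.</description>
  <group>adduser,account_changed,</group>
</rule>
</group>"""

# Rule tags this simplified model understands. <category> is compared as an
# exact string; <status> and <id> are treated as regular expressions.
REGEX_TAGS = ("status", "id")


def load_rules(xml_text):
    """Return {rule_id: {"level": int, "if_sid": parent or None, tag: text}}."""
    rules = {}
    for r in ET.fromstring(xml_text).findall("rule"):
        rule = {"level": int(r.get("level")), "if_sid": None}
        for child in r:
            if child.tag in ("if_sid", "category") + REGEX_TAGS:
                rule[child.tag] = child.text.strip()
        rules[r.get("id")] = rule
    return rules


def rule_matches(rule, event, matched):
    """True if the parent (if_sid) already matched and every field test passes."""
    if rule["if_sid"] is not None and rule["if_sid"] not in matched:
        return False
    if "category" in rule and rule["category"] != event.get("category"):
        return False
    return all(re.search(rule[t], event.get(t, "")) for t in REGEX_TAGS if t in rule)


def evaluate(event, rules):
    """Walk rules in id order honoring if_sid; return (deepest matched id, its level)."""
    matched = []
    for rid in sorted(rules, key=int):
        if rule_matches(rules[rid], event, matched):
            matched.append(rid)
    return (matched[-1], rules[matched[-1]]["level"]) if matched else (None, 0)


# Constructed event standing in for a decoded 4720 "user account created" log.
SAMPLE_EVENT = {"category": "windows", "status": "AUDIT_SUCCESS", "id": "4720"}
```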