On Thu, Nov 1, 2012 at 2:48 PM, Tom OBrion <[email protected]> wrote:
> I am somewhat new to OSSEC so be nice, PLEASE! :)
>
> I am not quite understanding why an ID: 4720 would not hit my alert log based on the below rules. As soon as I change rule id 18104's alert level to something other than 0 she alerts. I was under the impression that if the if_sid statement is true it continues into the rule. So based on the windows security event, the audit was a success and category is windows; it should have triggered based on these rules. Like I said, as soon as I change the 18104 rule to let's say level 4 she worked. Let me know if you need additional information, but is there someplace else I need to look or maybe I'm missing something? THANKS..
>
> NOTE: A 4720 is user account was created and was a success. Keywords: Audit Success
>
> <rule id="18100" level="0">
>   <category>windows</category>
>   <description>Group of windows rules.</description>
> </rule>
>
> <rule id="18104" level="0">
>   <if_sid>18100</if_sid>
>   <status>^AUDIT_SUCCESS|^success</status>
>   <description>Windows audit success event.</description>
> </rule>
>
> <rule id="18110" level="8">
>   <if_sid>18104</if_sid>
>   <id>^624|^626|^645|^4720|^4722|^4741</id>
>   <description>User account enabled or created.</description>
>   <group>adduser,account_changed,</group>
> </rule>
>
> --
> Tom O'Brion
> Twitter: @tobrion
>
> "Life is too short to spend time with people who suck the happy out of you."
Can you provide a log sample? And what worked? You got an 18110 alert?
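To make the chaining that Tom describes concrete (a parent rule matches, then its if_sid children are tried), here is an added Python walk through the three rules as posted against a constructed 4720 success event; this is example code written for this thread, not OSSEC's own matcher, and treating the `<status>` and `<id>` patterns as Python regexes is an assumption. Under that reading the event should land on rule 18110 at level 8, while a failure or a non-account event stops at a level-0 rule and so never alerts.

```python
import re
import xml.etree.ElementTree as ET

# The three rules as quoted in the thread, wrapped in a <group> root for parsing.
RULES_XML = """<group>
<rule id="18100" level="0">
  <category>windows</category>
  <description>Group of windows rules.</description>
</rule>
<rule id="18104" level="0">
  <if_sid>18100</if_sid>
  <status>^AUDIT_SUCCESS|^success</status>
  <description>Windows audit success event.</description>
</rule>
<rule id="18110" level="8">
  <if_sid>18104</if_sid>
  <id>^624|^626|^645|^4720|^4722|^4741</id>
  <description>User account enabled or created.</description>
  <group>adduser,account_changed,</group>
</rule>
</group>"""

def load_rules(xml_text):
    """One dict per <rule>: sid, level, parent sid (if_sid) and its match fields."""
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        rules.append({"sid": r.get("id"), "level": int(r.get("level")),
                      "if_sid": r.findtext("if_sid"),  # None for a root rule
                      "match": {f: r.findtext(f) for f in ("category", "status", "id")
                                if r.findtext(f) is not None}})
    return rules

def rule_matches(rule, event):
    # <category> is an exact keyword; <status>/<id> are modelled as Python regexes
    # (an assumption made for this example; OSSEC has its own pattern syntax).
    return all(event.get(f, "") == p if f == "category" else re.search(p, event.get(f, ""))
               for f, p in rule["match"].items())

def evaluate(rules, event, parent=None):
    """Try rules whose if_sid is the current parent; descend on a match, so the
    deepest matching rule is the one whose level decides whether we alert."""
    for r in rules:
        if r["if_sid"] == parent and rule_matches(r, event):
            return evaluate(rules, event, r["sid"]) or r
    return None

# Constructed fields for a 4720 "user account created" audit-success event.
EVENT_4720 = {"category": "windows", "status": "AUDIT_SUCCESS", "id": "4720"}

def expected_alert(event=EVENT_4720):
    hit = evaluate(load_rules(RULES_XML), event)
    return (hit["sid"], hit["level"]) if hit else None  # level 0 means no alert
```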
