Hello there, I need some direction on auditing alerts.log. I need to know accurately which hours a user logs in and logs out of the Active Directory domain. I have Windows 2008 and 2003 (primary and secondary, respectively); OSSEC agents are installed on both servers.
** Alert 1354354465.98266105: - windows,authentication_success,
2012 Dec 01 07:34:25 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: [email protected]
WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: [email protected]: DOMAIN.COM: AD_PRIMARY.DOMAIN.COM: A Kerberos service ticket was requested. Account Information: Account Name: [email protected] Account Domain: DOMAIN.COM Logon GUID: {68BDA460-CABF-74CC-B467-FCCB9A6771CB} Service Information: Service Name: FILESHARE$ Service ID: S-1-5-21-924963825-40351264-2638664145-4527 Network Information: Client Address: ::ffff:1.1.1.1 Client Port: 1182 Additional Information: Ticket Options: 0x40800000 Ticket Encryption Type: 0x17 Failure Code: 0x0 Transited Services: - This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.

I will need to filter events; my doubt is: can I get false positives? Which is the better way to identify a user's logins and logouts accurately?

Regards,
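As an added example, not part of the original post or of OSSEC itself: a small Python parser for the alerts.log layout shown above. It reads the Windows event ID out of the AUDIT_SUCCESS(...) field rather than trusting the OSSEC rule description, so a 4769 Kerberos service-ticket request (which rule 18107 also labels 'Windows Logon Success') is kept apart from a real 4624 logon, and it pairs 4624 with 4634/4647 on the Logon ID to get session start and end times. The sample alerts, hostnames, users, addresses and the logoff rule id 18149 are constructed assumptions, not data from the poster's servers.

```python
import re

# Constructed sample in the ossec alerts.log layout; hosts, users,
# addresses, Logon IDs and rule 18149 are assumptions, not real data.
SAMPLE_ALERTS = """\
** Alert 1354354465.98266105: - windows,authentication_success,
2012 Dec 01 07:34:25 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: jdoe@EXAMPLE.COM
WinEvtLog: Security: AUDIT_SUCCESS(4769): Microsoft-Windows-Security-Auditing: jdoe@EXAMPLE.COM: EXAMPLE.COM: AD_PRIMARY.EXAMPLE.COM: A Kerberos service ticket was requested. Account Information: Account Name: jdoe@EXAMPLE.COM Account Domain: EXAMPLE.COM Logon GUID: {00000000-0000-0000-0000-000000000001} Service Information: Service Name: FILESHARE$ Network Information: Client Address: ::ffff:10.15.1.50 Client Port: 1182

** Alert 1354354470.98266200: - windows,authentication_success,
2012 Dec 01 07:34:30 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: jdoe
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: jdoe: EXAMPLE: AD_PRIMARY.EXAMPLE.COM: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: AD_PRIMARY$ Account Domain: EXAMPLE Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-1-2-3-1104 Account Name: jdoe Account Domain: EXAMPLE Logon ID: 0x3e7a1 Network Information: Source Network Address: 10.15.1.50

** Alert 1354354475.98266300: - windows,authentication_success,
2012 Dec 01 07:34:35 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
User: svc-backup
WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: svc-backup: EXAMPLE: AD_PRIMARY.EXAMPLE.COM: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Logon ID: 0x0 Logon Type: 3 New Logon: Account Name: svc-backup Account Domain: EXAMPLE Logon ID: 0x3e7b2

** Alert 1354383600.98270000: - windows,authentication_success,
2012 Dec 01 15:40:00 (AD_PRIMARY) 10.15.1.221->WinEvtLog
Rule: 18149 (level 3) -> 'Windows User Logoff.'
User: jdoe
WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: jdoe: EXAMPLE: AD_PRIMARY.EXAMPLE.COM: An account was logged off. Subject: Security ID: S-1-5-21-1-2-3-1104 Account Name: jdoe Account Domain: EXAMPLE Logon ID: 0x3e7a1 Logon Type: 10
"""

# Security event IDs that open or close a logon session:
# 5xx are the Windows 2003 numbers, 46xx the Windows 2008 numbers.
LOGON_IDS = {528, 540, 4624}
LOGOFF_IDS = {538, 551, 4634, 4647}
# Kerberos / NTLM ticket events: authentication traffic, not a session.
TICKET_IDS = {672, 673, 680, 4768, 4769, 4776}
# Logon types that mean a person is at a console or RDP session.
# Type 3 (network) fires on every share or RPC connection and is the
# main source of spurious "logins" when you only want working hours.
INTERACTIVE_TYPES = {2, 7, 10, 11}

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:", re.M)
WHEN_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \(([^)]+)\)", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) ", re.M)
USER_RE = re.compile(r"^User: (\S+)", re.M)
EVENT_RE = re.compile(r"AUDIT_(SUCCESS|FAILURE)\((\d+)\)")
LOGON_TYPE_RE = re.compile(r"Logon Type: (\d+)")
LOGON_ID_RE = re.compile(r"Logon ID: (0x[0-9A-Fa-f]+)")


def parse_alerts(text):
    """Split an alerts.log dump into dicts, one per '** Alert' record."""
    alerts = []
    for chunk in re.split(r"(?m)^(?=\*\* Alert )", text):
        head, when, event = (HEADER_RE.search(chunk), WHEN_RE.search(chunk),
                             EVENT_RE.search(chunk))
        if not (head and when and event):
            continue  # blank, not a WinEvtLog alert, or truncated
        rule, user, ltype = (RULE_RE.search(chunk), USER_RE.search(chunk),
                             LOGON_TYPE_RE.search(chunk))
        # A 4624 carries two Logon IDs (Subject, then New Logon); the last
        # one is the session being opened. 4634/4647 carry exactly one.
        logon_ids = LOGON_ID_RE.findall(chunk)
        alerts.append({
            "epoch": int(head.group(1)), "date": when.group(1),
            "agent": when.group(2),
            "rule": int(rule.group(1)) if rule else None,
            "user": user.group(1) if user else None,
            "status": event.group(1), "event_id": int(event.group(2)),
            "logon_type": int(ltype.group(1)) if ltype else None,
            "logon_id": logon_ids[-1] if logon_ids else None,
        })
    return alerts


def classify(alert):
    """Decide from the event ID, not the rule text, what the alert means."""
    eid = alert["event_id"]
    if eid in LOGON_IDS:
        return "logon"
    if eid in LOGOFF_IDS:
        return "logoff"
    if eid in TICKET_IDS:
        return "ticket"
    return "other"


def sessions(alerts, interactive_only=True):
    """Pair logon and logoff on (agent, Logon ID); end is None if still open."""
    open_sessions, result = {}, []
    for a in sorted(alerts, key=lambda x: x["epoch"]):
        kind, key = classify(a), (a["agent"], a["logon_id"])
        if kind == "logon":
            if interactive_only and a["logon_type"] not in INTERACTIVE_TYPES:
                continue
            open_sessions[key] = a
        elif kind == "logoff" and key in open_sessions:
            start = open_sessions.pop(key)
            result.append((start["user"], start["logon_type"], start["date"], a["date"]))
    for start in open_sessions.values():
        result.append((start["user"], start["logon_type"], start["date"], None))
    return result


if __name__ == "__main__":
    for user, ltype, start, end in sessions(parse_alerts(SAMPLE_ALERTS)):
        print(f"{user:<12} type {ltype:<3} {start}  ->  {end or 'still logged on'}")
```

Run against a real file with `open("/var/ossec/logs/alerts/alerts.log").read()` in place of SAMPLE_ALERTS. With `interactive_only=True` the 4769 ticket and the type-3 network logon are dropped and only the jdoe RDP session (07:34:30 to 15:40:00) is reported; set it to False to see service and share logons as well. On the 2003 secondary DC the same code applies, since the 528/540/538 IDs are in the sets, but note that 4634/538 is only logged when auditing of logon/logoff events is enabled for success, and a workstation lock or a session that ends with a crash will leave a session open in the output.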
