... and a few minutes searching through email gave me this from a 219KB 
email message.  A couple of hundred of the 'Audit policy changed' from one 
server, followed by a web server error from another:

OSSEC HIDS Notification.
2013 Aug 31 14:56:13

Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4719):
Microsoft-Windows-Security-Auditing: (no user): no domain:
TABJUMP01.timboyer.org: System audit policy was changed. Subject:  Security 
ID:
S-1-5-18  Account Name:  TABJUMP01$  Account Domain:  TAB  Logon ID:  0x3e7
Audit Policy Change:  Category:  %%8273  Subcategory:  %%12549  Subcategory
GUID: {0CCE9219-69AE-11D9-BED3-505054503030}  Changes:  %%8449, %%8451



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Aug 31 14:56:13

Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4719):
Microsoft-Windows-Security-Auditing: (no user): no domain:
TABJUMP01.timboyer.org: System audit policy was changed. Subject:  Security 
ID:
S-1-5-18  Account Name:  TABJUMP01$  Account Domain:  TAB  Logon ID:  0x3e7
Audit Policy Change:  Category:  %%8273  Subcategory:  %%12550  Subcategory
GUID: {0CCE921A-69AE-11D9-BED3-505054503030}  Changes:  %%8449, %%8451



 --END OF NOTIFICATION

<1758 lines with the same error skipped>


OSSEC HIDS Notification.
2013 Aug 31 14:56:36

Received From: (TABAPP01)
192.168.51.165->\WINDOWS\System32\LogFiles\W3SVC1\ex130831.log
Rule: 31151 fired (level 10) -> "Multiple web server 400 error codes from
same source ip."
Portion of the log(s):

2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
/web372/scripts/jquery-1.4.1.min.js - 80 - 192.168.17.145 HTTP/1.1
/Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
/EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
/http://TABtestlb.timboyer.org/web372/TAB
/TABtestlb.timboyer.org 401 1 0 1988 525 0
2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
//web372/scripts/jquery-1.4.1.min.js - 80 - 192.168.17.145 HTTP/1.1
//Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
//EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
//http://TABtestlb.timboyer.org/web372/TAB
//TABtestlb.timboyer.org 401 2 2148074254 1872 442 78
2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
/web372/themes/main.css - 80 - 192.168.17.145 HTTP/1.1
/Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
/EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
/http://TABtestlb.timboyer.org/web372/TAB


On Saturday, August 31, 2013 12:47:34 PM UTC-4, Tim Boyer wrote:
>
> Running 2.6.15 on a RHEL5 server, and the do_not_group is not working the 
> way I expect.  I assume that that is a problem with my expectations, but 
> just in case...
>
> ossec.conf looks like so:
>
>   <email_alerts>
>     <email_to>WINDOWS</email_to>
>     <level>5</level>
>     
> <event_location>192.168.42|192.168.43|192.168.44|192.168.45|192.168.46|192.168.52|192.168.53|192.168.21|192.168.19|192.168.17|192.168.17|192.168.18.40|172.25.17.40|</event_location>
>     <do_not_group />
>   </email_alerts>   
>
> but 'Multiple Windows error events' continues to group messages, like so:
>
> Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
> Rule: 18154 fired (level 10) -> "Multiple Windows error events."
> Portion of the log(s):
>
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no 
> domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy 
> Auto-Discovery Service service depends on the DHCP Client service which 
> failed to start because of the following error:   %%1058  
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no 
> domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy 
> Auto-Discovery Service service depends on the DHCP Client service which 
> failed to start because of the following error:   %%1058  
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no 
> domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy 
> Auto-Discovery Service service depends on the DHCP Client service which 
> failed to start because of the following error:   %%1058  
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no 
> domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy 
> Auto-Discovery Service service depends on the DHCP Client service which 
> failed to start because of the following error:   %%1058  
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no 
> domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy 
> Auto-Discovery Service service depends on the DHCP Client service which 
> failed to start because of the following error:   %%1058  
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no 
> domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery 
> Service service depends on the DHCP Client service which failed to start 
> because of the following error:   %%1058  
> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no 
> domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery 
> Service service depends on the DHCP Client service which failed to start 
> because of the following error:   %%1058  
> WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: NT 
> AUTHORITY: REMOTECON01.timboyer.org: The processing of Group Policy 
> failed. Windows could not resolve the computer name. This could be caused 
> by one of more of the following:   a) Name Resolution failure on the 
> current domain controller.   b) Active Directory Replication Latency (an 
> account created on another domain controller has not replicated to the 
> current domain controller).  
>
>
>
> I believe this is only happening with the 'Multiple Windows' alert.  Is 
> this a limitation in do_not_group, or is there something I'm doing wrong?
>
> Thanks,
>
> Tim
>
>

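Added here as an example, not part of the thread or of OSSEC itself: a small parser for the notification format pasted above that splits one alert e-mail into its notifications and counts them per agent and rule, so a mail full of one repeated alert (like the 1758 skipped above) can be summarized before deciding which rule to tune. The sample mail is constructed, its log portions are shortened, and it assumes each header field sits on a single line (the mail client has wrapped some of them in the paste above).

```python
import re
from collections import Counter

# Constructed samples in the notification format pasted in the thread; the
# logs portion is shortened and every header field is kept on a single line.
AUDIT = """OSSEC HIDS Notification.
2013 Aug 31 14:56:13

Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4719): System audit policy was changed.

 --END OF NOTIFICATION

"""
WEB = """OSSEC HIDS Notification.
2013 Aug 31 14:56:36

Received From: (TABAPP01) 192.168.51.165->W3SVC1/ex130831.log
Rule: 31151 fired (level 10) -> "Multiple web server 400 error codes from same source ip."
Portion of the log(s):

2013-08-31 18:56:25 GET /web372/scripts/jquery-1.4.1.min.js 192.168.17.145 401
2013-08-31 18:56:25 GET /web372/themes/main.css 192.168.17.145 401

 --END OF NOTIFICATION
"""
SAMPLE = AUDIT * 200 + WEB  # hundreds of one alert, then one from another box

NOTIFICATION = re.compile(
    r'OSSEC HIDS Notification\.\n(?P<ts>[^\n]+)\n\n'
    r'Received From: \((?P<agent>[^)]+)\) (?P<src>\S+)->(?P<location>[^\n]+)\n'
    r'Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>[^"]+)"\n'
    r'Portion of the log\(s\):\n\n(?P<logs>.*?)\n\s*--END OF NOTIFICATION', re.S)

def parse_notifications(text):
    """Split one OSSEC alert e-mail into a list of dicts, one per notification."""
    alerts = []
    for m in NOTIFICATION.finditer(text):
        a = m.groupdict()
        a["rule"], a["level"] = int(a["rule"]), int(a["level"])
        a["logs"] = [ln for ln in a["logs"].splitlines() if ln.strip()]
        alerts.append(a)
    return alerts

def summarize(alerts):
    """Count notifications per (agent, rule id) so a flood of one rule stands out."""
    return Counter((a["agent"], a["rule"]) for a in alerts)
```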