On Aug 31, 2013 10:32 PM, "Tim Boyer" <[email protected]> wrote:
>
> ... and a few minutes searching through email gave me this from a 219KB
> email message.  Couple of hundred of the 'Audit policy changed' from one
> server, followed by a web server error from another:
>

My guess would be that you hit the max emails per hour limit and this is a
wrap up.

> OSSEC HIDS Notification.
> 2013 Aug 31 14:56:13
>
> Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
> Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_SUCCESS(4719):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> TABJUMP01.timboyer.org: System audit policy was changed. Subject: Security ID:
> S-1-5-18  Account Name:  TABJUMP01$  Account Domain:  TAB  Logon ID: 0x3e7
> Audit Policy Change:  Category:  %%8273  Subcategory:  %%12549  Subcategory
> GUID: {0CCE9219-69AE-11D9-BED3-505054503030}  Changes:  %%8449, %%8451
>
>
>
>  --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2013 Aug 31 14:56:13
>
> Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
> Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
> Portion of the log(s):
>
> WinEvtLog: Security: AUDIT_SUCCESS(4719):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> TABJUMP01.timboyer.org: System audit policy was changed. Subject: Security ID:
> S-1-5-18  Account Name:  TABJUMP01$  Account Domain:  TAB  Logon ID: 0x3e7
> Audit Policy Change:  Category:  %%8273  Subcategory:  %%12550  Subcategory
> GUID: {0CCE921A-69AE-11D9-BED3-505054503030}  Changes:  %%8449, %%8451
>
>
>
>  --END OF NOTIFICATION
>
> <1758 lines with the same error skipped>
>
>
> OSSEC HIDS Notification.
> 2013 Aug 31 14:56:36
>
> Received From: (TABAPP01)
> 192.168.51.165->\WINDOWS\System32\LogFiles\W3SVC1\ex130831.log
> Rule: 31151 fired (level 10) -> "Multiple web server 400 error codes from
> same source ip."
> Portion of the log(s):
>
> 2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
> /web372/scripts/jquery-1.4.1.min.js - 80 - 192.168.17.145 HTTP/1.1
> /Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
> /EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
> /http://TABtestlb.timboyer.org/web372/TAB
> /TABtestlb.timboyer.org 401 1 0 1988 525 0
> 2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
> //web372/scripts/jquery-1.4.1.min.js - 80 - 192.168.17.145 HTTP/1.1
> //Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
> //EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
> //http://TABtestlb.timboyer.org/web372/TAB
> //TABtestlb.timboyer.org 401 2 2148074254 1872 442 78
> 2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET
> /web372/themes/main.css - 80 - 192.168.17.145 HTTP/1.1
> /Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727)
> /EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45
> /http://TABtestlb.timboyer.org/web372/TAB
>
>
>
> On Saturday, August 31, 2013 12:47:34 PM UTC-4, Tim Boyer wrote:
>>
>> Running 2.6.15 on a RHEL5 server, and the do_not_group is not working
>> the way I expect.  I assume that that is a problem with my expectations,
>> but just in case...
>>
>> ossec.conf looks like so:
>>
>>   <email_alerts>
>>     <email_to>WINDOWS</email_to>
>>     <level>5</level>
>>     <event_location>192.168.42|192.168.43|192.168.44|192.168.45|192.168.46|192.168.52|192.168.53|192.168.21|192.168.19|192.168.17|192.168.17|192.168.18.40|172.25.17.40|</event_location>
>>     <do_not_group />
>>   </email_alerts>
>>
>> but 'Multiple Windows error events' continues to group messages, like so:
>>
>> Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
>> Rule: 18154 fired (level 10) -> "Multiple Windows error events."
>> Portion of the log(s):
>>
>> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058
>> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058
>> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058
>> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058
>> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058
>> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058
>> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error:   %%1058
>> WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: NT AUTHORITY: REMOTECON01.timboyer.org: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:   a) Name Resolution failure on the current domain controller.   b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
>>
>>
>>
>> I believe this is only happening with the 'Multiple Windows' alert.  Is
>> this a limitation in do_not_group, or is there something I'm doing wrong?
>>
>> Thanks,
>>
>> Tim
>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

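As an added triage example (not code from this thread or from OSSEC itself), a small Python parser for the digest format quoted above: it splits a wrap-up mail into individual notifications, tallies them per agent and rule, and reads the "<N lines with the same error skipped>" marker so the count of suppressed alerts is not lost. The sample digest is constructed and shortened from the quoted mail.

```python
import re
from collections import Counter

# Constructed sample in the OSSEC HIDS Notification digest format quoted in the thread
# (bodies shortened, wrapped rule description joined back onto one line).
SAMPLE = """OSSEC HIDS Notification.
2013 Aug 31 14:56:13
Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
Portion of the log(s):
WinEvtLog: Security: AUDIT_SUCCESS(4719): System audit policy was changed.
 --END OF NOTIFICATION
<1758 lines with the same error skipped>
OSSEC HIDS Notification.
2013 Aug 31 14:56:36
Received From: (TABAPP01) 192.168.51.165->\\WINDOWS\\System32\\LogFiles\\W3SVC1\\ex130831.log
Rule: 31151 fired (level 10) -> "Multiple web server 400 error codes from same source ip."
Portion of the log(s):
2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET /web372/themes/main.css - 80 - 192.168.17.145
 --END OF NOTIFICATION
"""

HEADER = re.compile(
    r'OSSEC HIDS Notification\.\s*\n(?P<ts>[^\n]+)\n+'
    r'Received From: \((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+)\s*\n'
    r'Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>[^"]*)"')
SKIPPED = re.compile(r'<(\d+) lines with the same error skipped>')

def parse_digest(text):
    """One record per notification block; the log portion is kept verbatim."""
    alerts = []
    for chunk in text.split('--END OF NOTIFICATION'):
        m = HEADER.search(chunk)
        if not m:
            continue  # trailing text after the last block
        rec = m.groupdict()
        rec['rule'], rec['level'] = int(rec['rule']), int(rec['level'])
        rec['log'] = chunk[m.end():].split('Portion of the log(s):', 1)[-1].strip()
        alerts.append(rec)
    return alerts

def summarize(text):
    """Triage view of a wrap-up mail: alerts per (agent, rule), skipped lines, top level."""
    alerts = parse_digest(text)
    return {
        'alerts': len(alerts),
        'skipped_lines': sum(int(n) for n in SKIPPED.findall(text)),
        'per_agent_rule': dict(Counter((a['agent'], a['rule']) for a in alerts)),
        'max_level': max((a['level'] for a in alerts), default=0),
    }
```

A large skipped_lines value alongside only a handful of parsed alerts is the signature of the per-hour cap the reply describes, and is worth alerting on in its own right.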