Aha! That makes sense; I'll bump it up. Thanks much!
On Saturday, August 31, 2013 10:33:43 PM UTC-4, dan (ddpbsd) wrote:

> On Aug 31, 2013 10:32 PM, "Tim Boyer" <[email protected]> wrote:
> >
> > ... and a few minutes searching through email gave me this from a 219KB email message. Couple of hundred of the 'Audit policy changed' from one server, followed by a web server error from another:
>
> My guess would be that you hit the max emails per hour limit and this is a wrap up.
>
> > OSSEC HIDS Notification.
> > 2013 Aug 31 14:56:13
> >
> > Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
> > Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
> > Portion of the log(s):
> >
> > WinEvtLog: Security: AUDIT_SUCCESS(4719): Microsoft-Windows-Security-Auditing: (no user): no domain: TABJUMP01.timboyer.org: System audit policy was changed. Subject: Security ID: S-1-5-18 Account Name: TABJUMP01$ Account Domain: TAB Logon ID: 0x3e7 Audit Policy Change: Category: %%8273 Subcategory: %%12549 Subcategory GUID: {0CCE9219-69AE-11D9-BED3-505054503030} Changes: %%8449, %%8451
> >
> >
> >
> > --END OF NOTIFICATION
> >
> >
> >
> > OSSEC HIDS Notification.
> > 2013 Aug 31 14:56:13
> >
> > Received From: (TABJUMP01) 192.168.17.142->WinEvtLog
> > Rule: 18113 fired (level 8) -> "Windows Audit Policy changed."
> > Portion of the log(s):
> >
> > WinEvtLog: Security: AUDIT_SUCCESS(4719): Microsoft-Windows-Security-Auditing: (no user): no domain: TABJUMP01.timboyer.org: System audit policy was changed. Subject: Security ID: S-1-5-18 Account Name: TABJUMP01$ Account Domain: TAB Logon ID: 0x3e7 Audit Policy Change: Category: %%8273 Subcategory: %%12550 Subcategory GUID: {0CCE921A-69AE-11D9-BED3-505054503030} Changes: %%8449, %%8451
> >
> >
> >
> > --END OF NOTIFICATION
> >
> > <1758 lines with the same error skipped>
> >
> >
> > OSSEC HIDS Notification.
> > 2013 Aug 31 14:56:36
> >
> > Received From: (TABAPP01) 192.168.51.165->\WINDOWS\System32\LogFiles\W3SVC1\ex130831.log
> > Rule: 31151 fired (level 10) -> "Multiple web server 400 error codes from same source ip."
> > Portion of the log(s):
> >
> > 2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET /web372/scripts/jquery-1.4.1.min.js - 80 - 192.168.17.145 HTTP/1.1 /Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) /EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45 /http://TABtestlb.timboyer.org/web372/TAB /TABtestlb.timboyer.org 401 1 0 1988 525 0
> > 2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET //web372/scripts/jquery-1.4.1.min.js - 80 - 192.168.17.145 HTTP/1.1 //Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) //EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45 //http://TABtestlb.timboyer.org/web372/TAB //TABtestlb.timboyer.org 401 2 2148074254 1872 442 78
> > 2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET /web372/themes/main.css - 80 - 192.168.17.145 HTTP/1.1 /Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) /EDACookie4.0=TAB;+ASP.NET_SessionId=4j2qcw45wjf4ehqfcymzlb45 /http://TABtestlb.timboyer.org/web372/TAB
> >
> >
> >
> > On Saturday, August 31, 2013 12:47:34 PM UTC-4, Tim Boyer wrote:
> >>
> >> Running 2.6.15 on a RHEL5 server, and the do_not_group is not working the way I expect. I assume that that is a problem with my expectations, but just in case...
> >>
> >> ossec.conf looks like so:
> >>
> >> <email_alerts>
> >>   <email_to>WINDOWS</email_to>
> >>   <level>5</level>
> >>   <event_location>192.168.42|192.168.43|192.168.44|192.168.45|192.168.46|192.168.52|192.168.53|192.168.21|192.168.19|192.168.17|192.168.17|192.168.18.40|172.25.17.40|</event_location>
> >>   <do_not_group />
> >> </email_alerts>
> >>
> >> but 'Multiple Windows error events' continues to group messages, like so:
> >>
> >> Received From: (REMOTEDEV03) 192.168.53.52->WinEvtLog
> >> Rule: 18154 fired (level 10) -> "Multiple Windows error events."
> >> Portion of the log(s):
> >>
> >> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> >> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> >> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> >> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> >> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: REMOTEDEV03.dev.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> >> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> >> WinEvtLog: System: ERROR(7001): Service Control Manager: (no user): no domain: LOCALCON01.timboyer.org: The WinHTTP Web Proxy Auto-Discovery Service service depends on the DHCP Client service which failed to start because of the following error: %%1058
> >> WinEvtLog: System: ERROR(1055): Microsoft-Windows-GroupPolicy: SYSTEM: NT AUTHORITY: REMOTECON01.timboyer.org: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following: a) Name Resolution failure on the current domain controller. b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).
> >>
> >>
> >>
> >> I believe this is only happening with the 'Multiple Windows' alert. Is this a limitation in do_not_group, or is there something I'm doing wrong?
> >>
> >> Thanks,
> >>
> >> Tim
> >>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
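dan's reading is that the 219KB message is a wrap-up digest sent once the per-hour e-mail limit is reached, which is why hundreds of identical alerts and a "lines skipped" marker land in one mail. As an added example (not code from the thread or from the OSSEC project), the parser below splits a digest in the layout quoted above into individual alerts, counts them per rule and agent, and picks up the skipped-lines count, so a long digest can be triaged without reading every repeated block. The sample digest is constructed here from the formats in the thread; it is not the original message.

```python
import re
from collections import Counter

# Header lines of one alert in an OSSEC digest, plus the marker OSSEC inserts where it drops repeats.
RECEIVED_RE = re.compile(r"^Received From: \((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>.+)$")
RULE_RE = re.compile(r'^Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>.*)"$')
SKIPPED_RE = re.compile(r"^<(?P<n>\d+) lines with the same error skipped>$")

def parse_digest(text):
    """Split on --END OF NOTIFICATION; return (list of alert dicts, total skipped lines)."""
    alerts, skipped = [], 0
    for block in re.split(r"^--END OF NOTIFICATION$", text, flags=re.M):
        alert = {}
        for line in block.splitlines():
            line = line.strip()
            if m := SKIPPED_RE.match(line):
                skipped += int(m["n"])
            elif m := RECEIVED_RE.match(line):
                alert.update(m.groupdict())
            elif m := RULE_RE.match(line):
                alert.update(rule=int(m["rule"]), level=int(m["level"]), desc=m["desc"])
        if "rule" in alert:
            alerts.append(alert)
    return alerts, skipped

def summarize(text):
    """Count alerts per (rule, agent) so a wrap-up digest can be triaged at a glance."""
    alerts, skipped = parse_digest(text)
    return Counter((a["rule"], a["agent"]) for a in alerts), skipped

def _notif(ts, agent, ip, loc, rule, level, desc, log):
    # Builds one constructed sample alert in the digest layout quoted in the thread.
    return (f"OSSEC HIDS Notification.\n{ts}\n\nReceived From: ({agent}) {ip}->{loc}\n"
            f'Rule: {rule} fired (level {level}) -> "{desc}"\nPortion of the log(s):\n\n'
            f"{log}\n\n--END OF NOTIFICATION\n")

# Constructed sample: two audit-policy alerts, the skipped-lines marker, then the web-server alert.
SAMPLE_DIGEST = "\n".join([
    _notif("2013 Aug 31 14:56:13", "TABJUMP01", "192.168.17.142", "WinEvtLog", 18113, 8,
           "Windows Audit Policy changed.", "WinEvtLog: Security: AUDIT_SUCCESS(4719): ..."),
    _notif("2013 Aug 31 14:56:13", "TABJUMP01", "192.168.17.142", "WinEvtLog", 18113, 8,
           "Windows Audit Policy changed.", "WinEvtLog: Security: AUDIT_SUCCESS(4719): ..."),
    "<1758 lines with the same error skipped>\n",
    _notif("2013 Aug 31 14:56:36", "TABAPP01", "192.168.51.165",
           r"\WINDOWS\System32\LogFiles\W3SVC1\ex130831.log", 31151, 10,
           "Multiple web server 400 error codes from same source ip.",
           "2013-08-31 18:56:25 W3SVC1 TABAPP01 192.168.51.165 GET /web372/themes/main.css ..."),
])
```

Running `summarize(SAMPLE_DIGEST)` gives two rule 18113 alerts from TABJUMP01, one rule 31151 alert from TABAPP01, and 1758 skipped lines; on a real digest, feed it the saved e-mail body.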
