Hello,
I'm having issues with Windows failed logins being grouped based on the
location. Below is the rule in question.
<rule id="18152" level="9" frequency="$MS_FREQ" timeframe="240">
  <if_matched_group>win_authentication_failed</if_matched_group>
  <same_location />
  <description>Multiple Windows Logon Failures.</description>
  <group>authentication_failures,</group>
</rule>
With the rule above, I want alerts to be grouped together only if they are
destined for the same machine. Since there is no option for
same_system_name, and I see in the OSSEC GUI that it is parsing out the
location correctly, I thought it would work, but it's not. Below is what I see
in the web interface. As you can see, it's tripping rule 18153, but it's
doing it for multiple servers and not just one. How do I get it to
only show multiple failed logins from one server at a time?
Level:9 - Multiple Windows audit failure events.
Rule Id:18153
Location:aaaserver1.test.com->/logs/Windows/2014-03-06.log
User:test-account
Mar 6 14:55:45 aaaserver1.test.com ............
Mar 6 14:55:43 aaaserver1.test.com ............
Mar 6 14:55:37 cccserver3.test.com ............
Mar 6 14:55:30 aaaserver1.test.com ............
Mar 6 14:55:30 aaaserver1.test.com ............
Mar 6 14:55:30 bbbserver2.test.com ............
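As an added example (not part of the original post and not OSSEC's own code), a small Python emulation of the composite rule's frequency/timeframe counting. It can key the count on the hostname parsed from each event, or on a single shared location for comparison; the threshold value 4 is a constructed stand-in for $MS_FREQ and the sample lines are constructed from the ones shown above.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events modelled on the lines in the post; only the
# timestamp and hostname fields matter here, the rest of each line is filler.
SAMPLE_LOG = """\
Mar 6 14:55:45 aaaserver1.test.com Windows audit failure ...
Mar 6 14:55:43 aaaserver1.test.com Windows audit failure ...
Mar 6 14:55:37 cccserver3.test.com Windows audit failure ...
Mar 6 14:55:30 aaaserver1.test.com Windows audit failure ...
Mar 6 14:55:30 aaaserver1.test.com Windows audit failure ...
Mar 6 14:55:30 bbbserver2.test.com Windows audit failure ...
"""


def parse_event(line, year=2014):
    """Split a syslog-style line into (timestamp, hostname)."""
    month, day, clock, host, *_ = line.split()
    ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, host


def correlate(lines, frequency, timeframe, key=lambda ts, host: host):
    """Emulate a frequency/timeframe rule: fire when `frequency` events share
    the same key within `timeframe` seconds. Returns {key: [fire times]}."""
    events = sorted(parse_event(l) for l in lines.splitlines() if l.strip())
    windows = defaultdict(deque)  # per-key sliding window of timestamps
    fired = defaultdict(list)
    for ts, host in events:
        k = key(ts, host)
        window = windows[k]
        window.append(ts)
        # Drop events that fell out of the timeframe.
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            fired[k].append(ts.strftime("%H:%M:%S"))
            window.clear()  # start a fresh batch after an alert
    return dict(fired)


# Keyed on hostname: only the server with 4 failures produces an alert.
BY_HOST = correlate(SAMPLE_LOG, frequency=4, timeframe=240)
# Keyed on one shared location (all lines from the same collector): the
# failures of different servers are counted together.
BY_LOCATION = correlate(SAMPLE_LOG, frequency=4, timeframe=240,
                        key=lambda ts, host: "collector")
```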