I've been trying to use ossec-reportd by issuing the following command:
cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success
Unfortunately, the output is simply:
2014/03/17 09:53:34 ossec-reportd: INFO: Started (pid: 13402).
2014/03/17 09:53:40 ossec-reportd: INFO: Report completed and zero alerts
post-filter.
However, if I cat out the alerts.log file it looks like this:
AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; RG:
"windows,authentication_success,"; RC: "Windows Logon Success."; USER:
"None"; SRCIP: "None"; HOSTNAME: "(**********) **.*.**.***->WinEvtLog";
LOCATION: "(*********) **.*.**.***->WinEvtLog"; EVENT: "[INIT]WinEvtLog:
Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no
user): no domain: ******.***.local: An account was successfully logged on.
Subject: Security ID: *-*-*-* Account Name: -
Account Domain: - Logon ID: 0x0 Logon Type:
3 Impersonation Level: %1833 New Logon: Security ID:
********************** Account Name: *************
Account Domain: **** Logon ID: *********** Logon
GUID: {00000000-0000-0000-0000-000000000000} Process Information:
Process ID: 0x0 Process Name: - Network Information:
Workstation Name: L2FS266 Source Network Address: 10.1.14.119
Source Port: 57548 Detailed Authentication Information: Logon
Process: NtLmSsp Authentication Package: NTLM Transited
Services: - Package Name (NTLM only): NTLM V2 Key Length: 128
This event is generated when a logon session is created. It is generated
on the computer that was accessed. The subject fields indicate the
account on the local system which requested the logon. This is most
commonly a service such as the Server service, or a local process such as
Winlogon.exe or Services.exe. The logon type field indicates the kind of
logon that occurred. The most common types are 2 (interactive) and 3
(network). The New Logon fields indicate the account for whom the new
logon was created, i.e. the account that was logged on.
*Note*: I replaced any identifying information (domain, IP Address, etc)
with *************.
Clearly running reportd for authentication_success should catch this event,
correct? Or am I misunderstanding the filter? The filter I'm most interested
in is File Integrity Monitoring in the end, but it would be nice to
understand more about these filters and what I'm doing wrong.
Any help is greatly appreciated, thank you for your time.
Jimmy
--
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
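An added example, not part of Jimmy's post and not OSSEC's own code. The entry he pasted is in the single-line `AV - Alert - "<ts>" --> RID: ...` style, whereas alerts.log as written by ossec-analysisd uses the multi-line `** Alert <ts>.<id>: <flags> <groups>` block format, which is the one I would expect ossec-reportd to parse (my assumption, not something the post establishes). The script below parses both layouts into one structure and applies a group filter, modelled as an exact match on one comma-separated group name (again an assumption about `-f group`, not a reading of the reportd source), so you can see offline which entries a given group filter would keep. Both samples are constructed: the first is the post's entry with redactions and a closing quote, the second is the same logon alert plus an invented syscheck alert so the filter has something to exclude.

```python
"""Parse OSSEC single-line and multi-line alert entries and filter by rule group.

Added example, not OSSEC code. Sample alerts are constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Alert:
    rule_id: str
    level: int
    groups: List[str]
    description: str
    location: str


# Single-line 'AV - Alert - "<ts>" --> KEY: "value"; KEY: "value"; ...' entries.
AV_RE = re.compile(r'^AV - Alert - "(\d+)" --> (.*)$', re.S)
KV_RE = re.compile(r'(\b[A-Z]+): "([^"]*)"')

# Multi-line '** Alert <ts>.<id>: <flags> <groups>' entries (alerts.log proper).
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+: (\S+) (.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")


def split_groups(rg: str) -> List[str]:
    """'windows,authentication_success,' -> ['windows', 'authentication_success']."""
    return [g for g in rg.split(",") if g]


def parse_av_line(line: str) -> Optional[Alert]:
    """Parse one single-line 'AV - Alert' entry; None if the line is not one."""
    m = AV_RE.match(line.strip())
    if not m:
        return None
    f = dict(KV_RE.findall(m.group(2)))
    return Alert(f.get("RID", ""), int(f.get("RL", "0")), split_groups(f.get("RG", "")),
                 f.get("RC", ""), f.get("LOCATION", ""))


def parse_alerts_log(text: str) -> List[Alert]:
    """Parse multi-line '** Alert' blocks: header, location line, Rule line, log."""
    alerts = []
    for block in re.split(r"\n(?=\*\* Alert )", text.strip()):
        lines = block.splitlines()
        h = HEADER_RE.match(lines[0]) if lines else None
        if not h or len(lines) < 3:
            continue
        r = RULE_RE.match(lines[2])
        if not r:
            continue
        alerts.append(Alert(r.group(1), int(r.group(2)), split_groups(h.group(3)),
                            r.group(3), lines[1]))
    return alerts


def filter_by_group(alerts: List[Alert], group: str) -> List[Alert]:
    """Keep alerts whose comma-separated group list contains exactly `group`.

    Assumption: modelled as an exact match on one group name.
    """
    return [a for a in alerts if group in a.groups]


# Constructed sample: the post's redacted single-line entry, shortened and closed.
SAMPLE_AV = (
    'AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; '
    'RG: "windows,authentication_success,"; RC: "Windows Logon Success."; '
    'USER: "None"; SRCIP: "None"; HOSTNAME: "(redacted) 10.0.0.1->WinEvtLog"; '
    'LOCATION: "(redacted) 10.0.0.1->WinEvtLog"; '
    'EVENT: "[INIT]WinEvtLog: Security: AUDIT_SUCCESS(4624): '
    'Microsoft-Windows-Security-Auditing: An account was successfully logged on. '
    'Logon Type: 3 Workstation Name: L2FS266 Source Network Address: 10.1.14.119"'
)

# Constructed sample of the multi-line format: the same logon alert plus one
# invented syscheck (file integrity) alert so the group filter has something to drop.
SAMPLE_ALERTS_LOG = """\
** Alert 1395036000.12345: - windows,authentication_success,
2014 Mar 17 09:00:00 (redacted) 10.0.0.1->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
WinEvtLog: Security: AUDIT_SUCCESS(4624): An account was successfully logged on.

** Alert 1395036100.12346: - ossec,syscheck,
2014 Mar 17 09:01:40 (redacted) 10.0.0.1->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""


if __name__ == "__main__":
    one = parse_av_line(SAMPLE_AV)
    print("single-line entry groups:", one.groups if one else None)
    for grp in ("authentication_success", "syscheck", "authentication"):
        hits = filter_by_group(parse_alerts_log(SAMPLE_ALERTS_LOG), grp)
        print(f"-f group {grp}: {[a.rule_id for a in hits]}")
```

Run it as-is to see that `authentication_success` keeps rule 18107 and `syscheck` keeps rule 550, while a partial name such as `authentication` matches nothing under the exact-match assumption; if you feed it a real alerts.log, `parse_alerts_log` will silently skip blocks that are not in the `** Alert` layout, which is a quick way to tell the two formats apart.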