On Mon, Mar 17, 2014 at 12:00 PM, James Brown <[email protected]> wrote:
> I've been trying to use ossec-reportd by issuing the following command:
>
> cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success
Which version of OSSEC?
>
> Unfortunately, the output is simply:
>
> 2014/03/17 09:53:34 ossec-reportd: INFO: Started (pid: 13402).
> 2014/03/17 09:53:40 ossec-reportd: INFO: Report completed and zero alerts
> post-filter.
>
> However, if I cat out the alerts.log file it looks like this:
>
I'm not sure where you got this alert from, but it is not in OSSEC's
alert format.
> AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; RG:
> "windows,authentication_success,"; RC: "Windows Logon Success."; USER:
> "None"; SRCIP: "None"; HOSTNAME: "(**********) **.*.**.***->WinEvtLog";
> LOCATION: "(*********) **.*.**.***->WinEvtLog"; EVENT: "[INIT]WinEvtLog:
> Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no
> user): no domain: ******.***.local: An account was successfully logged on.
> Subject: Security ID: *-*-*-* Account Name: -
> Account Domain: - Logon ID: 0x0 Logon Type:
> 3 Impersonation Level: %1833 New Logon: Security ID:
> ********************** Account Name: ************* Account
> Domain: **** Logon ID: *********** Logon GUID:
> {00000000-0000-0000-0000-000000000000} Process Information:
> Process ID: 0x0 Process Name: - Network Information:
> Workstation Name: L2FS266 Source Network Address: 10.1.14.119
> Source Port: 57548 Detailed Authentication Information: Logon
> Process: NtLmSsp Authentication Package: NTLM Transited
> Services: - Package Name (NTLM only): NTLM V2 Key Length: 128
> This event is generated when a logon session is created. It is generated on
> the computer that was accessed. The subject fields indicate the account
> on the local system which requested the logon. This is most commonly a
> service such as the Server service, or a local process such as Winlogon.exe
> or Services.exe. The logon type field indicates the kind of logon that
> occurred. The most common types are 2 (interactive) and 3 (network). The
> New Logon fields indicate the account for whom the new logon was created,
> i.e. the account that was logged on.
>
> Note: I replaced any identifying information (domain, IP Address, etc) with
> *************.
>
> Clearly running reportd for authentication_success should catch this event,
> correct? Or am I misunderstanding the filter? The filter I'm most interested
> in is File Integrity Monitoring in the end, but it would be nice to
> understand more about these filters and what I'm doing wrong.
>
> Any help is greatly appreciated, thank you for your time.
>
> Jimmy
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
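To make the reply's point concrete, here is an added example (written for this note, not OSSEC's own code) of a group filter like `ossec-reportd -f group` run over two inputs: a constructed record in the layout OSSEC writes to alerts.log (that layout, the `** Alert` header followed by a `Rule:` line, is an assumption on my part, and the agent names, IPs and rule id 5716 are made-up values), and the `AV - Alert` key/value line the poster piped in, shortened and with the masked fields replaced by constructed values. The alerts.log parser never sees a record in the AV line, which is the "zero alerts post-filter" outcome from the thread, while the group is sitting in that line's `RG` field.

```python
import re

# Constructed sample in the layout OSSEC writes to alerts.log (an assumption about
# the format, not text quoted in the thread). Rule 18107 is the id from the thread;
# 5716, the agent names and the IPs are made-up values.
ALERTS_LOG_SAMPLE = """\
** Alert 1395036000.0: - windows,authentication_success,
2014 Mar 17 09:53:34 (win-agent) 10.1.14.119->WinEvtLog
Rule: 18107 (level 3) -> 'Windows Logon Success.'
WinEvtLog: Security: AUDIT_SUCCESS(4624): An account was successfully logged on.

** Alert 1395036060.100: - syslog,sshd,authentication_failed,
2014 Mar 17 09:54:34 (linux-agent) 10.1.14.50->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Mar 17 09:54:33 bastion sshd[1234]: Failed password for invalid user admin from 10.1.14.200 port 40000 ssh2
"""

# The record the poster piped in, shortened, masked fields replaced by constructed
# values. This is the "AV - Alert" key/value layout, not the alerts.log layout.
AV_SAMPLE = (
    'AV - Alert - "1395036000" --> RID: "18107"; RL: "3"; '
    'RG: "windows,authentication_success,"; RC: "Windows Logon Success."; '
    'USER: "None"; SRCIP: "None"; HOSTNAME: "(win-agent) 10.1.14.119->WinEvtLog"; '
    'LOCATION: "(win-agent) 10.1.14.119->WinEvtLog"; '
    'EVENT: "[INIT]WinEvtLog: Security: AUDIT_SUCCESS(4624): An account was successfully logged on."'
)

HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):\s*(?:\S+\s+)?- (?P<groups>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<rid>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
AV_PAIR_RE = re.compile(r'(?P<key>[A-Z]+): "(?P<val>[^"]*)"')


def split_groups(field):
    """'windows,authentication_success,' -> ['windows', 'authentication_success']."""
    return [g for g in field.split(",") if g]


def parse_alerts_log(text):
    """Parse alerts.log-style records: blank-line separated, '** Alert' header,
    then a 'Rule:' line. Blocks without that header are skipped, which is all a
    group filter sees when it is fed a different format."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0]) if lines else None
        if not head:
            continue
        rule = next((m for m in map(RULE_RE.match, lines[1:]) if m), None)
        if not rule:
            continue
        records.append({
            "timestamp": head.group("ts"),
            "groups": split_groups(head.group("groups")),
            "rule_id": rule.group("rid"),
            "level": int(rule.group("level")),
            "description": rule.group("desc"),
        })
    return records


def parse_av_alert(line):
    """Parse one 'AV - Alert' line into the same field names: rule groups come
    from RG, the rule id from RID, the level from RL, the description from RC."""
    fields = {m.group("key"): m.group("val") for m in AV_PAIR_RE.finditer(line)}
    ts = re.search(r'AV - Alert - "(\d+)"', line)
    return {
        "timestamp": ts.group(1) if ts else None,
        "groups": split_groups(fields.get("RG", "")),
        "rule_id": fields.get("RID"),
        "level": int(fields["RL"]) if "RL" in fields else None,
        "description": fields.get("RC"),
    }


def filter_by_group(records, group):
    """Keep the records whose rule group list contains `group` exactly."""
    return [r for r in records if group in r["groups"]]


if __name__ == "__main__":
    std = parse_alerts_log(ALERTS_LOG_SAMPLE)
    print("alerts.log records in authentication_success:",
          [r["rule_id"] for r in filter_by_group(std, "authentication_success")])
    # No '** Alert' header in the AV line, so the alerts.log parser finds nothing:
    # the same outcome as the thread's "zero alerts post-filter".
    print("AV line parsed as alerts.log:", parse_alerts_log(AV_SAMPLE))
    print("AV line parsed as AV format, groups:", parse_av_alert(AV_SAMPLE)["groups"])
```

The practical check this suggests: before piping a file into a reporting or filtering tool, confirm its records start with the header the tool parses (`** Alert` for alerts.log), because a silent "zero alerts" result is indistinguishable from a format mismatch unless the parser is made to say which blocks it skipped.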