Hi All,
 
 
I activated the logall option in ossec 2.7.1 to see things happening.
 
 
I am curious to understand why this particular situation happens. In some 
logs in Windows 2008 I get the following from the ossec agent in 
archives.log:
 
2014 May 22 10:46:33 (machinename) xxx.xxx.xx.xx->WinEvtLog WinEvtLog: 
Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: 
*usernaname: 
domainname: machinename:* An account was successfully logged on. etc etc 
etc etc ... 
 
 
In other logs, I get:
 
2014 May 22 11:13:44 (machinename) xxx.xxx.xx.xxx->WinEvtLog WinEvtLog: 
Security: AUDIT_SUCCESS(4793): Microsoft-Windows-Security-Auditing: *(no 
user): no domain:* machinename: The Password Policy Checking API was 
called. etc etc etc etc .... 
 
I do not understand why in some logs we get (no user) and others get the user 
name populated correctly. This is important because some rules in 
ossec capture this field.
 
Is this some kind of field that is parsed from the Windows Event Viewer? If 
yes, what is the field?
 
Thanks in advance
 
Regards   
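
The following is an added example, not part of the original post and not OSSEC code: it parses archives.log lines in the layout of the two samples above and counts, per event ID, how many events carry a user name and how many show the (no user) placeholder. The field order is inferred from those two samples, and the host, account and address values in the sample lines are constructed.

```python
import re
from collections import defaultdict

# Field layout inferred from the two archives.log samples in the post (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]*)\) (?P<src_ip>\S+)->WinEvtLog WinEvtLog: "
    r"(?P<log>[^:]+): (?P<category>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<computer>[^:]+): (?P<message>.*)$"
)
NO_USER = "(no user)"    # placeholder text as it appears in the post
NO_DOMAIN = "no domain"  # placeholder text as it appears in the post

def parse_line(line):
    """Return the fields of one WinEvtLog archive line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    # Map the placeholders to None so callers can test for a missing account.
    if rec["user"] == NO_USER:
        rec["user"] = None
    if rec["domain"] == NO_DOMAIN:
        rec["domain"] = None
    return rec

def user_coverage(lines):
    """Count, per event ID, how many events carry a user and how many do not."""
    stats = defaultdict(lambda: {"with_user": 0, "no_user": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a WinEvtLog line in the expected layout
        stats[rec["event_id"]]["with_user" if rec["user"] else "no_user"] += 1
    return dict(stats)

# Constructed sample lines modelled on the post; the last one is a non-matching line.
SAMPLE = [
    "2014 May 22 10:46:33 (host01) 192.0.2.10->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: alice: EXAMPLE: host01: An account was successfully logged on.",
    "2014 May 22 11:13:44 (host01) 192.0.2.10->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4793): Microsoft-Windows-Security-Auditing: (no user): no domain: host01: The Password Policy Checking API was called.",
    "2014 May 22 11:14:02 host02 sshd[311]: constructed non-Windows line",
]

if __name__ == "__main__":
    for event_id, counts in sorted(user_coverage(SAMPLE).items()):
        print(event_id, counts)
```

Running it over a real archives.log shows which event IDs never carry a user name, which is the set that rules matching on the user field cannot match.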
