On 05/22/2014 05:19 AM, AMMS wrote:
> Hi All,
>
> I activated the option logall in ossec 2.7.1 to see things happening.
> I am curious to understand why this particular situation happens. In
> some logs on Windows 2008 I get the following from the ossec agent in
> archives.log:
>
> 2014 May 22 10:46:33 (machinename) xxx.xxx.xx.xx->WinEvtLog WinEvtLog:
> Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing:
> *username: domainname: machinename:* An account was successfully
> logged on. etc etc etc etc ...
>
> In other logs, I get:
>
> 2014 May 22 11:13:44 (machinename) xxx.xxx.xx.xxx->WinEvtLog WinEvtLog:
> Security: AUDIT_SUCCESS(4793): Microsoft-Windows-Security-Auditing: *(no
> user): no domain:* machinename: The Password Policy Checking API was
> called. etc etc etc etc ....

I have also noticed this. It looks like a bug to me.


Hi Michael,

This is really strange and is affecting my rules, because (login and logoffs) capture that field. For this type of message in Event Viewer on Windows 2008 all works fine, but on Windows 2012 that field is not passed.

Really strange; can anyone point me in the right direction, or offer some clarification?

Regards

On Thursday, 22 May 2014 11:19:57 UTC+1, AMMS wrote:
> Hi All,
>
> I activated the option logall in ossec 2.7.1 to see things happening.
>
> I am curious to understand why this particular situation happens. In
> some logs on Windows 2008 I get the following from the ossec agent in
> archives.log:
>
> 2014 May 22 10:46:33 (machinename) xxx.xxx.xx.xx->WinEvtLog WinEvtLog:
> Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing:
> *username: domainname: machinename:* An account was successfully
> logged on. etc etc etc etc ...
>
> In other logs, I get:
>
> 2014 May 22 11:13:44 (machinename) xxx.xxx.xx.xxx->WinEvtLog WinEvtLog:
> Security: AUDIT_SUCCESS(4793): Microsoft-Windows-Security-Auditing: *(no
> user): no domain:* machinename: The Password Policy Checking API was
> called. etc etc etc etc ....
>
> I do not understand why in some logs we get (no user) and in others the
> user name is populated correctly. This is important because some rules
> in ossec capture this field.
>
> Is this some kind of field that is parsed from the Windows Event Viewer?
> If yes, what is the field?
>
> Thanks in advance
>
> Regards
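The thread turns on how the user field of an archives.log WinEvtLog line is filled: for a 4624 logon it carries the account, while for 4793 (Password Policy Checking API) the agent writes the literal placeholder "(no user)" / "no domain", which a rule that blindly captures that position then treats as a username. The parser below is an added example written for this page; it is not code from the thread or from the OSSEC project. It assumes the field order visible in the quoted lines (log name, type(id), source, user, domain, computer, message), uses constructed sample lines with placeholder host names and the documentation address 192.0.2.10, and treats event IDs 4624/4634/4647 as logon/logoff (an assumption about which IDs a logon rule cares about). It contrasts a naive rule-style capture, which returns "(no user)" as if it were an account, with a structured parse that normalises the placeholders to None so a logon rule only fires when a real account is present.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in the archives.log WinEvtLog format quoted in the
# thread. Host names are placeholders and the IP is a documentation address.
SAMPLE_LINES = [
    "2014 May 22 10:46:33 (machinename) 192.0.2.10->WinEvtLog WinEvtLog: "
    "Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "username: domainname: machinename: An account was successfully logged on.",
    "2014 May 22 11:13:44 (machinename) 192.0.2.10->WinEvtLog WinEvtLog: "
    "Security: AUDIT_SUCCESS(4793): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: machinename: The Password Policy Checking API was called.",
    "2014 May 22 11:20:01 (machinename) 192.0.2.10->WinEvtLog WinEvtLog: "
    "Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: "
    "username: domainname: machinename: An account was logged off.",
]

# Field order assumed from the quoted lines: log: TYPE(id): source: user:
# domain: computer: message. Earlier fields are colon-free, so the message
# (which may itself contain colons) is whatever remains at the end.
WINEVT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<agent_ip>\S+)->WinEvtLog WinEvtLog: "
    r"(?P<log>[^:]+): (?P<kind>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<computer>[^:]+): (?P<message>.*)$"
)

# A rule-style capture that just grabs whatever sits in the user position.
NAIVE_USER_RE = re.compile(r"Microsoft-Windows-Security-Auditing: ([^:]+): ")


@dataclass
class WinEvt:
    ts: str
    agent: str
    agent_ip: str
    log: str
    kind: str
    event_id: int
    source: str
    user: Optional[str]    # None when the agent reported "(no user)"
    domain: Optional[str]  # None when the agent reported "no domain"
    computer: str
    message: str


def _none_if_placeholder(value: str, placeholder: str) -> Optional[str]:
    """Map the agent's literal placeholder to None so rules cannot mistake it for an account."""
    value = value.strip()
    return None if value == placeholder else value


def parse_winevt(line: str) -> Optional[WinEvt]:
    """Parse one archives.log WinEvtLog line; return None if it is not in the expected shape."""
    m = WINEVT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return WinEvt(
        ts=d["ts"], agent=d["agent"], agent_ip=d["agent_ip"], log=d["log"],
        kind=d["kind"], event_id=int(d["event_id"]), source=d["source"],
        user=_none_if_placeholder(d["user"], "(no user)"),
        domain=_none_if_placeholder(d["domain"], "no domain"),
        computer=d["computer"].strip(), message=d["message"],
    )


def naive_user(line: str) -> Optional[str]:
    """What a positional capture yields: the literal '(no user)' for events like 4793."""
    m = NAIVE_USER_RE.search(line)
    return m.group(1) if m else None


# Assumption: these are the IDs a logon/logoff rule is interested in.
LOGON_IDS = {4624: "logon", 4634: "logoff", 4647: "logoff"}


def classify(evt: WinEvt) -> str:
    """'logon'/'logoff' only when the ID matches AND a real account is present; otherwise 'other'."""
    category = LOGON_IDS.get(evt.event_id)
    return category if category and evt.user else "other"


def summarize(lines: List[str]) -> List[Tuple[object, Optional[str], Optional[str]]]:
    """Per line: (event_id, normalised user, category), or ('unparsed', None, None)."""
    out = []
    for line in lines:
        evt = parse_winevt(line)
        out.append((evt.event_id, evt.user, classify(evt)) if evt else ("unparsed", None, None))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("naive capture:", naive_user(line))
    print(summarize(SAMPLE_LINES))
```

Run on the constructed lines, the naive capture returns "username", "(no user)" and "username", while summarize() yields the 4793 event with user None and category "other", so a rule keyed on classify() never treats the placeholder as an account. If a later OSSEC version changes the field order, WINEVT_RE is the one place to adjust.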
