Some pre-auth logs don't have enough data when generated to carry this field. I don't know if this is that type of message. Anyway, could you locate the original event and export it so that we can review it? I think you can export it as XML on 2008/2012.
> On May 22, 2014, at 6:22 AM, "AMMS" <[email protected]> wrote:
>
> Hi All,
>
> I activated the option logall in ossec 2.7.1 to see things happening.
>
> I am curious to understand why this particular situation happens: in some logs in Windows 2008 I get the following from the ossec agent in archives.log:
>
> 2014 May 22 10:46:33 (machinename) xxx.xxx.xx.xx->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: usernaname: domainname: machinename: An account was successfully logged on. etc etc etc etc ...
>
> In other logs, I get:
>
> 2014 May 22 11:13:44 (machinename) xxx.xxx.xx.xxx->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4793): Microsoft-Windows-Security-Auditing: (no user): no domain: machinename: The Password Policy Checking API was called. etc etc etc etc ....
>
> I do not understand why in some logs we get (no user) and in others the user name is populated correctly; this is important because some rules in ossec capture this field.
>
> Is this some kind of field that is parsed from the Windows event viewer? If yes, what is the field?
>
> Thanks in advance
>
> Regards
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
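When reviewing the XML export suggested in the reply, the useful comparison between a 4624 and a 4793 record is where the account identity lives: in the record's own `<System><Security UserID="...">` attribute, or only inside the `<EventData>` fields. The following script is an added example, not from the thread or from OSSEC; it reads one exported `<Event>` and reports both, using two constructed sample events (not real exports) whose field values are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of Windows event XML (Event Viewer "Save Selected Events" as XML, or wevtutil /f:xml).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EventData entries that identify an account in Security audit events.
USER_FIELDS = ("SubjectUserName", "SubjectDomainName", "TargetUserName", "TargetDomainName")


def summarize_event(xml_text):
    """Summarize one exported <Event>.

    Returns (event_id, record_sid, user_fields):
      record_sid  - the UserID attribute of <System><Security>, or None when the
                    record itself carries no account SID
      user_fields - the USER_FIELDS present in <EventData>; '-' (Windows' marker
                    for "not applicable") is treated as absent
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.find("e:EventID", NS).text)
    security = system.find("e:Security", NS)
    record_sid = security.get("UserID") if security is not None else None
    user_fields = {}
    for data in root.findall("e:EventData/e:Data", NS):
        name, value = data.get("Name"), (data.text or "").strip()
        if name in USER_FIELDS and value and value != "-":
            user_fields[name] = value
    return event_id, record_sid, user_fields


# Constructed samples (not real exports): a logon event that names the target
# account, and a password-policy event with no account name in its data.
SAMPLE_4624 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
  <Channel>Security</Channel><Computer>machinename</Computer><Security/></System>
  <EventData><Data Name="SubjectUserName">-</Data><Data Name="SubjectDomainName">-</Data>
  <Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">EXAMPLE</Data>
  <Data Name="LogonType">3</Data></EventData></Event>"""

SAMPLE_4793 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4793</EventID>
  <Channel>Security</Channel><Computer>machinename</Computer><Security/></System>
  <EventData><Data Name="SubjectUserName">-</Data><Data Name="SubjectDomainName">-</Data>
  <Data Name="Workstation">machinename</Data><Data Name="Status">0x0</Data></EventData></Event>"""

if __name__ == "__main__":
    for sample in (SAMPLE_4624, SAMPLE_4793):
        print(summarize_event(sample))
```

Run it against your own exported events in place of the samples; an event whose summary shows neither a record SID nor any user field has nothing for a rule that matches on the user name to work with.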
