Good day all. It seems like I'm seeing a very odd issue with regard to Windows events coming through to the OSSEC management server. I've set this up before without any configuration changes & received all the events I wanted from the Windows end point (a Win7 machine), but this time around (a Win2k3 Server for testing) it seems to be failing as far as what data it returns into the main alerts.log file. Here's a sample of one of the events I get:
** Alert 1402320160.117595: mail - syslog,errors,
2014 Jun 09 09:22:40 (SERVER) 10.0.0.10->WinEvtLog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
2014 Jun 09 09:22:40 WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: SERVER: Logon Failure: Reason: Unknown user name or bad password User Name: username Domain: DOMAIN Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WORKSTATION Caller User Name: SERVER$ Caller Domain: DOMAIN Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1364 Transited Services: - Source Network Address: 10.0.01 Source Port: 58985

This event is of course generated because my RDP client doesn't store the password for my session, hence triggering this alert because I must be prompted for my password to login. That said, I don't receive any others except events like this:

** Alert 1402320392.118323: mail - syslog,errors,
2014 Jun 09 09:26:32 (SERVER) 10.0.0.11->WinEvtLog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
2014 Jun 09 09:26:31 WinEvtLog: Security: AUDIT_SUCCESS(680): Security: Administrator: SERVER: SERVER: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Administrator Source Workstation: WORKSTATION Error Code: 0x0

After seeing such a sparse return on Windows login/logout etc., I started tweaking the decoders a bit to see if that would help, but I don't want to go too far down the rabbit hole at this point. Appreciate any guidance.
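A decoder check for the two WinEvtLog lines quoted above, written here as an added example (it is neither OSSEC's own windows decoder nor the poster's code): it parses the colon-separated header the Windows agent forwards, pulls a few per-event-ID fields the way a child decoder would, and classifies the result so a rule could key on it. The regexes, field names and outcome labels are my own assumptions; the two sample lines are constructed copies of the ones in the post.

```python
import re
from typing import Optional

# Constructed test data: the WinEvtLog portion of the two alerts in the post.
SAMPLE_529 = ("WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: SERVER: "
              "Logon Failure: Reason: Unknown user name or bad password User Name: username "
              "Domain: DOMAIN Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate "
              "Workstation Name: WORKSTATION Caller User Name: SERVER$ Caller Domain: DOMAIN "
              "Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1364 Transited Services: - "
              "Source Network Address: 10.0.01 Source Port: 58985")
SAMPLE_680 = ("WinEvtLog: Security: AUDIT_SUCCESS(680): Security: Administrator: SERVER: SERVER: "
              "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Administrator "
              "Source Workstation: WORKSTATION Error Code: 0x0")

# Header layout shared by both lines: log, type(id), source, user, domain, computer, message.
# This regex is an assumption written for the example, not OSSEC's decoder.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): (?P<message>.*)$")

# Per-event-ID field extractors (hypothetical), in the spirit of parent/child decoders.
CHILD_FIELDS = {
    529: {"user": r"User Name: (\S+)", "logon_type": r"Logon Type: (\d+)",
          "src_ip": r"Source Network Address: (\S+)"},
    680: {"user": r"Logon account: (\S+)", "src_host": r"Source Workstation: (\S+)",
          "error_code": r"Error Code: (\S+)"},
}


def decode(line: str) -> Optional[dict]:
    """Return the decoded header plus child fields, or None if the line does not fit the layout."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # an undecoded line is what falls through to a generic rule such as 1002
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    for name, pattern in CHILD_FIELDS.get(ev["event_id"], {}).items():
        fm = re.search(pattern, ev["message"])
        if fm:
            ev[name] = fm.group(1)
    return ev


def classify(ev: dict) -> str:
    """Map a decoded event to the outcome a detection rule would match on."""
    if ev["type"] == "AUDIT_FAILURE" and ev["event_id"] == 529:
        return "logon_failure"
    if ev["type"] == "AUDIT_SUCCESS" and ev["event_id"] == 680:
        return "credential_validation_success" if ev.get("error_code") == "0x0" else "credential_validation_failure"
    return "unclassified"
```

Running `decode` over a line that returns None is the quickest way to tell whether the agent's output itself changed shape or only the downstream rule failed to match.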
