On Tue, Jun 17, 2014 at 9:18 AM, Robert Littlefield <[email protected]> wrote:

> Hello, all. Can you please assist me with a way to exclude a user account
> from the following? Meaning, if user matches "automatedAccount" do not
> return log information.
>
>     <group name="">
>       <rule id="900000" level="10">
>         <if_sid>18104</if_sid>
>         <id>^4688</id>
>         <regex>Token Elevation Type: %%1937</regex>
>         <description>Escalated privileges were exercised</description>
>         <group>escalated privileges,</group>
>       </rule>
>
>       <rule id="900001" level="9">
>         <if_group>authentication_success</if_group>
>         <time>7 pm - 5 am</time>
>         <description>Successful login during non-business hours</description>
>         <group>login_time,</group>
>       </rule>
>
>       <rule id="900002" level="9">
>         <if_group>authentication_success</if_group>
>         <weekday>weekends</weekday>
>         <description>Successful login during weekend</description>
>         <group>login_day,</group>
>       </rule>
>
>       <rule id="900003" level="9">
>         <if_sid>18105</if_sid>
>         <id>^4656</id>
>         <description>Filesystem Access/Change Attempt Failure</description>
>         <group>filesystem_failure,</group>
>       </rule>
>
>       <rule id="900004" level="0">
>         <if_sid>900003</if_sid>
>         <regex>Object\s+Name:\s+\\REGISTRY</regex>
>         <description>Filesystem Access/Change Attempt Failure - Registry</description>
>       </rule>
>
>       <rule id="900005" level="0">
>         <if_sid>900003</if_sid>
>         <regex>Process Name:\s+C:\\Windows\\servicing\\TrustedInstaller.exe</regex>
>         <description>Filesystem Access/Change Attempt Failure - Trusted Installer</description>
>       </rule>
>     </group>
>
>     <group name="policy_violation,">
>       <rule id="17101" level="9">
>         <time>7 pm - 5 am</time>
>         <description>Successful login during non-business hours</description>
>         <group>login_time,</group>
>       </rule>
>     </group>
>
Log sample? What are the applicable decoders? Have you tried ossec-logtest?

> Thank you
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
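The exclusion the question asks about can be expressed with the same idiom the posted rules already use for the registry and TrustedInstaller cases (rules 900004 and 900005): a level-0 child rule that fires instead of the parent whenever the noisy condition is present. The block below is an added example written in OSSEC rule syntax; it is not code from either poster. It assumes the 4688 event text carries the initiating account as "Account Name: automatedAccount" (the Windows "Subject" block), that the decoder handling the login events populates the decoded user field, and it picks the ids 900010 and 900011 only to follow the thread's numbering.

```xml
<group name="local,windows,">
  <!-- Added example, not from the thread. Silence rule 900000 (escalated
       privileges) when the raw 4688 text names the automated account.
       Assumption: the account appears as "Account Name: automatedAccount". -->
  <rule id="900010" level="0">
    <if_sid>900000</if_sid>
    <regex>Account Name:\s+automatedAccount</regex>
    <description>Escalated privileges exercised by automated account (ignored)</description>
  </rule>

  <!-- Same exclusion for the after-hours and weekend login rules.
       if_sid accepts a comma-separated list; <user> matches the decoded
       user field, so this assumes the decoder in use fills it in.
       ^ and $ anchor the match so "automatedAccount2" does not slip through. -->
  <rule id="900011" level="0">
    <if_sid>900001,900002</if_sid>
    <user>^automatedAccount$</user>
    <description>Automated account login outside business hours (ignored)</description>
  </rule>
</group>
```

A child rule can only reference a parent id that has already been loaded, so this group belongs in a file that is read after the one defining 900000 to 900002 (local_rules.xml is loaded last by default). Feeding one of the real events through ossec-logtest, as the reply suggests, shows whether the decoder exposes the user field at all and which rule ends up firing, which is the quickest way to confirm the assumptions above. A match on the account name alone hides everything that account does, so where the automated activity is predictable it is worth tightening the child rule with a second condition, for example the expected process name, the way 900005 pins its exclusion to TrustedInstaller.exe rather than to all registry failures.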
