Here are the logtest results with the verbose switch on. This event is from 
intentionally using a bad password when trying to unlock a locked Win7 host. 
When I had rule 1002 enabled, it fired the rule and alerted, so I'm grabbing 
the output from that to feed into the logtest. Since this alert was generated 
when rule 1002 was enabled, I know the agent/host is sending the logs over, 
and the logtest succeeds in firing rule 18106, but it doesn't in real testing. 

==========================

# bin/ossec-logtest -v
2014/09/08 15:10:54 ossec-testrule: INFO: Reading local decoder file.
2014/09/08 15:10:54 ossec-testrule: INFO: Started (pid: 9917).
ossec-testrule: Type one log per line.

WinEvtLog: Security: AUDIT_FAILURE(4625): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
HostName.OurDomain: An account failed to log on. Subject:  Security ID: 
 S-1-5-18  Account Name:  HostName$  Account Domain:  COHBRI  Logon ID: 
 0x3e7  Logon Type:   7  Account For Which Logon Failed:  Security ID: 
 S-1-0-0  Account Name:  UserName  Account Domain:  COHBRI  Failure 
Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status: 
 0xc000006a  Process Information:  Caller Process ID: 0x2a0  Caller Process 
Name: C:\Windows\System32\winlogon.exe  Network Information:  Workstation 
Name: HostName  Source Network Address: 127.0.0.1  Source Port:  0 
 Detailed Authentication Information:  Logon Process:  User32   
Authentication Package: Negotiate  Transited Services: -  Package Name 
(NTLM only): -  Key Length:  0  This event is generated when a logon 
request fails. It is generated on the computer where access was attempted.


**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_FAILURE(4625): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
HostName.OurDomain: An account failed to log on. Subject:  Security ID: 
 S-1-5-18  Account Name:  HostName$  Account Domain:  COHBRI  Logon ID: 
 0x3e7  Logon Type:   7  Account For Which Logon Failed:  Security ID: 
 S-1-0-0  Account Name:  UserName  Account Domain:  COHBRI  Failure 
Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status: 
 0xc000006a  Process Information:  Caller Process ID: 0x2a0  Caller Process 
Name: C:\Windows\System32\winlogon.exe  Network Information:  Workstation 
Name: HostName  Source Network Address: 127.0.0.1  Source Port:  0 
 Detailed Authentication Information:  Logon Process:  User32   
Authentication Package: Negotiate  Transited Services: -  Package Name 
(NTLM only): -  Key Length:  0  This event is generated when a logon 
request fails. It is generated on the computer where access was attempted. '
       hostname: 'vmp-ossec'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_FAILURE(4625): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
HostName.OurDomain: An account failed to log on. Subject:  Security ID: 
 S-1-5-18  Account Name:  HostName$  Account Domain:  COHBRI  Logon ID: 
 0x3e7  Logon Type:   7  Account For Which Logon Failed:  Security ID: 
 S-1-0-0  Account Name:  UserName  Account Domain:  COHBRI  Failure 
Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status: 
 0xc000006a  Process Information:  Caller Process ID: 0x2a0  Caller Process 
Name: C:\Windows\System32\winlogon.exe  Network Information:  Workstation 
Name: HostName  Source Network Address: 127.0.0.1  Source Port:  0 
 Detailed Authentication Information:  Logon Process:  User32   
Authentication Package: Negotiate  Transited Services: -  Package Name 
(NTLM only): -  Key Length:  0  This event is generated when a logon 
request fails. It is generated on the computer where access was attempted. '

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_FAILURE'
       id: '4625'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'HostName.OurDomain'

**Rule debugging:
    Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
    Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
    Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
    Trying rule: 18101 - Windows informational event.
    Trying rule: 18102 - Windows warning event.
    Trying rule: 18104 - Windows audit success event.
    Trying rule: 18103 - Windows error event.
    Trying rule: 18105 - Windows audit failure event.
       *Rule 18105 matched.
       *Trying child rules.
    Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
    Trying rule: 18153 - Multiple Windows audit failure events.
    Trying rule: 18106 - Windows Logon Failure.
       *Rule 18106 matched.
       *Trying child rules.
    Trying rule: 18152 - Multiple Windows Logon Failures.
    Trying rule: 40111 - Multiple authentication failures.
    Trying rule: 18134 - Logon Failure - User not allowed to login at this 
computer.
    Trying rule: 18138 - Logon Failure - Account locked out.
    Trying rule: 18130 - Logon Failure - Unknown user or bad password.
    Trying rule: 18131 - Logon Failure - Account logon time restriction 
violation.
    Trying rule: 18132 - Logon Failure - Account currently disabled.
    Trying rule: 18133 - Logon Failure - Specified account expired.
    Trying rule: 18135 - Logon Failure - User not granted logon type.
    Trying rule: 18136 - Logon Failure - Account's password expired.
    Trying rule: 18137 - Logon Failure - Internal error.

**Phase 3: Completed filtering (rules).
       Rule id: '18106'
       Level: '5'
       Description: 'Windows Logon Failure.'
**Alert to be generated.

================================

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
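As an added example (not part of the original post and not OSSEC's own `windows` decoder or rules), the Python below parses a WinEvtLog line of the shape quoted above into the same header fields the logtest trace reports for the `windows` decoder (status, id, extra_data, dstuser, system_name), then pulls the 4625-specific fields from the message body (logon type, subject and target account, Status and Sub Status, caller process, workstation, source address) and maps the Sub Status NTSTATUS code to the failure reason Microsoft documents for event 4625. The trace shows the reason-specific child rules (18130, 18138 and the rest) were tried but did not match this 4625 event; classifying on Sub Status is one way to get that granularity when checking what the agent actually forwards. The sample line is constructed from the post with placeholder host, domain and user names; the second sample and all function and field names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: the 4625 event from the post, joined onto one line the way
# the OSSEC agent forwards it. Host, domain and user names are placeholders.
SAMPLE_4625 = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "HostName.OurDomain: An account failed to log on. Subject:  Security ID:  "
    "S-1-5-18  Account Name:  HostName$  Account Domain:  COHBRI  Logon ID:  "
    "0x3e7  Logon Type:   7  Account For Which Logon Failed:  Security ID:  "
    "S-1-0-0  Account Name:  UserName  Account Domain:  COHBRI  Failure "
    "Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  "
    "0xc000006a  Process Information:  Caller Process ID: 0x2a0  Caller Process "
    "Name: C:\\Windows\\System32\\winlogon.exe  Network Information:  Workstation "
    "Name: HostName  Source Network Address: 127.0.0.1  Source Port:  0  "
    "Detailed Authentication Information:  Logon Process:  User32   "
    "Authentication Package: Negotiate  Transited Services: -  Package Name "
    "(NTLM only): -  Key Length:  0  This event is generated when a logon "
    "request fails. It is generated on the computer where access was attempted."
)
# Second constructed sample (assumption, not from the post): same event with the
# Sub Status Windows uses for a locked-out account.
SAMPLE_LOCKED = SAMPLE_4625.replace("Sub Status:  0xc000006a", "Sub Status:  0xc0000234")

# Sub Status values documented by Microsoft for event 4625.
SUB_STATUS_REASON: Dict[int, str] = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC000006D: "bad user name or authentication information",
    0xC000006E: "account restriction",
    0xC000006F: "logon outside allowed hours",
    0xC0000070: "user not allowed to log on at this workstation",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC0000133: "clocks between DC and workstation out of sync",
    0xC000015B: "user not granted the requested logon type at this machine",
    0xC0000193: "account expired",
    0xC0000224: "user must change password at next logon",
    0xC0000234: "account locked out",
}
LOGON_TYPE: Dict[int, str] = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Header as the agent writes it: log name, status(id), provider, user, domain, host, message.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<provider>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system>[^:]+): (?P<message>.*)$"
)

@dataclass
class WinEvt:
    log: str
    status: str        # AUDIT_FAILURE, AUDIT_SUCCESS, INFORMATION, ...
    id: int            # event ID, 4625 here
    extra_data: str    # provider, as the windows decoder names it
    dstuser: str
    domain: str
    system_name: str
    message: str

def parse_winevtlog(line: str) -> Optional[WinEvt]:
    """Split the WinEvtLog header; returns None for lines of any other shape."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return WinEvt(m["log"], m["status"], int(m["id"]), m["provider"],
                  m["user"], m["domain"], m["system"], m["message"])

def _field(msg: str, label: str, pattern: str = r"\S+") -> Optional[str]:
    m = re.search(re.escape(label) + r":\s+(" + pattern + ")", msg)
    return m.group(1) if m else None

def parse_4625(ev: WinEvt) -> Optional[Dict[str, object]]:
    """Extract the 4625 body fields. The body carries two Account Name entries:
    the first is the subject (here the machine account), the second the target."""
    if ev.id != 4625:
        return None
    msg = ev.message
    names = re.findall(r"Account Name:\s+(\S+)", msg)
    domains = re.findall(r"Account Domain:\s+(\S+)", msg)
    status = re.search(r"(?<!Sub )Status:\s+(0x[0-9A-Fa-f]+)", msg)
    sub = re.search(r"Sub Status:\s+(0x[0-9A-Fa-f]+)", msg)
    logon_type = _field(msg, "Logon Type", r"\d+")
    sub_code = int(sub.group(1), 16) if sub else None
    return {
        "logon_type": int(logon_type) if logon_type else None,
        "logon_type_name": LOGON_TYPE.get(int(logon_type), "Unknown") if logon_type else "Unknown",
        "subject_user": names[0] if names else None,
        "target_user": names[1] if len(names) > 1 else None,
        "target_domain": domains[1] if len(domains) > 1 else None,
        "status": int(status.group(1), 16) if status else None,
        "sub_status": sub_code,
        "reason": SUB_STATUS_REASON.get(sub_code, "unknown sub status 0x%08X" % (sub_code or 0)),
        # paths may contain spaces, so read up to the next double-space separator
        "caller_process": _field(msg, "Caller Process Name", r".+?(?=\s{2,})"),
        "workstation": _field(msg, "Workstation Name"),
        "source_address": _field(msg, "Source Network Address"),
    }

def describe(line: str) -> Optional[str]:
    """One-line classification of a 4625 event, or None if the line is not one."""
    ev = parse_winevtlog(line)
    d = parse_4625(ev) if ev else None
    if not d:
        return None
    return "%d %s logon failure for %s\\%s on %s from %s: %s" % (
        ev.id, d["logon_type_name"], d["target_domain"], d["target_user"],
        ev.system_name, d["source_address"], d["reason"])

if __name__ == "__main__":
    for sample in (SAMPLE_4625, SAMPLE_LOCKED):
        print(describe(sample))
```

Run it as a script to see both samples classified; feed it the raw lines from the agent's archive (or `ossec-logtest` input) to compare what arrives in production with what the logtest run above decoded.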