On Mon, Sep 8, 2014 at 6:18 PM, velvin <[email protected]> wrote:
> Here are the logtest results with verbose switch on. This event is from
> intentionally using a bad password when trying to unlock a locked win7 host.
> When I had rule 1002 enabled, it fired the rule and alerted so I'm grabbing
> the output from that to feed in to the logtest. Since this alert generated
> when rule 1002 was enabled, I know the agent/host is sending the logs over
> and the log test succeeds to fire rule 18106 but it doesn't in real testing.
>

What do you mean by "when rule 1002 was enabled?"

> ==========================
>
> # bin/ossec-logtest -v
> 2014/09/08 15:10:54 ossec-testrule: INFO: Reading local decoder file.
> 2014/09/08 15:10:54 ossec-testrule: INFO: Started (pid: 9917).
> ossec-testrule: Type one log per line.
>
> WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: HostName.OurDomain: An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: HostName$ Account Domain: COHBRI Logon ID: 0x3e7 Logon Type: 7 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: UserName Account Domain: COHBRI Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x2a0 Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: HostName Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
>
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: HostName.OurDomain: An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: HostName$ Account Domain: COHBRI Logon ID: 0x3e7 Logon Type: 7 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: UserName Account Domain: COHBRI Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x2a0 Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: HostName Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. '
> hostname: 'vmp-ossec'
> program_name: '(null)'
> log: 'WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: HostName.OurDomain: An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: HostName$ Account Domain: COHBRI Logon ID: 0x3e7 Logon Type: 7 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: UserName Account Domain: COHBRI Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x2a0 Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: HostName Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. '
>
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'AUDIT_FAILURE'
> id: '4625'
> extra_data: 'Microsoft-Windows-Security-Auditing'
> dstuser: '(no user)'
> system_name: 'HostName.OurDomain'
>
> **Rule debugging:
> Trying rule: 6 - Generic template for all windows rules.
> *Rule 6 matched.
> *Trying child rules.
> Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
> Trying rule: 18100 - Group of windows rules.
> *Rule 18100 matched.
> *Trying child rules.
> Trying rule: 18101 - Windows informational event.
> Trying rule: 18102 - Windows warning event.
> Trying rule: 18104 - Windows audit success event.
> Trying rule: 18103 - Windows error event.
> Trying rule: 18105 - Windows audit failure event.
> *Rule 18105 matched.
> *Trying child rules.
> Trying rule: 18120 - Windows login attempt (ignored). Duplicated.
> Trying rule: 18153 - Multiple Windows audit failure events.
> Trying rule: 18106 - Windows Logon Failure.
> *Rule 18106 matched.
> *Trying child rules.
> Trying rule: 18152 - Multiple Windows Logon Failures.
> Trying rule: 40111 - Multiple authentication failures.
> Trying rule: 18134 - Logon Failure - User not allowed to login at this computer.
> Trying rule: 18138 - Logon Failure - Account locked out.
> Trying rule: 18130 - Logon Failure - Unknown user or bad password.
> Trying rule: 18131 - Logon Failure - Account logon time restriction violation.
> Trying rule: 18132 - Logon Failure - Account currently disabled.
> Trying rule: 18133 - Logon Failure - Specified account expired.
> Trying rule: 18135 - Logon Failure - User not granted logon type.
> Trying rule: 18136 - Logon Failure - Account's password expired.
> Trying rule: 18137 - Logon Failure - Internal error.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '18106'
> Level: '5'
> Description: 'Windows Logon Failure.'
> **Alert to be generated.
>
> ================================
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
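The logtest output quoted above walks a decoder (Phase 2) and then a parent-to-child rule tree (Phase 3). The following is an added example, not code from this thread or from OSSEC, that models that walk for the same 4625 event so the trace can be reproduced and inspected offline. The regular expression is an approximation written for this example and is not the `windows` decoder from OSSEC's decoder.xml; the rule predicates, and every rule level other than 18106's, are assumptions chosen to reproduce the trace, and only the rule ids and descriptions come from the thread. The `Sub Status` table holds NTSTATUS values documented by Microsoft, so a defender can read the failure reason straight off the event even though no child rule of 18106 fires here.

```python
"""Added example (not OSSEC's own code): a simplified model of the
decode -> rule-tree walk that ossec-logtest printed for a Windows 4625 event.

Assumptions: WINEVT_RE approximates the 'windows' decoder; the RULES
predicates and all levels except 18106's are invented for this model."""
import re

# Constructed sample, same shape as the event pasted in the thread.
SAMPLE_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "HostName.OurDomain: An account failed to log on. Subject: Security ID: "
    "S-1-5-18 Account Name: HostName$ Account Domain: COHBRI Logon ID: 0x3e7 "
    "Logon Type: 7 Account For Which Logon Failed: Security ID: S-1-0-0 "
    "Account Name: UserName Account Domain: COHBRI Failure Information: "
    "Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a "
    "Process Information: Caller Process ID: 0x2a0 Caller Process Name: "
    "C:\\Windows\\System32\\winlogon.exe Network Information: Workstation "
    "Name: HostName Source Network Address: 127.0.0.1 Source Port: 0"
)

# Approximation of the windows decoder: the header fields are colon
# separated; the free-text message (which itself contains colons) is the rest.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)


def decode(log):
    """Return the Phase 2 style fields, or None if this is not a WinEvtLog line."""
    m = WINEVT_RE.match(log)
    if not m:
        return None
    fields = m.groupdict()
    fields["decoder"] = "windows"
    return fields


# NTSTATUS codes that Windows puts in the 'Sub Status' of event 4625.
SUB_STATUS = {
    "0xc000006a": "wrong password (STATUS_WRONG_PASSWORD)",
    "0xc0000064": "user name does not exist (STATUS_NO_SUCH_USER)",
    "0xc0000234": "account locked out (STATUS_ACCOUNT_LOCKED_OUT)",
}


def failure_reason(decoded):
    """Explain why the logon failed using the Sub Status code in the message."""
    m = re.search(r"Sub Status: (0x[0-9a-fA-F]+)", decoded["message"])
    if not m:
        return "unknown"
    return SUB_STATUS.get(m.group(1).lower(), m.group(1))


# Toy rule tree: (id, level, description, parent id, predicate on decoded dict).
# Ids and descriptions are from the logtest trace; predicates are assumptions.
RULES = [
    (6, 0, "Generic template for all windows rules.", None,
     lambda d: d is not None),
    (18100, 0, "Group of windows rules.", 6,
     lambda d: d["decoder"] == "windows"),
    (18105, 0, "Windows audit failure event.", 18100,
     lambda d: d["status"] == "AUDIT_FAILURE"),
    (18106, 5, "Windows Logon Failure.", 18105,
     lambda d: d["id"] in ("529", "4625")),
    # Assumed to match only the older 529-style wording, so it is tried
    # for a 4625 event but does not match, as in the trace above.
    (18130, 5, "Logon Failure - Unknown user or bad password.", 18106,
     lambda d: "Unknown user name or bad password" in d["message"]),
]


def match_rules(decoded, parent=None, trace=None):
    """Depth-first walk: children are only tried after their parent matched,
    and the deepest matching rule wins, mirroring the Phase 3 debug output."""
    trace = [] if trace is None else trace
    for rid, level, desc, par, pred in RULES:
        if par != parent:
            continue
        trace.append(f"Trying rule: {rid} - {desc}")
        if pred(decoded):
            trace.append(f"*Rule {rid} matched.")
            trace.append("*Trying child rules.")
            child = match_rules(decoded, rid, trace)
            return child if child else (rid, level, desc)
    return None


def analyse(log):
    """Run decode + rule walk; returns (decoded fields, winning rule, trace)."""
    decoded = decode(log)
    trace = []
    hit = match_rules(decoded, None, trace)
    return decoded, hit, trace


if __name__ == "__main__":
    decoded, hit, trace = analyse(SAMPLE_EVENT)
    print("\n".join(trace))
    print("Rule id:", hit[0], "Level:", hit[1], "Description:", hit[2])
    print("Failure reason from Sub Status:", failure_reason(decoded))
```

Running the script prints a trace in the same shape as the quoted Phase 3 output and ends at rule 18106, level 5, because in this model 18130 keys on message text that the 4625 event does not carry; the `Sub Status` lookup then shows the underlying cause (a wrong password, consistent with the test the poster describes) without any additional rule firing.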
