On 2014-09-08 19:45, Jay Bittner wrote:

One problem I've noticed in the logs, which isn't very helpful, is
that for some 'Windows Logon Success' events (Alert 1410221611),
it often puts 'ANONYMOUS LOGON' or 'SYSTEM' instead of the
actual user account that logged in. But on other alerts, from some of
the other computers, it puts the actual person's login name (e.g.
[email protected]). Our employees use emails to log in to Windows.

The problem is that in these cases the user truly is 'ANONYMOUS' or 'SYSTEM'. If you look at the event in Event Viewer, you will see that the user in the top part of the event (where the fields are delineated) is most likely the user you are seeing decoded. For instance, a failed logon will often show up as SYSTEM because Windows wasn't able to truly authenticate who it was, so it uses its own name.

To correct this requires a rewrite of the decoder to account for the nuances where the expected username is further into the message. It's not a simple task. Sometimes one even contains a source and destination user, as is the case with account changes, so you have to decide which one you care about. And each event ID from different versions of Windows may be different.

A while back I started a log corpus and put out a call for help so we could tackle this problem, but no one jumped in. I don't think this can be truly fixed without a large sample of Windows logs and documentation of the OSSEC log format, the latter of which I also offered to help with, but that offer was rejected.
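The decoding problem described in this reply, as an added example that is not part of the thread and not OSSEC's own decoder code: a naive decoder that grabs the first "Account Name" in a Windows Security event gets the acting account from the "Subject:" block (SYSTEM, or "-"), while the account the event is actually about sits in a later section whose name depends on the event ID. The event bodies below are constructed samples, not captured logs; the section names for 4624, 4625 and 4720 ("New Logon", "Account For Which Logon Failed", "New Account") are the standard Vista/2008-and-later layouts and are an assumption for anything older or for other IDs, and `user@example.com` is a placeholder.

```python
import re


def _render(header, sections):
    """Build a Windows-style event body: a section header line, then
    tab-indented 'Name:<tabs>Value' field lines (constructed sample data)."""
    lines = [header, ""]
    for name, fields in sections:
        lines.append(f"{name}:")
        lines.extend(f"\t{k}:\t\t{v}" for k, v in fields)
        lines.append("")
    return "\n".join(lines)


# Constructed samples keyed by event ID (not real captured logs).
SAMPLES = {
    # 4625: the Subject is SYSTEM; the account that failed is in its own section.
    4625: _render("An account failed to log on.", [
        ("Subject", [("Security ID", "S-1-5-18"), ("Account Name", "SYSTEM"),
                     ("Account Domain", "NT AUTHORITY")]),
        ("Account For Which Logon Failed", [("Security ID", "S-1-0-0"),
                     ("Account Name", "user@example.com"), ("Account Domain", "EXAMPLE")]),
    ]),
    # 4624: an anonymous network logon really is ANONYMOUS LOGON in New Logon.
    4624: _render("An account was successfully logged on.", [
        ("Subject", [("Security ID", "S-1-0-0"), ("Account Name", "-"),
                     ("Account Domain", "-")]),
        ("New Logon", [("Security ID", "S-1-5-7"), ("Account Name", "ANONYMOUS LOGON"),
                     ("Account Domain", "NT AUTHORITY")]),
    ]),
    # 4720: a source (Subject) and a destination (New Account) user are both present.
    4720: _render("A user account was created.", [
        ("Subject", [("Security ID", "S-1-5-21-1-2-3-500"), ("Account Name", "admin"),
                     ("Account Domain", "EXAMPLE")]),
        ("New Account", [("Security ID", "S-1-5-21-1-2-3-1105"),
                     ("Account Name", "svc-backup"), ("Account Domain", "EXAMPLE")]),
    ]),
}

FIELD_RE = re.compile(r"^\s+([^:\t]+):\s*(.*?)\s*$")    # indented "Name:  Value"
SECTION_RE = re.compile(r"^([^\s:][^:]*):\s*$")          # unindented "Name:" header


def parse_sections(message):
    """Group field lines under the section header that precedes them."""
    sections, current = {"_top": {}}, "_top"
    for line in message.splitlines():
        if not line.strip():
            continue
        if SECTION_RE.match(line):
            current = line.strip().rstrip(":")
            sections.setdefault(current, {})
            continue
        m = FIELD_RE.match(line)
        if m:
            sections[current][m.group(1).strip()] = m.group(2)
    return sections


def first_account_name(message):
    """What a decoder that takes the first 'Account Name' sees: the Subject."""
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1).strip() == "Account Name":
            return m.group(2)
    return None


# Which section holds the account the event is *about*. Assumption: these are
# the section names of Vista/2008 and later; other IDs and older Windows
# versions lay the text out differently, which is why a per-ID table is needed.
TARGET_SECTION = {4624: "New Logon", 4625: "Account For Which Logon Failed",
                  4720: "New Account"}


def decode_user(event_id, message):
    """Return (name, domain) of the target account, falling back to Subject."""
    sections = parse_sections(message)
    fields = sections.get(TARGET_SECTION.get(event_id, "Subject")) or sections.get("Subject", {})
    return fields.get("Account Name", "-"), fields.get("Account Domain", "-")


def decode_actor(message):
    """Return (name, domain) of the acting (source) account from Subject."""
    subj = parse_sections(message).get("Subject", {})
    return subj.get("Account Name", "-"), subj.get("Account Domain", "-")


if __name__ == "__main__":
    for eid, body in SAMPLES.items():
        print(eid, "first Account Name:", first_account_name(body),
              "| target:", decode_user(eid, body), "| actor:", decode_actor(body))
```

Run as a script, the 4625 sample shows the gap the reply describes (the first "Account Name" is SYSTEM, the target is the failed user), the 4624 sample shows that a network logon decoded as ANONYMOUS LOGON is genuinely anonymous in the correct section too, and the 4720 sample shows why account-change events need a choice between source and destination user. The per-event-ID table is the part that grows with every Windows version, which is what makes the decoder rewrite the reply mentions a large job.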

--

--- You received this message because you are subscribed to the Google Groups "ossec-list" group.