Good Day,
I am getting a lot of these in my email notifications. Can anyone shed light as to how to deal with these? I am working through someone else's install and still not understanding how to write the rules to process this type of message. Any help would be great.

OSSEC HIDS Notification.
2015 Jun 05 10:00:13

Received From: (%ServerName%) %ServerIP%->WinEvtLog
Rule: 40111 fired (level 10) -> "Multiple authentication failures."
Portion of the log(s):

2015 Jun 05 10:00:17 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: %servername.domain.local%: An account failed to log on.
Subject:
    Security ID: S-1-0-0
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
    Security ID: S-1-0-0
    Account Name: Shipping
    Account Domain: %workstation%
Failure Information:
    Failure Reason: %%2313
    Status: 0xc000006d
    Sub Status: 0xc0000064
Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
Network Information:
    Workstation Name: %workstation%
    Source Network Address: %workstationIP%
    Source Port: 65472
Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.

Thank you,
Todd Clementz
ACLens IT Department
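Added example, not part of the original post and not OSSEC's own code: a Python script that parses Windows 4625 events in the flattened one-line layout the alert e-mail shows, decodes the NTSTATUS codes, and replays the kind of frequency rule that 40111 represents (N failures from one source within T seconds) over constructed sample lines. In the posted event, Status 0xc000006d is STATUS_LOGON_FAILURE and Sub Status 0xc0000064 is STATUS_NO_SUCH_USER, and Logon Type 3 is a network logon, so something on %workstation% is presenting an account named "Shipping" over NTLM that does not exist where it is being checked; repeated failures of that shape from a single workstation are often a stale saved credential, mapped drive or scheduled task rather than a person, which is what to verify before tuning. The threshold and window below, the hostnames, account names and IPs, and the helper names are all assumptions for the example; the real frequency and timeframe for rule 40111 are whatever your install's rule file sets.

```python
"""Parse OSSEC-formatted Windows 4625 events and replay a frequency rule.
Added example with constructed input; not OSSEC code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Well-known NTSTATUS values that appear in 4625 Status / Sub Status fields.
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE (bad user name or authentication information)",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000064": "STATUS_NO_SUCH_USER (account name does not exist)",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
    "0xc0000072": "STATUS_ACCOUNT_DISABLED",
    "0xc0000071": "STATUS_PASSWORD_EXPIRED",
}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "8": "NetworkCleartext", "9": "NewCredentials",
               "10": "RemoteInteractive", "11": "CachedInteractive"}

# Field order follows the flattened layout in the alert e-mail. The second
# "Account Name" (under "Account For Which Logon Failed") is the one we want.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: Security: "
    r"AUDIT_FAILURE\((?P<event_id>\d+)\):.*?Logon Type:\s*(?P<logon_type>\d+).*?"
    r"Account For Which Logon Failed:.*?Account Name:\s*(?P<account>.+?)\s+"
    r"Account Domain:\s*(?P<domain>\S+).*?"
    r"Status:\s*(?P<status>0x[0-9a-fA-F]+)\s+Sub Status:\s*(?P<substatus>0x[0-9a-fA-F]+).*?"
    r"Workstation Name:\s*(?P<workstation>\S+)\s+Source Network Address:\s*(?P<src_ip>\S+)"
    r"\s+Source Port:\s*(?P<src_port>\d+).*?Authentication Package:\s*(?P<auth_pkg>\S+)")


def parse_4625(line):
    """Return a dict of the fields an analyst needs, or None if the line is not a 4625."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%Y %b %d %H:%M:%S")
    ev["status_text"] = NTSTATUS.get(ev["status"].lower(), "unknown")
    ev["substatus_text"] = NTSTATUS.get(ev["substatus"].lower(), "unknown")
    ev["logon_type_text"] = LOGON_TYPES.get(ev["logon_type"], "unknown")
    return ev


class FailureCorrelator:
    """Sliding-window frequency rule keyed on (source IP, target account)."""

    def __init__(self, threshold=6, window_seconds=360):  # assumed values
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.seen = defaultdict(deque)

    def feed(self, ev):
        key = (ev["src_ip"], ev["account"])
        q = self.seen[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.threshold:
            count = len(q)
            q.clear()                                   # one alert per burst
            return {"key": key, "count": count, "last_seen": ev["time"],
                    "reason": ev["substatus_text"],
                    "logon": f'{ev["logon_type_text"]} via {ev["auth_pkg"]} from {ev["workstation"]}'}
        return None


def replay(lines, threshold=6, window_seconds=360):
    """Run every 4625 line through the correlator; return the alerts it raised."""
    corr, alerts = FailureCorrelator(threshold, window_seconds), []
    for line in lines:
        ev = parse_4625(line)
        if ev is None or ev["event_id"] != "4625":
            continue
        alert = corr.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


def make_event(ts, account, src_ip, status="0xc000006d", substatus="0xc0000064"):
    """Constructed 4625 line in the e-mail's flattened layout (sample data, not a real log)."""
    return (f"{ts} WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
            f"(no user): no domain: srv01.domain.local: An account failed to log on. Subject: "
            f"Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
            f"Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: {account} "
            f"Account Domain: WS-SHIP01 Failure Information: Failure Reason: %%2313 Status: {status} "
            f"Sub Status: {substatus} Process Information: Caller Process ID: 0x0 Caller Process Name: - "
            f"Network Information: Workstation Name: WS-SHIP01 Source Network Address: {src_ip} "
            f"Source Port: 65472 Detailed Authentication Information: Logon Process: NtLmSsp "
            f"Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0")


# Six "Shipping" failures from one workstation in 150 s, plus one unrelated wrong password.
SAMPLE_LOG = [
    make_event("2015 Jun 05 10:00:17", "Shipping", "192.0.2.25"),
    make_event("2015 Jun 05 10:00:47", "Shipping", "192.0.2.25"),
    make_event("2015 Jun 05 10:01:00", "jdoe", "192.0.2.40", substatus="0xc000006a"),
    make_event("2015 Jun 05 10:01:17", "Shipping", "192.0.2.25"),
    make_event("2015 Jun 05 10:01:47", "Shipping", "192.0.2.25"),
    make_event("2015 Jun 05 10:02:17", "Shipping", "192.0.2.25"),
    make_event("2015 Jun 05 10:02:47", "Shipping", "192.0.2.25"),
]

if __name__ == "__main__":
    for a in replay(SAMPLE_LOG):
        print(f'{a["count"]} failures for {a["key"][1]} from {a["key"][0]}: {a["reason"]}; {a["logon"]}')
```

Once the source is confirmed benign, the usual OSSEC approach is a child rule in local_rules.xml with `<if_sid>40111</if_sid>` and a `<match>` on the offending account or host that lowers the level or sets `<options>no_email_alert</options>`, so the e-mail stops while the underlying 4625s still get logged; silencing the parent rule itself would also hide real password-guessing.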
