You can look up the codes here: http://technet.microsoft.com/en-us/library/dd941635(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/dd941635%28v=ws.10%29.aspx
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625

...you have a 2008 server or newer, and this link is for 2003, but the logon type values have not changed. Value 3 = network logon; failure reason 2313 is your key.

http://answers.microsoft.com/en-us/windows/forum/windows_vista-security/where-can-i-find-the-full-list-of-failure-reasons/d0269426-2183-4d99-8af0-cc009dee6658
https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx

On Friday, June 5, 2015 at 1:11:12 PM UTC-4, Todd Clementz wrote:
>
> Good Day,
>
> I am getting a lot of these in my email notification. Can anyone shed
> light as to how to deal with these. I am working through someone else's
> install and still not understanding how to write the rules to process this
> type of message. Any help would be great.
>
> OSSEC HIDS Notification.
> 2015 Jun 05 10:00:13
>
> Received From: (%ServerName%) %ServerIP%->WinEvtLog
> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
> Portion of the log(s):
>
> 2015 Jun 05 10:00:17 WinEvtLog: Security: AUDIT_FAILURE(4625):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> %servername.domain.local%: An account failed to log on.
> Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
> Logon Type: 3
> Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Shipping Account Domain: %workstation%
> Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc0000064
> Process Information: Caller Process ID: 0x0 Caller Process Name: -
> Network Information: Workstation Name: %workstation% Source Network Address: %workstationIP% Source Port: 65472
> Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM
> Transited Services: - Package Name (NTLM only): - Key Length: 0
> This event is generated when a logon request fails. It is generated on the
> computer where access was attempted.
>
> Thank you,
>
> Todd Clementz
> ACLens
> IT Department
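As an added example (not from this thread and not OSSEC's own code), a Python script that pulls the fields the reply points at (logon type, failure reason, Status and Sub Status, source address) out of the one-line 4625 record OSSEC forwards, decodes the Sub Status using Microsoft's documented meanings, and applies a frequency-within-timeframe check of the kind rule 40111 performs. The host name, workstation, IP address, threshold and window in the sample are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Sub Status meanings as documented by Microsoft for event 4625 (0xc0000064 is the OP's value).
SUB_STATUS = {"0xc0000064": "user name does not exist", "0xc000006a": "wrong password",
              "0xc0000234": "account locked out", "0xc0000072": "account disabled"}
FIELDS = {  # regexes over the one-line form OSSEC gives WinEvtLog records
    "logon_type": r"Logon Type:\s*(\d+)",
    "target_account": r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)",
    "failure_reason": r"Failure Reason:\s*(%%\d+)",
    "status": r"(?<!Sub )Status:\s*(0x[0-9a-fA-F]+)",  # lookbehind skips "Sub Status:"
    "sub_status": r"Sub Status:\s*(0x[0-9a-fA-F]+)",
    "src_ip": r"Source Network Address:\s*(\S+)",
}

def parse_4625(line):
    """Return the decoded fields of a 4625 record, or None for any other event."""
    if "AUDIT_FAILURE(4625)" not in line:
        return None
    ev = {k: m.group(1) if (m := re.search(rx, line)) else None for k, rx in FIELDS.items()}
    ev["timestamp"] = datetime.strptime(line[:20], "%Y %b %d %H:%M:%S")  # "2015 Jun 05 10:00:17"
    ev["sub_status_text"] = SUB_STATUS.get((ev["sub_status"] or "").lower(), "other")
    return ev

def find_bursts(lines, threshold=8, window=timedelta(seconds=120)):
    """Flag (src_ip, account, n): `threshold` type-3 failures for a non-existent user in `window` (values illustrative)."""
    recent, alerts = defaultdict(deque), []
    for line in lines:
        ev = parse_4625(line)
        if not ev or ev["logon_type"] != "3" or ev["sub_status_text"] != "user name does not exist":
            continue
        q = recent[(ev["src_ip"], ev["target_account"])]
        q.append(ev["timestamp"])
        while ev["timestamp"] - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["src_ip"], ev["target_account"], len(q)))
            q.clear()  # one alert per burst, as a frequency/timeframe rule fires once
    return alerts

# Constructed sample, abridged from the OP's event with placeholder host, workstation and IP.
TEMPLATE = ("{ts} WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: server.example.local: An account failed to log on. Subject: "
            "Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: {lt} "
            "Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Shipping Account Domain: WS01 "
            "Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: {sub} "
            "Network Information: Workstation Name: WS01 Source Network Address: 192.0.2.10 Source Port: 65472")
SAMPLE = [TEMPLATE.format(ts=f"2015 Jun 05 10:00:{s:02d}", lt="3", sub="0xc0000064") for s in range(0, 40, 5)]
SAMPLE.append(TEMPLATE.format(ts="2015 Jun 05 10:01:30", lt="2", sub="0xc000006a"))  # interactive, not counted
```

Running `find_bursts(SAMPLE)` on the constructed sample yields one alert for the eight unknown-user network logon failures from 192.0.2.10; the interactive wrong-password event is ignored by the filter.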
