On Mon, Aug 17, 2015 at 10:12 AM, Farnsworth, Robert <[email protected]> wrote:
> Hi, I am trying to filter out the following alert which comes because we
> currently have an issue with our site scope (HOSTNAME) server. I would like
> to filter it until the issue is resolved as it is causing my log rotation to
> fail even though I appear to have plenty of disk space during normal daily
> operation. I have tried to filter it out with the local rule below, but am
> still seeing the alert slip through. I was trying to just filter the
> hostname out so I didn't see this alert only for the site scope
> (HOSTNAME) server. I don't necessarily want to filter out all WinEvtLog:
> Security: AUDIT_FAILURE(4776) alerts.
>
> 2015 Aug 17 09:38:46 WinEvtLog: Security: AUDIT_FAILURE(4776): Microsoft-Windows-Security-Auditing: (no user): no domain: windows_host.xx.xx.xx.com: The domain controller attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: HOSTNAME$ Source Workstation: HOSTNAME Error Code: 0xc0000064
>
> <!-- 100055 Filter out HOSTNAME -->
> <rule id="100055" level="0">
>   <if_sid>18153</if_sid>

Try <if_sid>18105</if_sid>. 18153 is a frequency rule, and for some reason I've had better luck filtering at the source alert instead of the frequency one.

>   <match> HOSTNAME </match>
>   <description>Events ignored</description>
> </rule>
>
> Thanks
>
> Robert
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
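A complete local rule along the lines of the reply's suggestion, written here as an added example rather than a rule taken from the thread or from the OSSEC project. It assumes the rule ids as the thread describes them (18105 as the per-event Windows audit-failure rule, 18153 as the frequency rule built on top of it) and that HOSTNAME stands for the SiteScope server's name. Instead of a bare `<match> HOSTNAME </match>`, the `<match>` is anchored on the `Source Workstation:` field of the quoted 4776 event, so 4776 failures from any other workstation, and other audit failures that merely mention the same string somewhere else, still produce an alert.

```xml
<!-- Added example: ignore 4776 audit failures whose Source Workstation is the SiteScope server.
     HOSTNAME is a placeholder for the real server name; the <group> wrapper is only here so the
     fragment stands on its own (local_rules.xml already provides one). -->
<group name="local,windows,">
  <rule id="100055" level="0">
    <!-- Child of the per-event audit-failure rule (18105), not of the frequency rule (18153). -->
    <if_sid>18105</if_sid>
    <!-- Match only on the Source Workstation field of the 4776 event, exactly as it appears in the log line. -->
    <match>Source Workstation: HOSTNAME Error Code:</match>
    <description>Audit failure from HOSTNAME ignored until the SiteScope issue is resolved.</description>
  </rule>
</group>
```

Place the rule in /var/ossec/rules/local_rules.xml, then paste the quoted 4776 log line into /var/ossec/bin/ossec-logtest before restarting OSSEC: the output should show the event ending at rule 100055 with level 0, while a 4776 line with a different Source Workstation still stops at 18105 and alerts.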
