This event is usually caused by a stale hidden credential. Try this from the system giving the error:

From a command prompt run: psexec -i -s -d cmd.exe
From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr
Remove any items that appear in the list of Stored User Names and Passwords.
Restart the computer.

On Monday, November 3, 2014 at 4:37:34 PM UTC-5, Luke Goldman wrote:
>
> I am new to setting up Ossec but so far am liking it a lot. I am having
> one issue that I am sure someone has resolved. The main thing I am working
> right now is tracking failed Windows logins. Most of this has worked right
> out of the box which is awesome. The issue I am having is that the Windows
> Event ID 4625 shows (no user) where every other Windows Event ID shows the
> username. So Ossec reports the user as (no user). This causes issues when
> I want to alert on 6 failed logins from the same user, as every user will
> match this (no user). Has anyone got a solution for this? Below is a log
> that will show what I am talking about. Thanks!
>
> 2014 Nov 03 12:05:34 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user):
> 2014 Nov 03 13:15:27 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Username:
