Hi, I would like to receive alerts when someone changes the time on a Windows server. I can see that logs are being sent to the OSSEC server, but it does not alert me.
2015 Oct 09 11:02:08 (Bookadmin-sry) 192.168.161.149->WinEvtLog 2015 Oct 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4616): Microsoft-Windows-Security-Auditing: (no user): no domain: bookadmin-sry: The system time was changed. Subject: Security ID: S-1-5-21-4177568406-2897204066-3252460601-500 Account Name: Administrator Account Domain: BOOKADMIN-SRY Logon ID: 0x3bb6d17 Process Information: Process ID: (null) Name: Previous Time: 2015-10-09T07:02:06.000000000Z 2015-10-09T18:02:07.279218900Z New Time: C:\Windows\System32\rundll32.exe 0x2954 This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.

In the Windows event log it shows up as event ID 1.

-- Moe Hans
