Hi Moe,
Edit your /var/ossec/rules/local_rules.xml and add this:
<rule id="18140" level="7" overwrite="yes">
<if_sid>18104</if_sid>
<id>^520$|^4616$</id>
<description>System time changed.</description>
<group>time_changed,</group>
</rule>
That should do the trick so long as alert level 7 meets the alert level
threshold set in your ossec.conf.
On Friday, October 9, 2015 at 11:15:41 AM UTC-7, moe hans wrote:
>
> Hi, I would like to receive alerts when someone changes the time on a
> Windows server. I can see that logs are being sent to the OSSEC server, but
> it does not alert me.
>
> 2015 Oct 09 11:02:08 (Bookadmin-sry) 192.168.161.149->WinEvtLog 2015 Oct
> 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4616):
> Microsoft-Windows-Security-Auditing: (no user): no domain: bookadmin-sry:
> The system time was changed. Subject: Security ID:
> S-1-5-21-4177568406-2897204066-3252460601-500 Account Name:
> Administrator Account Domain: BOOKADMIN-SRY Logon ID: 0x3bb6d17
> Process Information: Process ID: (null) Name: Previous Time:
> 2015-10-09T07:02:06.000000000Z 2015-10-09T18:02:07.279218900Z New Time:
> C:\Windows\System32\rundll32.exe 0x2954 This event is generated when the
> system time is changed. It is normal for the Windows Time Service, which
> runs with System privilege, to change the system time on a regular basis.
> Other system time changes may be indicative of attempts to tamper with the
> computer.
>
>
> In the Windows event log it shows up as event ID 1.
>
> --
> Moe Hans
>
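To see how the rule above is expected to behave against the quoted event, here is a small Python model of the OSSEC matching chain (WinEvtLog decode, parent rule via if_sid, the anchored `<id>` regex, then the alert-level threshold). This is an added example, not code from the original thread or from OSSEC itself: the sample events are constructed from the quoted line, the mapping of AUDIT_SUCCESS to rule 18104 (and of the other status classes to neighbouring rule ids) is an assumption made to mirror the reply's `<if_sid>18104</if_sid>`, and Python's `re` stands in for OSSEC's own regex engine.

```python
import re

# Constructed sample events, modelled on the WinEvtLog line quoted in the
# thread; they are not real captures.
SAMPLE_LOGS = {
    "time_4616": "2015 Oct 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4616): "
                 "Microsoft-Windows-Security-Auditing: (no user): no domain: "
                 "bookadmin-sry: The system time was changed.",
    "time_520": "2015 Oct 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(520): "
                "Security: SYSTEM: NT AUTHORITY: oldserver: The system time was changed.",
    "logon_4624": "2015 Oct 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
                  "Microsoft-Windows-Security-Auditing: (no user): no domain: "
                  "bookadmin-sry: An account was successfully logged on.",
    "failure_4616": "2015 Oct 09 00:02:05 WinEvtLog: Security: AUDIT_FAILURE(4616): "
                    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
                    "bookadmin-sry: The system time was changed.",
    "lookalike_14616": "2015 Oct 09 00:02:05 WinEvtLog: Application: AUDIT_SUCCESS(14616): "
                       "SomeVendor: (no user): no domain: bookadmin-sry: Unrelated event.",
}

# Approximation of the WinEvtLog decoder: channel, status class, event id, provider.
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): "
    r"(?P<status>AUDIT_SUCCESS|AUDIT_FAILURE|INFORMATION|WARNING|ERROR)"
    r"\((?P<id>\d+)\): (?P<provider>[^:]+): "
)

# Assumption: the parent rule id OSSEC gives each WinEvtLog status class, of
# which the reply's <if_sid>18104</if_sid> is the audit-success one.
STATUS_TO_PARENT_SID = {
    "ERROR": 18101, "WARNING": 18102, "INFORMATION": 18103,
    "AUDIT_SUCCESS": 18104, "AUDIT_FAILURE": 18105,
}

# The local rule from the reply, as a dict.
LOCAL_RULE = {
    "id": 18140, "level": 7, "if_sid": 18104,
    "id_pattern": r"^520$|^4616$",
    "description": "System time changed.", "group": "time_changed",
}


def decode_winevtlog(line):
    """Return the decoded fields of a WinEvtLog line, or None if it is not one."""
    m = WINEVT_RE.search(line)
    return m.groupdict() if m else None


def id_matches(event_id, pattern):
    """The rule's <id> field; the ^...$ anchors make it an exact match on the id."""
    return re.search(pattern, event_id) is not None


def evaluate(line, rule=LOCAL_RULE, log_alert_level=7):
    """Return the alert the rule would raise for `line`, or None."""
    ev = decode_winevtlog(line)
    if ev is None:
        return None  # not a WinEvtLog line, so the Windows rule tree is never reached
    if STATUS_TO_PARENT_SID.get(ev["status"]) != rule["if_sid"]:
        return None  # parent rule named in if_sid did not fire
    if not id_matches(ev["id"], rule["id_pattern"]):
        return None  # right status class, wrong event id
    if rule["level"] < log_alert_level:
        return None  # matched, but below the log_alert_level in ossec.conf: no alert
    return {"rule_id": rule["id"], "level": rule["level"], "event_id": ev["id"],
            "description": rule["description"], "group": rule["group"]}


if __name__ == "__main__":
    for name, line in SAMPLE_LOGS.items():
        print(f"{name:16} -> {evaluate(line)}")
    # Why the anchors matter: an unanchored '520|4616' would also match 14616.
    print("unanchored 14616:", id_matches("14616", r"520|4616"))
```

Running it shows the two time-change events (4616 and the older 520) producing a level-7 alert, while a logon (4624), an AUDIT_FAILURE copy of 4616 (a different parent rule) and a look-alike id such as 14616 do not; raising `log_alert_level` to 8 silences the match, which is the threshold caveat in the reply.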