I have a decoder that grabs the appropriate Account Name, but have come
across another issue. Even if I am able to properly decode "user", my
ossec alert.log does not correlate that to "user" unless it's in the
expected location in the WinEvtLog header.
Raw Log
WinEvtLog: Security: AUDIT_SUCCESS(4725):
Microsoft-Windows-Security-Auditing: *(no user)*: no domain:
myhost.mydomain.com: A user account was disabled. Subject: Security
ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name:
*my_account* Account Domain: MYDOMAIN Logon ID: 0x23a80332
Target Account: Security ID:
S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account
Account Domain: MYDOMAIN
Decoder:
<decoder name="windows-verbose-auth">
  <parent>windows</parent>
  <!-- matches the first "Security ID ... Account Name ... Account Domain" run after the header, i.e. the Subject block of a 4725 -->
  <regex offset="after_parent">Security ID:\s*\S*\s*Account Name:\s*(\S\S+)\s+Account Domain:\s*(\S*)</regex>
  <order>user, extra_data</order>
</decoder>
ossec-logtest output:
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4725'
extra_data: 'Microsoft-Windows-Security-Auditing'
system_name: 'myhost.mydomain.com'
*dstuser: 'my_account'*
Alert.log
** Alert **
time: 1448030023
hostname: (agent26) 0.0.0.0->WinEvtLog
location: (agent26) 0.0.0.0->WinEvtLog
rule_id: 18112
rule_rev: 1
rule_name: User account disabled or deleted.
rule_level: 8
lrec_object_tag: user
lrec_action_tag: authentication delete
lrec_status_tag: success
lrec_action: review
event_id: 4725
status: AUDIT_SUCCESS
data: Microsoft-Windows-Security-Auditing
systemname: myhost.mydomain.com
raw_log:
WinEvtLog: Security: AUDIT_SUCCESS(4725):
Microsoft-Windows-Security-Auditing: (no user): no domain:
myhost.mydomain.com: A user account was disabled. Subject: Security
ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name:
my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332
Target Account: Security ID:
S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account
Account Domain: MYDOMAIN
As you can see, "user" in the alert.log doesn't populate. If I modify the
log message and manually ingest it into OSSEC, it works.
New Raw Log:
WinEvtLog: Security: AUDIT_SUCCESS(4725):
Microsoft-Windows-Security-Auditing: *my_account*: no domain:
myhost.mydomain.com: A user account was disabled. Subject: Security
ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name:
my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332
Target Account: Security ID:
S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account
Account Domain: MYDOMAIN
New Alert.log
** Alert **
time: 1448030023
hostname: (agent26) 0.0.0.0->WinEvtLog
location: (agent26) 0.0.0.0->WinEvtLog
rule_id: 18112
rule_rev: 1
rule_name: User account disabled or deleted.
rule_level: 8
lrec_object_tag: user
lrec_action_tag: authentication delete
lrec_status_tag: success
lrec_action: review
event_id: 4725
status: AUDIT_SUCCESS
data: Microsoft-Windows-Security-Auditing
*user: my_account*
systemname: myhost.mydomain.com
raw_log:
WinEvtLog: Security: AUDIT_SUCCESS(4725):
Microsoft-Windows-Security-Auditing: *my_account*: no domain:
myhost.mydomain.com: A user account was disabled. Subject: Security
ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name:
my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332
Target Account: Security ID:
S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account
Account Domain: MYDOMAIN
On Wednesday, October 7, 2015 at 4:56:14 PM UTC-4, Eloy Alonso wrote:
>
> This Event is usually caused by a stale hidden credential. Try this from
> the system giving the error:
>
> From a command prompt run: psexec -i -s -d cmd.exe
> From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr
> Remove any items that appear in the list of Stored User Names and
> Passwords. Restart the computer.
>
>
> On Monday, November 3, 2014 at 4:37:34 PM UTC-5, Luke Goldman wrote:
>>
>> I am new to setting up Ossec but so far am liking it a lot. I am having
>> one issue that I am sure someone has resolved. The main thing I am working
>> on right now is tracking failed Windows logins. Most of this has worked right
>> out of the box, which is awesome. The issue I am having is that the Windows
>> Event ID 4625 shows (no user) where every other Windows Event ID shows the
>> username. So Ossec reports the user as (no user). This causes issues when
>> I want to alert on 6 failed logins from the same user, as every user will
>> match this (no user). Has anyone got a solution for this? Below is a log
>> that will show what I am talking about. Thanks!
>>
>> 2014 Nov 03 12:05:34 WinEvtLog: Security: AUDIT_FAILURE(4625):
>> Microsoft-Windows-Security-Auditing: (no user):
>> 2014 Nov 03 13:15:27 WinEvtLog: Security: AUDIT_SUCCESS(4624):
>> Microsoft-Windows-Security-Auditing: Username:
>>
>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
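The decode described in this thread, as an added example that is neither OSSEC's code nor anything posted above: a small Python emulation of the two-stage parse, the stock "windows" header decode followed by the poster's child regex applied after the header. The header regex is a simplified stand-in for OSSEC's own (an assumption, not a copy of decoder.xml); the sample log lines are constructed from the post; the "Target Account"-anchored regex is a suggested alternative, not something on the page. It goes one step beyond the thread by adding a line where the Subject (who did the disabling) and the Target Account (who got disabled) differ, which the poster's sample cannot show because both are my_account.

```python
"""Emulate the two-stage OSSEC decode from the ossec-list thread.

Added example, not OSSEC code. Assumptions (labelled in comments):
the header layout follows the sample line on the page
(channel: status(id): source: user: domain: host: message);
HEADER_RE is a simplified stand-in for the stock 'windows' decoder.
"""
import re

# Constructed sample, modelled on the poster's raw log (same SIDs/host).
ORIGINAL_LOG = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4725): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "myhost.mydomain.com: A user account was disabled. Subject: Security "
    "ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: "
    "my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 "
    "Target Account: Security ID: "
    "S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account "
    "Account Domain: MYDOMAIN"
)
# Same event with the header user slot filled in, as the poster did by hand.
MODIFIED_LOG = ORIGINAL_LOG.replace("(no user)", "my_account", 1)
# Constructed variant: an admin disables my_account (Subject != Target).
ADMIN_LOG = ORIGINAL_LOG.replace(
    "Account Name: my_account", "Account Name: admin_account", 1)

# Assumed stand-in for the stock 'windows' parent decoder: header up to host.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>\S+): "
)

# The poster's child regex, translated from OSSEC syntax to Python re.
# It matches the FIRST 'Security ID ... Account Name ... Account Domain'
# run after the header, which in a 4725 is the Subject, not the Target.
CHILD_RE = re.compile(
    r"Security ID:\s*\S*\s*Account Name:\s*(\S\S+)\s+Account Domain:\s*(\S*)"
)

# Suggested alternative (assumption, not from the page): anchor on
# 'Target Account:' so the account that was disabled is the one captured.
TARGET_RE = re.compile(
    r"Target Account:\s*Security ID:\s*\S*\s*Account Name:\s*(\S\S+)"
    r"\s+Account Domain:\s*(\S*)"
)


def decode(log: str) -> dict:
    """Return the fields the two-stage decode produces for one log line."""
    fields = {}
    m = HEADER_RE.match(log)
    if not m:
        return fields                      # parent did not match: no child run
    fields.update(
        status=m.group("status"),
        id=m.group("id"),
        extra_data=m.group("source"),
        system_name=m.group("system_name"),
    )
    # Mirror the logtest output on the page: '(no user)' leaves 'user' unset,
    # and only the header slot ever feeds the alert's 'user' field.
    header_user = m.group("user")
    if header_user != "(no user)":
        fields["user"] = header_user

    rest = log[m.end():]                   # offset="after_parent"
    c = CHILD_RE.search(rest)
    if c:
        fields["subject_user"], fields["subject_domain"] = c.groups()
    t = TARGET_RE.search(rest)
    if t:
        fields["target_user"], fields["target_domain"] = t.groups()
    return fields


if __name__ == "__main__":
    for name, line in (("original", ORIGINAL_LOG),
                       ("modified", MODIFIED_LOG),
                       ("admin", ADMIN_LOG)):
        print(name, decode(line))
```

Running it shows the behaviour from the thread: the original line yields no `user` at all, while the hand-edited line yields `user: my_account` purely from the header slot. The third line is the caveat: the poster's regex returns `admin_account` (the actor) as soon as Subject and Target differ, so a rule meant to track which account was disabled should capture the Target Account block instead.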