We addressed this using an OSSIM plugin to read a different part of the alert log.

Hope that helps sir

Grant Leonard
Castra Consulting, LLC <http://castraconsulting.com/#/>
919-949-4002

On Fri, Nov 20, 2015 at 12:28 PM, Joshua Roback <[email protected]> wrote:

> I have a decoder that grabs the appropriate Account Name, but have come
> across another issue. Even if I am able to properly decode "user", my
> ossec alert.log does not correlate that to "user" unless it's in the
> expected location in the WinEvtLog header.
>
> Raw Log
> WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: *(no user)*: no domain: myhost.mydomain.com: A user account was disabled. Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: *my_account* Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account Account Domain: MYDOMAIN
>
> Decoder:
> <decoder name="windows-verbose-auth">
>   <parent>windows</parent>
>   <regex offset="after_parent">Security ID:\s*\S*\s*Account Name:\s*(\S\S+)\s+Account Domain:\s*(\S*)</regex>
>   <order>user, extra_data</order>
> </decoder>
>
> ossec-logtest output:
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_SUCCESS'
>        id: '4725'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        system_name: 'myhost.mydomain.com'
>        *dstuser: 'my_account'*
>
> Alert.log
> ** Alert **
> time: 1448030023
> hostname: (agent26) 0.0.0.0->WinEvtLog
> location: (agent26) 0.0.0.0->WinEvtLog
> rule_id: 18112
> rule_rev: 1
> rule_name: User account disabled or deleted.
> rule_level: 8
> lrec_object_tag: user
> lrec_action_tag: authentication delete
> lrec_status_tag: success
> lrec_action: review
> event_id: 4725
> status: AUDIT_SUCCESS
> data: Microsoft-Windows-Security-Auditing
> systemname: myhost.mydomain.com
> raw_log:
> WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: (no user): no domain: myhost.mydomain.com: A user account was disabled. Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account Account Domain: MYDOMAIN
>
> As you can see, "user" in the alert.log doesn't populate. If I modify the
> log message and manually ingest it into OSSEC, it works.
>
> New Raw Log:
> WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: *my_account*: no domain: myhost.mydomain.com: A user account was disabled. Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account Account Domain: MYDOMAIN
>
> New Alert.log
> ** Alert **
> time: 1448030023
> hostname: (agent26) 0.0.0.0->WinEvtLog
> location: (agent26) 0.0.0.0->WinEvtLog
> rule_id: 18112
> rule_rev: 1
> rule_name: User account disabled or deleted.
> rule_level: 8
> lrec_object_tag: user
> lrec_action_tag: authentication delete
> lrec_status_tag: success
> lrec_action: review
> event_id: 4725
> status: AUDIT_SUCCESS
> data: Microsoft-Windows-Security-Auditing
> *user: my_account*
> systemname: myhost.mydomain.com
> raw_log:
> WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: *my_account: *no domain: myhost.mydomain.com: A user account was disabled. Subject: Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: my_account Account Domain: MYDOMAIN
>
> On Wednesday, October 7, 2015 at 4:56:14 PM UTC-4, Eloy Alonso wrote:
>>
>> This Event is usually caused by a stale hidden credential. Try this from
>> the system giving the error:
>>
>> From a command prompt run: psexec -i -s -d cmd.exe
>> From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr
>> Remove any items that appear in the list of Stored User Names and
>> Passwords. Restart the computer.
>>
>> On Monday, November 3, 2014 at 4:37:34 PM UTC-5, Luke Goldman wrote:
>>>
>>> I am new to setting up Ossec but so far am liking it a lot. I am having
>>> one issue that I am sure someone has resolved. The main thing I am working
>>> on right now is tracking failed Windows logins. Most of this has worked right
>>> out of the box, which is awesome. The issue I am having is that the Windows
>>> Event ID 4625 shows (no user) where every other Windows Event ID shows the
>>> username. So Ossec reports the user as (no user). This causes issues when
>>> I want to alert on 6 failed logins from the same user, as every user will
>>> match this (no user). Has anyone got a solution for this? Below is a log
>>> that will show what I am talking about. Thanks!
>>>
>>> 2014 Nov 03 12:05:34 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user):
>>> 2014 Nov 03 13:15:27 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Username:
>>>
>>> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ossec-list/AFawPZZ4v4k/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> For more options, visit https://groups.google.com/d/optout.
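The thread's underlying problem is that the per-user field is taken from a fixed position in the WinEvtLog header, which Windows fills with "(no user)" for event 4625 (and for 4725 as shown above), so any "same user, N failures" rule collapses every account into one bucket unless the decoder falls back to the "Account Name:" pairs in the event body. The following is an added, self-contained illustration of that decoding and of the resulting per-user count; it is not OSSEC's decoder code, the field names and the `decode`, `failed_logons_per_user` and `users_over_threshold` functions are this example's own, and the 4625/4624 sample lines are constructed (the 4725 line is the one quoted in the thread).

```python
"""Constructed example (not OSSEC code): fill the per-user field for WinEvtLog
lines whose header says '(no user)' by falling back to the 'Account Name:'
pairs in the event body, then count failed logons per user."""
import re
from collections import Counter

# Header layout as it appears in the thread's raw logs; an optional agent
# timestamp may precede "WinEvtLog:".
HEADER_RE = re.compile(
    r"^(?:\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} )?"
    r"WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<header_user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>\S+): (?P<message>.*)$",
    re.S,
)

# Same shape as the thread's child decoder: "Account Name: X Account Domain: Y".
ACCOUNT_RE = re.compile(r"Account Name:\s*(\S+)\s+Account Domain:\s*(\S*)")

NO_USER = "(no user)"
PLACEHOLDERS = {"-", ""}  # Windows writes '-' when a subject field is unset


def decode(line, fallback=True):
    """Return decoded fields for one WinEvtLog line, or None if it is not one.

    fallback=False reproduces the behaviour described in the thread: 'user'
    is whatever the header position holds, including '(no user)'.
    fallback=True replaces a '(no user)' header with the first non-placeholder
    Account Name in the body and records where the value came from.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["user"] = fields["header_user"]
    fields["user_source"] = "header"
    if fallback and fields["user"] == NO_USER:
        for name, domain in ACCOUNT_RE.findall(fields["message"]):
            if name not in PLACEHOLDERS:
                fields["user"], fields["user_domain"] = name, domain
                fields["user_source"] = "body"
                break
    return fields


def failed_logons_per_user(lines, fallback=True, event_id="4625"):
    """Count failed-logon events (4625 by default) keyed by the decoded user."""
    counts = Counter()
    for line in lines:
        ev = decode(line, fallback=fallback)
        if ev and ev["event_id"] == event_id:
            counts[ev["user"]] += 1
    return counts


def users_over_threshold(counts, threshold=6):
    """Users whose failed-logon count reached the threshold (6 in the thread)."""
    return sorted(u for u, n in counts.items() if n >= threshold)


# The 4725 raw log quoted in the thread (header user is '(no user)').
THREAD_LINE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: myhost.mydomain.com: A user account was disabled. Subject: "
    "Security ID: S-1-5-21-789336058-1532298954-839522115-141077 Account Name: "
    "my_account Account Domain: MYDOMAIN Logon ID: 0x23a80332 Target Account: "
    "Security ID: S-1-5-21-789336058-1532298954-839522115-60716 Account Name: "
    "my_account Account Domain: MYDOMAIN"
)


def _failed(user):
    """Constructed 4625 line in the layout Windows uses; SIDs and host are made up."""
    return (
        "WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: "
        "(no user): no domain: host1.example.com: An account failed to log on. Subject: "
        "Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
        "Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 "
        "Account Name: %s Account Domain: EXAMPLE Failure Information: "
        "Failure Reason: Unknown user name or bad password." % user
    )


# Constructed sample: six failures for alice, two for bob, one success for carol.
SAMPLE_LINES = [_failed("alice")] * 6 + [_failed("bob")] * 2 + [
    "2014 Nov 03 13:15:27 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: carol: EXAMPLE: host1.example.com: "
    "An account was successfully logged on. Subject: Security ID: S-1-0-0 "
    "Account Name: - Account Domain: - Logon ID: 0x0"
]

if __name__ == "__main__":
    print("thread line, header only:", decode(THREAD_LINE, fallback=False)["user"])
    print("thread line, with fallback:", decode(THREAD_LINE)["user"])
    print("header only:", failed_logons_per_user(SAMPLE_LINES, fallback=False))
    print("with fallback:", failed_logons_per_user(SAMPLE_LINES))
    print("over threshold:", users_over_threshold(failed_logons_per_user(SAMPLE_LINES)))
```

With the header-only decoding all eight failures land on "(no user)" and that single key trips the threshold, which is the false correlation Luke describes; with the body fallback the counts separate into alice (6) and bob (2), and only alice is reported. The placeholder check matters because the Subject section of a 4625 event usually carries "Account Name: -", so taking the first match blindly would return "-" instead of the account that actually failed.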
