In the OSSEC.conf file I have level 3 logging set. I can't seem to get
this rule to fire that is a predefined rule in the msauth_rules.xml file.
I can see in the Windows log event ID 4624, but it won't fire.



<rule id="18107" level="3">
  <if_sid>18104</if_sid>
  <id>^528$|^540$|^673$|^4624$|^4769$</id>
  <description>Windows Logon Success.</description>
  <group>authentication_success,</group>
</rule>

If I create a custom rule below in the local_rules.xml, it works.  I see 
that the difference is the level, but I do have level 3 set in the 
ossec.conf file so it should fire rules from level 3 through level 16, 
right?


<rule id="210000" level="5">
  <if_sid>18104</if_sid>
  <id>^528$|^540$|^673$|^4624$|^4769$</id>
  <description>Windows Logon Success.</description>
</rule>

