Hi Everyone,

Email alert mismatch: I have email alerts from an OSSEC agent (SUSE Linux) with
the message header "Successful sudo to ROOT executed", but the content of
the alert is for other OSSEC agents (RDP servers).
 
The Email alert looks like this:

OSSEC Alert - Agent Name(Linux) - Level 14 - Successful sudo to ROOT executed

Received From: Agent Name->WinEvtLog
Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."
Portion of the log(s):

2017 Aug 24 06:59:16 WinEvtLog: Security: AUDIT_FAILURE(4625): 
Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: 
An account failed to log on. Subject:  Security ID:  S-1-0-0  Account 
Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For 
Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  PHOENIX  Account 
Domain:    Failure Information:  Failure Reason:  %%2313  Status:  
 0xc000006d  Sub Status:  0xc0000064  Process Information:  Caller Process 
ID: 0x0  Caller Process Name: -  Network Information:  Workstation Name:  
 Source Network Address: -  Source Port:  -  Detailed Authentication 
Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  
Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This 
event is generated when a logon request fails. It is generated on the 
computer where access was attempted.

Could anyone provide any info on this? Any help is appreciated.

Many Thanks

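As an added example (not from the original post and not OSSEC's own code), a small Python script that parses an alert like the one quoted, so the subject/body disagreement can be checked mechanically and the Windows 4625 fields can be read out; the sample subject and body are constructed from the alert above, with the event log abridged and collapsed back onto the single line the e-mail wraps.

```python
import re
# Constructed sample, built from the alert quoted in the post above (abridged);
# the Windows event is one line in the OSSEC log and is only wrapped by the mailer.
SUBJECT = "OSSEC Alert - Agent Name(Linux) - Level 14 - Successful sudo to ROOT executed"
LOG = ("2017 Aug 24 06:59:16 WinEvtLog: Security: AUDIT_FAILURE(4625): "
       "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: "
       "An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  "
       "Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon "
       "Failed:  Security ID:  S-1-0-0  Account Name:  PHOENIX  Account Domain:    "
       "Failure Information:  Failure Reason:  %%2313  Status:  0xc000006d  "
       "Sub Status:  0xc0000064  Logon Process:  NtLmSsp   Authentication Package: NTLM")
BODY = ("Received From: Agent Name->WinEvtLog\n"
        'Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."\n'
        "Portion of the log(s):\n\n" + LOG + "\n")

SUBJECT_RE = re.compile(r"^OSSEC Alert - (?P<agent>.+) - Level (?P<level>\d+) - (?P<desc>.+)$")
RULE_RE = re.compile(r'^Rule: (?P<rule>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>.+)"$', re.M)
FROM_RE = re.compile(r"^Received From: (?P<agent>.+?)->(?P<location>\S+)$", re.M)

def parse_alert(subject, body):
    """Split an OSSEC e-mail alert into what the subject claims and what the body says."""
    s, frm, rule = SUBJECT_RE.match(subject), FROM_RE.search(body), RULE_RE.search(body)
    log = body.split("Portion of the log(s):", 1)[1].strip().splitlines()[0]
    return {"subject_level": int(s["level"]), "subject_desc": s["desc"],
            "agent": frm["agent"], "location": frm["location"], "rule": int(rule["rule"]),
            "level": int(rule["level"]), "desc": rule["desc"], "log": log}

def find_mismatches(subject, body):
    """Return (field, subject_value, body_value) for each field the subject line gets wrong."""
    a = parse_alert(subject, body)
    return [(f, a["subject_" + f], a[f]) for f in ("level", "desc") if a["subject_" + f] != a[f]]

def win_fields(log):
    """Turn the one-line 4625 event into {field: [values]}; repeated fields keep their order."""
    # OSSEC joins the event's lines with two spaces, so the tokens are 'Name:' keys and values;
    # a key followed directly by another key has an empty value (the second Account Domain).
    fields, key = {}, None
    for tok in re.split(r"\s{2,}", log.strip()):
        if tok.endswith(":"):             # bare key; its value, if any, is the next token
            key = tok[:-1]
            fields.setdefault(key, []).append("")
        elif ": " in tok:                 # 'Authentication Package: NTLM' joined by one space
            k, v = tok.split(": ", 1)
            fields.setdefault(k, []).append(v)
            key = None
        elif key is not None:             # value for the preceding bare key
            fields[key][-1] = tok
            key = None
    return fields
```

Running `find_mismatches(SUBJECT, BODY)` on the sample reports both the level (14 vs 7) and the description disagreeing, while `win_fields` shows the failed logon targeted account PHOENIX with an empty domain over NTLM.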