Hello Experts,

We are running OSSEC Server 2.8.3 on SUSE 12 SP2 with a few agents on Windows 2008 and Linux (SUSE 12 SP1). When we receive notification emails from Linux agents, for example with Subject:

    OSSEC Alert - (xxx-osagt-nat) 10.1.0.188 - Level 14 - Successful sudo to ROOT executed

but the email contains only messages like:

    OSSEC HIDS Notification.
    2017 Aug 25 05:57:35

    Received From: (xxx-osagt-rdp6) 10.1.0.99->WinEvtLog
    Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."
    Portion of the log(s):

    2017 Aug 25 05:57:04 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on.
    Subject:
        Security ID: S-1-0-0
        Account Name: -
        Account Domain: -
        Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
        Security ID: S-1-0-0
        Account Name: xxxxxxxx
        Account Domain:
    Failure Information:
        Failure Reason: %%2313
        Status: 0xc000006d
        Sub Status: 0xc000006a
    Process Information:
        Caller Process ID: 0x0
        Caller Process Name: -
    Network Information:
        Workstation Name:
        Source Network Address: -
        Source Port: -
    Detailed Authentication Information:
        Logon Process: NtLmSsp
        Authentication Package: NTLM
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    --END OF NOTIFICATION

Can someone advise why the Linux agent email contains the Windows login error logs?

Note: I have removed grouping of e-mails in my ossec.conf file.

Is there any basic setting I am missing?

Regards,
Srikar
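The setting a practitioner would check first for this kind of question is OSSEC's granular e-mail routing. What follows is an added example, not part of Srikar's post or any reply in the ossec-list thread: an ossec.conf fragment with a global mail section plus one `<email_alerts>` block keyed on the Linux agent's name, so that alerts from that agent go to their own recipient one alert per mail. The mail addresses, SMTP server and level threshold are placeholders; `xxx-osagt-nat` is the redacted agent name from the post and is assumed to be the name the agent registered with.

```xml
<ossec_config>
  <global>
    <!-- Global mail settings; every alert at or above the configured
         email_alert_level still goes to this address (values assumed). -->
    <email_notification>yes</email_notification>
    <email_to>soc@example.com</email_to>
    <smtp_server>mail.example.com</smtp_server>
    <email_from>ossec@example.com</email_from>
    <email_maxperhour>50</email_maxperhour>
  </global>

  <!-- Granular routing for one agent. event_location matches the agent
       name, hostname or IP shown in "Received From:"; level is the
       minimum alert level for this recipient. do_not_group sends one
       alert per mail, do_not_delay skips the batching window. -->
  <email_alerts>
    <email_to>linux-admins@example.com</email_to>
    <event_location>xxx-osagt-nat</event_location>
    <level>14</level>
    <do_not_delay />
    <do_not_group />
  </email_alerts>
</ossec_config>
```

After editing, restart with `/var/ossec/bin/ossec-control restart` and look in `/var/ossec/logs/ossec.log` for configuration errors; a granular block that does not parse is silently ineffective otherwise. Note that `<do_not_group />` is per `<email_alerts>` block, so it affects only the recipients of that block, not the mail sent from the `<global>` settings.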
