Hello,
It seems the OSSEC Windows Agent logs an incorrect process id (0) for WinEvtLog:
Security: AUDIT_SUCCESS(4656).
The actual process id is in the process name: 0x1abc.
Can this be resolved?
See the log below.
2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018
Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4690):
Microsoft-Windows-Security-Auditing: (no user): no domain:
dc01_ADMIN.dc01_ds.local: An attempt was made to duplicate a handle to an
object. Subject: Security ID:
S-1-5-21-3302202820-3722458155-244911019-500 Account Name: administrator
Account Domain: dc01_DS Logon ID: 0x1061b5 Source Handle Information:
Source Handle ID: 0x1f18 Source Process ID: 0x1abc New Handle
Information: Target Handle ID: 0x928 Target Process ID: 0x4'
2018/03/12 10:04:30 ossec-agent: DEBUG: Attempting to send message to
server.
2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018
Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4658):
Microsoft-Windows-Security-Auditing: (no user): no domain:
dc01_ADMIN.dc01_ds.local: The handle to an object was closed. Subject :
Security ID: S-1-5-21-3302202820-3722458155-244911019-500 Account Name:
administrator Account Domain: dc01_DS Logon ID: 0x1061b5 Object:
Object Server: Security Handle ID: 0x928 Process Information: Process
ID: 0x1abc Process Name: C:\Windows\explorer.exe'
2018/03/12 10:04:30 ossec-agent: DEBUG: Attempting to send message to
server.
*2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018
Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4656):
Microsoft-Windows-Security-Auditing: (no user): no domain:
dc01_ADMIN.dc01_ds.local: A handle to an object was requested. Subject:
Security ID: S-1-5-21-3302202820-3722458155-244911019-500 Account Name:
administrator Account Domain: dc01_DS Logon ID: 0x1061b5 Object:
Object Server: Security Object Type: File Object Name:
C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID:
0x1f18 Process Information: Process ID: 0 Process Name: 0x1abc Access
Request Information: Transaction ID:
{00000000-0000-0000-0000-000000000000} Accesses: %%1538 %%1541
%%4416 %%4419 %%4423 Access Mask: %%1538:
%%1801 D:(A;;0x1200a9;;;BA) %%1541: %%1801 D:(A;;0x1200a9;;;BA)
%%4416: %%1801 D:(A;;0x1200a9;;;BA) %%4419:
%%1801 D:(A;;0x1200a9;;;BA) %%4423: %%1801 D:(A;;0x1200a9;;;BA)
Privileges Used for Access Check: 0x120089 Restricted SID Count: -'*
2018/03/12 10:04:30 ossec-agent: DEBUG: Attempting to send message to
server.
2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018
Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4663):
Microsoft-Windows-Security-Auditing: (no user): no domain:
dc01_ADMIN.dc01_ds.local: An attempt was made to access an object.
Subject: Security ID: S-1-5-21-3302202820-3722458155-244911019-500
Account Name: administrator Account Domain: dc01_DS Logon ID:
0x1061b5 Object: Object Server: Security Object Type: File Object Name:
C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID:
0x1f18 Process Information: Process ID: 0x1abc Process Name:
C:\Windows\explorer.exe Access Request Information: Accesses:
%%1541 Access Mask: 0x100000'
2018/03/12 10:04:30 ossec-agent: DEBUG: Attempting to send message to
server.
2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018
Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4658):
Microsoft-Windows-Security-Auditing: (no user): no domain:
dc01_ADMIN.dc01_ds.local: The handle to an object was closed. Subject :
Security ID: S-1-5-21-3302202820-3722458155-244911019-500 Account Name:
administrator Account Domain: dc01_DS Logon ID: 0x1061b5 Object:
Object Server: Security Handle ID: 0x1f18 Process Information: Process
ID: 0x1abc Process Name: C:\Windows\explorer.exe'
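A small parser for the WinEvtLog messages quoted above that recognises the shifted 4656 fields (Process ID: 0, Process Name: 0x1abc) and recovers the real PID, added here as an example and not OSSEC's own code; the sample events are constructed from the post's log lines, trimmed to the fields the parser reads.

```python
import re

# Constructed sample: message bodies of three events quoted in the post,
# trimmed to the fields this parser needs. 4656 carries the field shift.
SAMPLE_EVENTS = [
    "2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4656): "
    "A handle to an object was requested. Object Name: "
    "C:\\Windows\\WinSxS\\FileMaps\\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x1f18 "
    "Process Information: Process ID: 0 Process Name: 0x1abc "
    "Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000}",
    "2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4663): "
    "An attempt was made to access an object. Handle ID: 0x1f18 "
    "Process Information: Process ID: 0x1abc Process Name: C:\\Windows\\explorer.exe "
    "Access Request Information: Accesses: %%1541 Access Mask: 0x100000",
    "2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4658): "
    "The handle to an object was closed. Handle ID: 0x1f18 "
    "Process Information: Process ID: 0x1abc Process Name: C:\\Windows\\explorer.exe",
]

EVENT_ID_RE = re.compile(r"WinEvtLog: Security: AUDIT_\w+\((\d+)\)")
# Process Name runs up to the next section header or the end of the message.
PROC_RE = re.compile(
    r"Process Information: Process ID: (\S+) Process Name: (.+?)"
    r"(?= Access Request Information:|$)"
)
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_process_info(message):
    """Return event id, PID and process name for one WinEvtLog message.
    'Process ID: 0 Process Name: 0x<hex>' is the shift described in the post:
    the hex value is taken as the real PID, the name becomes None (unknown),
    and the record is flagged so the correction stays visible downstream.
    """
    ev = EVENT_ID_RE.search(message)
    proc = PROC_RE.search(message)
    if not ev or not proc:
        return None
    pid_str, name = proc.group(1), proc.group(2)
    shifted = pid_str == "0" and bool(HEX_RE.match(name))
    if shifted:
        pid_str, name = name, None
    pid = int(pid_str, 16) if HEX_RE.match(pid_str) else int(pid_str)
    return {"event_id": int(ev.group(1)), "pid": pid,
            "process_name": name, "field_shift": shifted}


def normalize(messages):
    """Parse a batch, dropping messages that carry no process information."""
    return [r for r in (parse_process_info(m) for m in messages) if r]
```

Correlating the flagged 4656 record with the 4663/4658 events on the same Handle ID (0x1f18) confirms that 0x1abc is explorer.exe's PID, which is how a reviewer would verify the shift before filing it against the agent.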