I saw a strange log entry today that seemed to have the information put into some of the wrong fields:

2018 Apr 16 12:11:14 (workstation) 22.214.171.124->WinEvtLog 2018 Apr 16 05:11:10
WinEvtLog: Security: AUDIT_FAILURE(5140):
Microsoft-Windows-Security-Auditing: (no user): no domain:
workstation.domain.com: A network share object was accessed. Subject:
Security ID: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzz-8642 Account Name:
CCIS-TS1$ Account Domain: MMIA Logon ID: 0x18bb1672 Network
Information: Source Address: File Source Port: 126.96.36.199 Share Name:
49318

Looking at the event log itself, it looks like it's not accounting for "Object Type" before "Source Address." It's also not reporting some of the fields after Share Name:

Share Path
Access Mask
Accesses

Is this something I can fix myself? This was on a Windows 10.0.15063 workstation. Has the event changed for this flavor of Windows?
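
The following is an added example, not part of the original post and not OSSEC's own code: a post-processing check that spots the one-position shift visible in the alert above (a non-IP value under "Source Address", an IP under "Source Port") and re-labels the values. The function names and the re-labelled field order are assumptions taken from the poster's observation that "Object Type" precedes "Source Address".

```python
import ipaddress
import re

# Constructed sample: the Network Information part of the alert quoted above.
SAMPLE = ("Network Information: Source Address: File "
          "Source Port: 126.96.36.199 Share Name: 49318")

# Labels as they appear in the mis-labelled alert (three-field layout).
OLD_LABELS = ["Source Address", "Source Port", "Share Name"]
# Assumed layout, per the post: "Object Type" comes before "Source Address".
NEW_LABELS = ["Object Type", "Source Address", "Source Port"]


def extract(text, labels=OLD_LABELS):
    """Return {label: value} for each 'Label: value' pair found in text."""
    pattern = "|".join(re.escape(label) for label in labels)
    # Splitting on a capturing group yields [prefix, label, value, label, value, ...]
    parts = re.split(rf"({pattern}):", text)
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_shifted(fields):
    """Shifted: the address slot holds a non-IP and the port slot holds an IP."""
    return (not is_ip(fields.get("Source Address", ""))
            and is_ip(fields.get("Source Port", "")))


def realign(fields):
    """Re-label values by position when shifted; otherwise return a copy."""
    if not is_shifted(fields):
        return dict(fields)
    values = [fields[label] for label in OLD_LABELS if label in fields]
    fixed = dict(zip(NEW_LABELS, values))
    # The real share name never reached the alert, so it cannot be recovered.
    fixed["Share Name"] = None
    return fixed


if __name__ == "__main__":
    print(realign(extract(SAMPLE)))
```

Realigning only restores the labels for values that made it into the alert; the share name, share path, access mask and accesses are absent from the line and still have to come from the Windows event log itself.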