I saw a strange log entry today that seemed to have the information put 
into some of the wrong fields:

2018 Apr 16 12:11:14 (workstation)>WinEvtLog 2018 Apr 16 05:11:10 
> WinEvtLog: Security: AUDIT_FAILURE(5140): 
> Microsoft-Windows-Security-Auditing: (no user): no domain: 
> workstation.domain.com: A network share object was accessed.  Subject:  
> Security ID:  S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzz-8642  Account Name:  
> CCIS-TS1$  Account Domain:  MMIA  Logon ID:  0x18bb1672  Network 
> Information:   Source Address:  File  Source Port:   Share Name:  
>  49318

Looking at the event log itself, it looks like it's not accounting for 
"Object Type" before "Source Address."

It's also not reporting some of the fields after Share Name:
Share Path
Access Mask

Is this something I can fix myself?  This was on a Windows 10.0.15063 
workstation.  Has the event changed for this flavor of Windows?


You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to