Hello, thanks for your reply.

The events are coming from Active Directory running SNARE, which then forwards the events to Syslog-NG. OSSEC tails the dedicated syslog-ng log.

Does it help?

Kind regards

On Dec 23, 5:18 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> These event messages seem odd. Running the first one through logtest
> gives me the following:
>
> 2010/12/23 11:12:21 ossec-testrule: INFO: Reading local decoder file.
> 2010/12/23 11:12:21 ossec-testrule: INFO: Started (pid: 25248).
> ossec-testrule: Type one log per line.
>
> Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
>
> **Phase 1: Completed pre-decoding.
> full event: 'Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682 '
> hostname: '1.1.1.1'
> program_name: '(null)'
> log: 'DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682 '
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '1002'
> Level: '2'
> Description: 'Unknown problem somewhere in the system.'
> **Alert to be generated.
>
> How are these messages being passed to OSSEC?
>
> On Thu, Dec 23, 2010 at 3:34 AM, Js Opdebeeck <js.opdebe...@gmail.com> wrote:
> > Hello
> >
> > Rule: 1002 'Unknown problem somewhere in the system.' represents 45% of the alerts and
> >
> > Here are 2 kinds of alerts that should be passed to 0 or at least correctly classified.
> > Those are 'Failures' and 'Errors', but I thought they would be handled by 'msauth_rules.xml'.
> >
> > Did someone already re-classify this kind of rule? If not, I'll probably have to (mute them at least).
> >
> > ** Alert 1293091695.18221016: - syslog,errors,
> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > Src IP: (none)
> > User: (none)
> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699453 Thu: Dec 23 09:08:15 2010 680 Security USERXXX User Success Audit DOMAINCONTROLERNAME Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT Source Workstation: STATIONNAMEXXX Error Code: 0x0 19695682
> >
> > ** Alert 1293091695.18219733: - syslog,errors,
> > 2010 Dec 23 09:08:15 1.1.1.1->/data/network_ad.log
> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> > Src IP: (none)
> > User: (none)
> > Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME MSWinEventLog 1 Security 19699449 Thu: Dec 23 09:08:14 2010 673 Security SYSTEM User Success Audit DOMAINCONTROLERNAME Account Logon Service Ticket Request: User Name: stationna...@petercam.corp User Domain: PETERCAM.CORP Service Name: krbtgt Service ID: %{S-1-5-21-1424381949-1679034567-623647154-502} Ticket Options: 0x60810010 Ticket Encryption Type: 0x17 Client Address: 10.10.10.1 Failure Code: - Logon GUID: {d3ba7bf0-795b-27fd-f4a8-d70ed4268f72} Transited Services: - 19695678
> >
> > Kind regards
> >
> > Js Op de Beeck
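Added example (not from this thread and not OSSEC's own code): a small Python model of what the logtest output above shows. It re-implements the syslog pre-decoding step to show why `program_name` comes back null when syslog-ng relays a SNARE record with the domain controller's hostname in front of the `MSWinEventLog` tag, then parses the tab-delimited SNARE fields so the events can be classified by event ID and audit type rather than by keyword. The sample line is constructed from the first event in the thread with SNARE's tabs restored, and the assumption that rule 1002 is OSSEC's generic keyword rule is mine.

```python
import re

# Constructed sample: the first event quoted in the thread, with SNARE's tab
# delimiters restored (the mailing-list copy flattened them to spaces).
SAMPLE = ("Dec 23 09:08:13 1.1.1.1 DOMAINCONTROLERNAME\tMSWinEventLog\t1\tSecurity\t"
          "19699453\tThu: Dec 23 09:08:15 2010\t680\tSecurity\tUSERXXX\tUser\t"
          "Success Audit\tDOMAINCONTROLERNAME\tAccount Logon\tLogon attempt by: "
          "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: USERACCOUNT "
          "Source Workstation: STATIONNAMEXXX Error Code: 0x0\t19695682")

# Field order of a SNARE MSWinEventLog record, starting at the MSWinEventLog tag.
SNARE_FIELDS = ["tag", "criticality", "log_name", "counter", "event_time",
                "event_id", "source", "user", "sid_type", "audit_type",
                "computer", "category", "description", "checksum"]

# Assumption: rule 1002 is OSSEC's generic keyword rule; this is its word list.
BAD_WORDS = ["core_dumped", "failure", "error", "attack", "bad ", "illegal ",
             "denied", "refused", "unauthorized", "fatal", "failed"]

SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$", re.S)
PROGRAM_RE = re.compile(r"^(?P<prog>[\w.-]+)(\[\d+\])?: ")

def predecode(line):
    """Approximate OSSEC phase 1: syslog header, then an optional 'program[pid]: ' prefix."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    rest = m.group("rest")
    p = PROGRAM_RE.match(rest)
    if p:
        return {"hostname": m.group("host"), "program_name": p.group("prog"),
                "log": rest[p.end():]}
    # No 'program:' prefix, so program_name is null, exactly as logtest reported.
    return {"hostname": m.group("host"), "program_name": None, "log": rest}

def decode_snare(log):
    """Parse a tab-delimited SNARE record, tolerating a hostname prepended by the relay."""
    parts = log.split("\t")
    if parts and parts[0] != "MSWinEventLog":
        parts = parts[1:]  # drop the DOMAINCONTROLERNAME that precedes the tag
    if len(parts) != len(SNARE_FIELDS) or parts[0] != "MSWinEventLog":
        return None
    return dict(zip(SNARE_FIELDS, parts))

def bad_word_hits(log):
    """Keywords a generic rule trips on; 'Error Code: 0x0' in a success audit is one."""
    low = log.lower()
    return [w for w in BAD_WORDS if w in low]
```

Once `decode_snare` yields `event_id` and `audit_type`, a rule can key on those fields (680 with "Success Audit" is a successful logon) instead of on the word "Error" inside a success record.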