On 13.08.2013 10:53, Doug Kelly wrote:
> Thank you Michael. Adding or removing a member of the administrator's
> group worked perfectly. And I am sure with files constantly changing
> in the Windows\System32 directory, it would be nearly impossible to put
> in all the exclusions to make it work reliably. Is there another
> simple test that a novice like me could run to show a different OSSEC
> capability? Maybe a Windows Registry change or some other system
> change?

Multiple authentication failures (say, 10 times within a minute or so), clearing the event log and changing the audit policy should all generate alerts. Have a look through ms_auth.xml for anything above a level 7 and see what interests you.
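
An added example, not part of the original message: one way to list the rules above level 7 in an OSSEC rule file such as ms_auth.xml. The sample rules, their IDs and descriptions are constructed placeholders, and the code assumes the file parses as XML once its top-level `<group>` elements are wrapped in a single root.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in OSSEC rule-file syntax. IDs and descriptions are
# placeholders, not copied from the real ms_auth.xml.
SAMPLE_RULES = """
<!-- constructed sample -->
<group name="windows,">
  <rule id="100001" level="5">
    <if_sid>100000</if_sid>
    <description>Sample: single logon failure.</description>
  </rule>
  <rule id="100002" level="10" frequency="6" timeframe="240">
    <if_matched_sid>100001</if_matched_sid>
    <description>Sample: multiple logon failures.</description>
  </rule>
</group>
<group name="windows,policy_changed,">
  <rule id="100003" level="8">
    <description>Sample: audit policy changed.</description>
  </rule>
  <rule id="100004" level="7">
    <description>Sample: at the threshold, not above it.</description>
  </rule>
</group>
"""

def rules_above(xml_text, min_level=7):
    """Return (id, level, frequency, timeframe, description), highest level first."""
    # Rule files hold several top-level <group> elements, which a strict
    # XML parser rejects, so drop any XML declaration and add one root.
    body = re.sub(r"<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring("<root>" + body + "</root>")
    hits = []
    for rule in root.iter("rule"):
        level = int(rule.get("level", "0"))
        if level > min_level:
            desc = (rule.findtext("description") or "").strip()
            hits.append((rule.get("id"), level, rule.get("frequency"),
                         rule.get("timeframe"), desc))
    return sorted(hits, key=lambda r: -r[1])

if __name__ == "__main__":
    # Pass the path to a rule file, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for rid, level, freq, tf, desc in rules_above(text):
        window = f"  frequency={freq} timeframe={tf}" if freq else ""
        print(f"{rid}  level {level}{window}  {desc}")
```

Rules that carry `frequency` and `timeframe` attributes are the ones that need repeated events to fire, so a single test event will not trigger them.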
