This is exactly what I needed. Thank you so much for your help.

Doug
On Tuesday, August 13, 2013 9:21:19 AM UTC-7, Michael Starks wrote:
>
> On 13.08.2013 10:53, Doug Kelly wrote:
> > Thank you Michael. Adding or removing a member of the administrator's
> > group worked perfectly. And I am sure with files constantly changing
> > in the Windows\System32 directory, it would be nearly impossible to
> > put in all the exclusions to make it work reliably. Is there another
> > simple test that a novice like me could run to show a different Ossec
> > capability? Maybe a Windows Registry change or some other system
> > change?
>
> Multiple authentication failures (say, 10 times within a minute or so),
> clearing the event log and changing the audit policy should all generate
> alerts. Have a look through ms_auth.xml for anything above a level 7 and
> see what interests you.
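
Following the suggestion in the quoted reply to look through ms_auth.xml for anything above level 7, this is an added example (not part of the thread and not OSSEC's own code) that lists such rules from a rule file, including the frequency and timeframe of composite rules such as repeated authentication failures. The sample rules, their IDs and descriptions are constructed, and `rules_above` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the OSSEC rule-file layout; the IDs, levels and
# descriptions are placeholders, not copied from the real ms_auth.xml.
SAMPLE_RULES = """
<group name="windows,">
  <rule id="900001" level="5">
    <description>Constructed: single logon failure.</description>
  </rule>
  <rule id="900002" level="10" frequency="6" timeframe="240">
    <if_matched_sid>900001</if_matched_sid>
    <description>Constructed: multiple logon failures.</description>
  </rule>
  <rule id="900003" level="9">
    <description>Constructed: event log cleared.</description>
  </rule>
</group>
<group name="windows,policy,">
  <rule id="900004" level="8">
    <description>Constructed: audit policy changed.</description>
  </rule>
</group>
"""

def rules_above(xml_text, threshold=7):
    """Return the rules whose level is strictly above threshold, highest first."""
    # Rule files hold several top-level <group> elements, so wrap them in a
    # synthetic root to get a document ElementTree will parse.
    root = ET.fromstring("<root>" + xml_text + "</root>")
    hits = []
    for rule in root.iter("rule"):
        level = int(rule.get("level", "0"))
        if level <= threshold:
            continue
        hits.append({
            "id": rule.get("id"),
            "level": level,
            "frequency": rule.get("frequency"),   # set only on composite rules
            "timeframe": rule.get("timeframe"),   # seconds, composite rules only
            "description": (rule.findtext("description") or "").strip(),
        })
    return sorted(hits, key=lambda r: (-r["level"], r["id"]))

if __name__ == "__main__":
    for r in rules_above(SAMPLE_RULES):
        window = f" (frequency={r['frequency']}, timeframe={r['timeframe']}s)" if r["frequency"] else ""
        print(f"{r['id']}  level {r['level']:>2}  {r['description']}{window}")
```

To use it on a real installation, read the contents of your own ms_auth.xml and pass the text to `rules_above` in place of `SAMPLE_RULES`.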
