Hi all, I wrote rules to parse Windows Event 4656. The result is pretty good, except that the Accesses: field is not human-readable.

accesses %%1541 %%4416 %%4423

As you can see, the accesses field shows as 4-digit codes. For anyone who wants to understand these digits, they mean:

'%%1537', "Delete",
'%%1538', "ReadControl",
'%%1539', "ReadControl",
'%%1540', "ReadControl",
'%%1541', "Synchronize",
'%%1542', "Synchronize",
'%%4416', "ReadData",
'%%4417', "WriteData",
'%%4418', "AppendData",
'%%4419', "ReadEA",
'%%4420', "WriteEA",
'%%4423', "ReadAttrib",
'%%4424', "WriteAttrib",
'%%1801', "Granted",
'%%1805', "NotGranted"

Can anyone here suggest a way to replace these digits with other keywords?
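One way to do the replacement as a post-processing step on the log line, shown as an added example that is not part of the original post: a Python filter that rewrites only the Accesses value and leaves unknown codes untouched. The function name, the sample line and the comma-joined output are assumptions; the code table is copied as listed in the post.

```python
import re

# Mapping copied as listed in the post above; extend or adjust as needed.
ACCESS_NAMES = {
    "%%1537": "Delete", "%%1538": "ReadControl", "%%1539": "ReadControl",
    "%%1540": "ReadControl", "%%1541": "Synchronize", "%%1542": "Synchronize",
    "%%4416": "ReadData", "%%4417": "WriteData", "%%4418": "AppendData",
    "%%4419": "ReadEA", "%%4420": "WriteEA", "%%4423": "ReadAttrib",
    "%%4424": "WriteAttrib", "%%1801": "Granted", "%%1805": "NotGranted",
}

# "Accesses:" (raw event text) or "accesses" (decoded field name), followed
# by a run of whitespace-separated %%NNNN tokens.
ACCESSES_RE = re.compile(r"\b(Accesses:?\s*)((?:%%\d+\s*)+)", re.IGNORECASE)
CODE_RE = re.compile(r"%%\d+")

# Constructed sample line (hypothetical host and file), used for the demo only.
SAMPLE = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOST01: A handle to an object was requested. "
    "Object Name: C:\\data\\report.txt "
    "Accesses: %%1541 %%4416 %%4423 %%9999 Access Mask: 0x100081"
)


def translate_accesses(line):
    """Return (rewritten_line, names) with the %%codes after Accesses replaced.

    Codes missing from ACCESS_NAMES are kept verbatim so nothing is lost.
    Only the first Accesses field in the line is rewritten.
    """
    names = []

    def rewrite(match):
        codes = match.group(2)
        for code in CODE_RE.findall(codes):
            names.append(ACCESS_NAMES.get(code, code))
        # Preserve trailing whitespace so the next field stays separated.
        trailing = codes[len(codes.rstrip()):]
        return match.group(1) + ",".join(names) + trailing

    return ACCESSES_RE.sub(rewrite, line, count=1), names


if __name__ == "__main__":
    rewritten, found = translate_accesses(SAMPLE)
    print(rewritten)
    print(found)
```
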