The event is from a Windows 10 system. I have turned on logall. I am having a hard time regenerating event ID 5140; however, I have spotted several other event types where the XML field labels are NOT logged by OSSEC.
In addition, in the specific example below, the order of the last two fields is inverted. As presented by OSSEC, these event types (and several others) are just a sequence of field content *without* field names. Without viewing the original event in Windows Event Viewer, it is difficult to make head or tail of the content of such events.

Event 4703 is filtered by the rules I have in place; below is a sanitized capture of one event from the archives log.

Example event 4703 from archives log:

    2017 Feb 20 10:19:04 (AgentName) 192.168.X.Y->WinEvtLog 2017 Feb 20 12:19:00 WinEvtLog: Security: AUDIT_SUCCESS(4703): Microsoft-Windows-Security-Auditing: (no user): no domain: Hostname: S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe 0x6d0 SeSecurityPrivilege -

Sanitized text view in Event Viewer:

    A user right was adjusted.   <--- Not reported by Windows in XML

    Subject:
        Security ID:        SYSTEM
        Account Name:       HOSTNAME$
        Account Domain:     DOMAIN
        Logon ID:           0x3E7

    Target Account:
        Security ID:        SYSTEM
        Account Name:       HOSTNAME$
        Account Domain:     DOMAIN
        Logon ID:           0x3E7

    Process Information:
        Process ID:         0x6d0
        Process Name:       C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe

    Enabled Privileges:     -
    Disabled Privileges:    SeSecurityPrivilege

And the XML Event Data:

    <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">HOSTNAME$</Data>
      <Data Name="SubjectDomainName">DOMAIN</Data>
      <Data Name="SubjectLogonId">0x3e7</Data>
      <Data Name="TargetUserSid">S-1-5-18</Data>
      <Data Name="TargetUserName">HOSTNAME$</Data>
      <Data Name="TargetDomainName">DOMAIN</Data>
      <Data Name="TargetLogonId">0x3e7</Data>
      <Data Name="ProcessName">C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe</Data>
      <Data Name="ProcessId">0x6d0</Data>
      <Data Name="EnabledPrivilegeList">-</Data>
      <Data Name="DisabledPrivilegeList">SeSecurityPrivilege</Data>
    </EventData>

The labels in Windows AppLocker events are missing, in addition to certain fields not being logged at all.

Event in OSSEC:

    2017 Feb 20 12:59:32 WinEvtLog: Microsoft-Windows-AppLocker/EXE and DLL: INFORMATION(8002): Microsoft-Windows-AppLocker: Username: HOSTNAME: Hostname: %SYSTEM32%\NOTEPAD.EXE was allowed to run.

Similar event in Event Viewer:

    Log Name:      Microsoft-Windows-AppLocker/EXE and DLL
    Source:        Microsoft-Windows-AppLocker
    Date:          2017-02-20 12:59:32
    Event ID:      8002
    Task Category: None
    Level:         Information
    Keywords:
    User:          HOSTNAME\Username
    Computer:      Hostname
    Description:   %SYSTEM32%\NOTEPAD.EXE was allowed to run.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-AppLocker" Guid="{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}" />
        <EventID>8002</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-02-20T10:59:32.601746800Z" />
        <EventRecordID>628604</EventRecordID>
        <Correlation />
        <Execution ProcessID="12408" ThreadID="6736" />
        <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
        <Computer>Hostname</Computer>
        <Security UserID="S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX" />
      </System>
      <UserData>
        <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
          <PolicyName>EXE</PolicyName>
          <RuleId>{68A289F7-223A-46C9-A2B2-A7C6F18046DE}</RuleId>
          <RuleName>Program Files (x86): MICROSOFT® WINDOWS® OPERATING SYSTEM signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</RuleName>
          <RuleSddl>D:(XA;;FX;;;S-1-5-11;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\*",2814749767106560}))))</RuleSddl>
          <TargetUser>S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXX</TargetUser>
          <TargetProcessId>7820</TargetProcessId>
          <FilePath>%SYSTEM32%\NOTEPAD.EXE</FilePath>
          <FileHash>D7AE8D9D859B4F6DC703E2005CC10E836CCFFC38C4DB97C3C9DEF101D722E417</FileHash>
          <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NOTEPAD.EXE\10.0.10240.16425</Fqbn>
          <TargetLogonId>0x28f2bf</TargetLogonId>
        </RuleAndFileData>
      </UserData>
    </Event>
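As an added example (not code from the post above or from OSSEC), the following Python script re-attaches the EventData field names to the unlabeled value tail of the 4703 line quoted in the post, by matching each XML value against the whitespace-split OSSEC tokens, and then reports which fields OSSEC emitted out of XML order. The sample line and EventData block are the sanitized ones from the post, with the bold markers dropped from the Name attributes.

```python
import xml.etree.ElementTree as ET

# Sample input constructed from the sanitized 4703 event quoted in the post:
# the value tail after "Hostname:" in the OSSEC archives line, and the
# EventData block from Event Viewer.
OSSEC_TAIL = (r"S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 S-1-5-18 HOSTNAME$ DOMAIN 0x3e7 "
              r"C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe 0x6d0 "
              r"SeSecurityPrivilege -")
EVENT_DATA_XML = r"""<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectUserName">HOSTNAME$</Data>
  <Data Name="SubjectDomainName">DOMAIN</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
  <Data Name="TargetUserSid">S-1-5-18</Data>
  <Data Name="TargetUserName">HOSTNAME$</Data>
  <Data Name="TargetDomainName">DOMAIN</Data>
  <Data Name="TargetLogonId">0x3e7</Data>
  <Data Name="ProcessName">C:\Program Files (x86)\OSSEC-Agent\ossec-agent.exe</Data>
  <Data Name="ProcessId">0x6d0</Data>
  <Data Name="EnabledPrivilegeList">-</Data>
  <Data Name="DisabledPrivilegeList">SeSecurityPrivilege</Data>
</EventData>"""

def event_data_fields(xml_text):
    """EventData as an ordered list of (Name, value) pairs, in XML order."""
    root = ET.fromstring(xml_text)
    return [(d.get("Name"), (d.text or "").strip()) for d in root.findall("Data")]

def relabel(ossec_tail, fields):
    """Walk the OSSEC tail token by token, consuming at each position the longest
    not-yet-used XML value whose tokens match (handles the space-containing process
    path and the repeated SIDs). Returns (Name, value) pairs in OSSEC's order."""
    tokens, unused, labelled, i = ossec_tail.split(), list(fields), [], 0
    while i < len(tokens):
        best = None
        for name, value in unused:
            vt = value.split()
            if vt and tokens[i:i + len(vt)] == vt and (
                    best is None or len(vt) > len(best[1].split())):
                best = (name, value)
        if best is None:
            raise ValueError(f"no EventData value matches token {tokens[i]!r}")
        unused.remove(best)
        labelled.append(best)
        i += len(best[1].split())
    return labelled

def reordered_fields(xml_fields, ossec_fields):
    """Names whose position in the OSSEC tail differs from the XML order;
    for the 4703 sample these are the two privilege-list fields."""
    return [n for (n, _), (m, _) in zip(xml_fields, ossec_fields) if n != m]
```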