Hello, I enabled the logall option and got a few logs related to ms_firewall_rules.xml. Below is a sample:

2019 Jan 08 18:31:55 WinEvtLog: Security: AUDIT_SUCCESS(4956): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-CHUBILMO5N2: Windows Firewall has changed the active profile. New Active Profile: Private

When I run this in ossec-logtest I get the following result:

**Phase 1: Completed pre-decoding.
       full event: '2019 Jan 08 18:31:55 WinEvtLog: Security: AUDIT_SUCCESS(4956): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-CHUBILMO5N2: Windows Firewall has changed the active profile. New Active Profile: Private'
       hostname: 'ubuntu'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_SUCCESS(4956): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-CHUBILMO5N2: Windows Firewall has changed the active profile. New Active Profile: Private'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '4956'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: '(no user)'
       system_name: 'WIN-CHUBILMO5N2'

**Rule debugging:
    Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
    Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
    Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
    Trying rule: 18101 - Windows informational event.
    Trying rule: 18102 - Windows warning event.
    Trying rule: 18104 - Windows audit success event.
       *Rule 18104 matched.
       *Trying child rules.
    Trying rule: 18116 - User account locked out (multiple login errors).
    Trying rule: 18118 - Windows audit log was cleared.
    Trying rule: 18110 - User account enabled or created.
    Trying rule: 18111 - User account changed.
    Trying rule: 18112 - User account disabled or deleted.
    Trying rule: 18113 - Windows Audit Policy changed.
    Trying rule: 18115 - General account database changed.
    Trying rule: 18117 - Windows is shutting down.
    Trying rule: 18114 - Group Account Changed
    Trying rule: 18127 - Computer account added/changed/deleted.
    Trying rule: 18140 - System time changed.
    Trying rule: 18142 - User account unlocked.
    Trying rule: 18200 - Group Account Created
    Trying rule: 18201 - Group Account Deleted
    Trying rule: 18107 - Windows Logon Success.
    Trying rule: 18109 - Session reconnected/disconnected to winstation.
    Trying rule: 18148 - Windows is starting up.
    Trying rule: 18149 - Windows User Logoff.
    Trying rule: 18181 - MS SQL Server Logon Success.

**Phase 3: Completed filtering (rules).
       Rule id: '18104'
       Level: '0'
       Description: 'Windows audit success event.'

Isn't it supposed to run through the ms_firewall_rules.xml file and give the output using

  <rule id="53652" level="8">
    <if_sid>18104</if_sid>
    <id>^4956$</id>
    <description>Windows Firewall changed the active profile</description>
    <group>windows_firewall</group>
  </rule>

Any idea on how to fix this? The rule hits when I copy it to the msauth_rules.xml file. Any help would be appreciated.

-- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
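A check worth running before anything else, added here as an example that is neither part of the post above nor OSSEC's own code: ossec-analysisd loads only the rule files listed as <include> entries under <rules> in ossec.conf, and it loads them in that order. As I understand the loader, a rule's <if_sid> is resolved at load time, so a child rule whose parent (here 18104, which lives in msauth_rules.xml) is not loaded yet is ignored with a "Signature ID not found" warning. The script below takes a copy of ossec.conf and the rule files and reports both failure modes: the file missing from the include list, and the file being included before the file that defines its parent. The ossec.conf and rule snippets embedded in it are constructed for the demo; point `check_rule_loading` at real file contents to test an installation. It parses with regular expressions rather than an XML parser because real ossec.conf files often contain several top-level <ossec_config> blocks.

```python
"""Check whether an OSSEC rule file is loaded, and whether every <if_sid>
parent is defined before the child in include order.  Added example for
this thread; not OSSEC code.  Assumes rule files are selected only by
<include> entries under <rules> in ossec.conf."""
import re

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
INCLUDE_RE = re.compile(r"<include>\s*([^<\s]+)\s*</include>")
RULE_RE = re.compile(r"<rule\b([^>]*)>(.*?)</rule>", re.S)
ID_RE = re.compile(r'\bid\s*=\s*"(\d+)"')
IF_SID_RE = re.compile(r"<if_sid>\s*([\d,\s]+?)\s*</if_sid>")


def include_order(ossec_conf: str) -> list:
    """Rule files in the order their <include> entries appear in ossec.conf."""
    return INCLUDE_RE.findall(COMMENT_RE.sub("", ossec_conf))


def rule_definitions(rule_xml: str) -> list:
    """[(rule_id, [parent ids from <if_sid>]), ...] in file order."""
    defs = []
    for attrs, body in RULE_RE.findall(COMMENT_RE.sub("", rule_xml)):
        m = ID_RE.search(attrs)
        if not m:
            continue
        parents = []
        for sids in IF_SID_RE.findall(body):          # <if_sid>18104, 18105</if_sid>
            parents.extend(int(p) for p in re.split(r"[,\s]+", sids) if p)
        defs.append((int(m.group(1)), parents))
    return defs


def check_rule_loading(ossec_conf: str, rule_files: dict, wanted_file: str) -> list:
    """Return human-readable problems; an empty list means the rules in
    wanted_file are loaded after every parent they reference."""
    problems = []
    order = include_order(ossec_conf)
    if wanted_file not in order:
        problems.append(f"{wanted_file} is not listed under <rules> in ossec.conf")
    defined = {}  # rule id -> file that defined it, in load order
    for fname in order:
        text = rule_files.get(fname)
        if text is None:
            problems.append(f"{fname} is included but its contents were not supplied")
            continue
        for rid, parents in rule_definitions(text):
            for parent in parents:
                if parent not in defined:
                    problems.append(f"rule {rid} in {fname}: <if_sid>{parent}</if_sid> "
                                    f"is not defined before it; check the include order")
            defined[rid] = fname
    return problems


# --- constructed sample inputs, trimmed to the rules involved in this thread ---
RULES_CONFIG = """<group name="syslog,">
  <rule id="6" level="0">
    <decoded_as>windows</decoded_as>
    <description>Generic template for all windows rules.</description>
  </rule>
</group>"""

MSAUTH = """<group name="windows,">
  <rule id="18100" level="0">
    <if_sid>6</if_sid>
    <description>Group of windows rules.</description>
  </rule>
  <rule id="18104" level="0">
    <if_sid>18100</if_sid>
    <status>^AUDIT_SUCCESS</status>
    <description>Windows audit success event.</description>
  </rule>
</group>"""

MS_FIREWALL = """<group name="windows,windows_firewall,">
  <rule id="53652" level="8">
    <if_sid>18104</if_sid>
    <id>^4956$</id>
    <description>Windows Firewall changed the active profile</description>
    <group>windows_firewall</group>
  </rule>
</group>"""

RULE_FILES = {"rules_config.xml": RULES_CONFIG, "msauth_rules.xml": MSAUTH,
              "ms_firewall_rules.xml": MS_FIREWALL}


def ossec_conf(*includes: str) -> str:
    """Build a minimal constructed ossec.conf with the given <include> order."""
    body = "\n".join(f"    <include>{f}</include>" for f in includes)
    return f"<ossec_config>\n  <rules>\n{body}\n  </rules>\n</ossec_config>\n"


def demo():
    """Three include layouts: file missing, file before its parent, file after."""
    wanted = "ms_firewall_rules.xml"
    missing = check_rule_loading(ossec_conf("rules_config.xml", "msauth_rules.xml"), RULE_FILES, wanted)
    too_early = check_rule_loading(ossec_conf("rules_config.xml", wanted, "msauth_rules.xml"), RULE_FILES, wanted)
    ok = check_rule_loading(ossec_conf("rules_config.xml", "msauth_rules.xml", wanted), RULE_FILES, wanted)
    return missing, too_early, ok


if __name__ == "__main__":
    for label, result in zip(("missing", "too early", "ok"), demo()):
        print(f"{label}: {result or 'no problems'}")
```

Both failure modes explain the symptom in the post (the rule fires only once it is pasted into msauth_rules.xml, which is already included and already contains 18104). If the real ossec.conf lists ms_firewall_rules.xml and lists it after msauth_rules.xml, look for a "Signature ID" or XML-parse error in ossec.log at startup instead.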