Hi Brad, My guess is you have extended auditing enabled. Both of these alerts are typical of access requests (file handles) or successful use of privs - in both cases, I would be more interested in failed use of privs and/or blocked access. However, you have to judge for your environment. Without knowing everything about your setup, I would say you could probably safely ignore these for now, then focus on the rest of the alerts to try to get a clear understanding of what "normal" is.
Cheers Kat On Friday, July 8, 2016 at 2:34:20 PM UTC-5, Brad Carey wrote: > > We have deployed OSSEC company wide to probably 60-80 PCs and servers. > Problem is our hourly emails are 4-5MB, way too much to wade through. The > vast majority of the events are Event ID 4656, with a good number of Event > ID 4673 too. How do I determine whether or not I can suppress all of these > from the alert emails? I don't mean in the technical sense, but security > sense. Might these particular events ever be thrown when there is malicious > activity? > > Thanks! > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.