Hello,

It seems the OSSEC Windows agent logs an incorrect process id (0) for WinEvtLog: Security: AUDIT_SUCCESS(4656). The actual process id is in the process name: 0x1abc. Can this be resolved?
See log below:

2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4690): Microsoft-Windows-Security-Auditing: (no user): no domain: dc01_ADMIN.dc01_ds.local: An attempt was made to duplicate a handle to an object. Subject: Security ID: S-1-5-21-3302202820-3722458155-244911019-500 Account Name: administrator Account Domain: dc01_DS Logon ID: 0x1061b5 Source Handle Information: Source Handle ID: 0x1f18 Source Process ID: 0x1abc New Handle Information: Target Handle ID: 0x928 Target Process ID: 0x4'
2018/03/12 10:04:30 ossec-agent: DEBUG: Attempting to send message to server.
2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4658): Microsoft-Windows-Security-Auditing: (no user): no domain: dc01_ADMIN.dc01_ds.local: The handle to an object was closed. Subject : Security ID: S-1-5-21-3302202820-3722458155-244911019-500 Account Name: administrator Account Domain: dc01_DS Logon ID: 0x1061b5 Object: Object Server: Security Handle ID: 0x928 Process Information: Process ID: 0x1abc Process Name: C:\Windows\explorer.exe'
2018/03/12 10:04:30 ossec-agent: DEBUG: Attempting to send message to server.
*2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: dc01_ADMIN.dc01_ds.local: A handle to an object was requested. Subject: Security ID: S-1-5-21-3302202820-3722458155-244911019-500 Account Name: administrator Account Domain: dc01_DS Logon ID: 0x1061b5 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x1f18 Process Information: Process ID: 0 Process Name: 0x1abc Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: %%1538 %%1541 %%4416 %%4419 %%4423 Access Mask: %%1538: %%1801 D:(A;;0x1200a9;;;BA) %%1541: %%1801 D:(A;;0x1200a9;;;BA) %%4416: %%1801 D:(A;;0x1200a9;;;BA) %%4419: %%1801 D:(A;;0x1200a9;;;BA) %%4423: %%1801 D:(A;;0x1200a9;;;BA) Privileges Used for Access Check: 0x120089 Restricted SID Count: -'*
2018/03/12 10:04:30 ossec-agent: DEBUG: Attempting to send message to server.
2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: (no user): no domain: dc01_ADMIN.dc01_ds.local: An attempt was made to access an object. Subject: Security ID: S-1-5-21-3302202820-3722458155-244911019-500 Account Name: administrator Account Domain: dc01_DS Logon ID: 0x1061b5 Object: Object Server: Security Object Type: File Object Name: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms Handle ID: 0x1f18 Process Information: Process ID: 0x1abc Process Name: C:\Windows\explorer.exe Access Request Information: Accesses: %%1541 Access Mask: 0x100000'
2018/03/12 10:04:30 ossec-agent: DEBUG: Attempting to send message to server.
2018/03/12 10:04:30 ossec-agent: DEBUG: Sending message to server: '2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4658): Microsoft-Windows-Security-Auditing: (no user): no domain: dc01_ADMIN.dc01_ds.local: The handle to an object was closed. Subject : Security ID: S-1-5-21-3302202820-3722458155-244911019-500 Account Name: administrator Account Domain: dc01_DS Logon ID: 0x1061b5 Object: Object Server: Security Handle ID: 0x1f18 Process Information: Process ID: 0x1abc Process Name: C:\Windows\explorer.exe'
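An added example (my own code, not the poster's and not part of OSSEC) of the server-side normalization a collector can apply while the agent reports 4656 this way: it parses the flattened WinEvtLog line and, when Process ID is 0 while Process Name looks like a hex PID, recovers the PID from the name field and flags the record so the defect stays visible. The sample lines are constructed after the ones in the post; HOST01 is a placeholder host name.

```python
import re
from typing import Optional

# Constructed sample lines in the flattened form the OSSEC Windows agent sends
# (fields joined by single spaces). The 4656 line reproduces the reported defect:
# "Process ID: 0" with the hex PID sitting in "Process Name".
SAMPLE_LINES = [
    "2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4663): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOST01: An attempt was made to access an object. "
    "Process Information: Process ID: 0x1abc Process Name: C:\\Windows\\explorer.exe "
    "Access Request Information: Accesses: %%1541 Access Mask: 0x100000",
    "2018 Mar 12 10:04:29 WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOST01: A handle to an object was requested. "
    "Process Information: Process ID: 0 Process Name: 0x1abc "
    "Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000}",
]

EVENT_RE = re.compile(r"WinEvtLog: Security: AUDIT_(?:SUCCESS|FAILURE)\((\d+)\)")
# Process Name may contain spaces, so stop at the next section label or end of line.
PROC_RE = re.compile(r"Process ID: (\S+) Process Name: (.*?)(?= Access Request Information:|$)")
HEX_PID_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_process_info(line: str) -> Optional[dict]:
    """Return event id, integer PID, process name and an anomaly tag.

    Returns None for lines without a 'Process ID: ... Process Name: ...' block
    (e.g. 4690, which only carries Source/Target Process ID).
    """
    ev = EVENT_RE.search(line)
    pr = PROC_RE.search(line)
    if not ev or not pr:
        return None
    raw_pid, name = pr.group(1), pr.group(2).strip()
    anomaly = None
    if raw_pid == "0" and HEX_PID_RE.match(name):
        # Defect seen in the 4656 records: the real PID landed in the name field,
        # so take it from there and leave the name unknown rather than inventing one.
        raw_pid, name, anomaly = name, None, "pid_in_name_field"
    return {
        "event_id": int(ev.group(1)),
        "pid": int(raw_pid, 0),  # accepts both "0x1abc" and decimal forms
        "process_name": name,
        "anomaly": anomaly,
    }


def normalize(lines):
    """Apply parse_process_info to a batch of agent lines, dropping non-matching ones."""
    return [r for r in (parse_process_info(l) for l in lines) if r is not None]
```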