I am getting frequent "Rule: 1003 fired" emails:
Received From: (ServerName) ###.###.###.### (ServerIP) ->WinEvtLog
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):
2014 Jun 30 01:07:29 WinEvtLog: Security: AUDIT_SUCCESS(4648): Microsoft-Windows-Security-Auditing: (no user): no domain: ServerName.FQDN: A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: ServerName$ Account
Domain: DomainName Logon ID: 0x3e7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DomainAccountName Account Domain: FQDN Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server:
Target Server Name: MailServerName.FQDN Additional Information: HTTP/ MailServerName.FQDN Process Information: Process ID: 0x688 Process Name: ProgramPath\ProgramName Network Information: Network Address: - Port: - This event is generated when
a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
I saw this posting and answer:
It can parse the log without problems. This message is generated by this rule:
<rule id="1003" level="13" maxsize="1025">
<description>Non standard syslog message (size too large).</description>
</rule>
So, you can ignore that rule for this specific log you are parsing or just increase the size for everyone... Example:
<rule id="100103" level="0">
<description>Ignoring size too large alerts for myapp.</description>
<match>myapp log</match> OR you can use <program_name>myapp</program_name>
</rule>
I looked at the rules I have set up already and they don’t look exactly like the above example, they look more like:
<rule id='100001' level='0'>
<id>52</id> (would be 1003 for above issue)
<description>Ignore ID 52 alerts</description> (would be ID 1003 for above issue)
</rule>
I've seen other people saying that a rule that looks like my others does not work. Will it / should it work?
My question is: Given the rule example that was posted:
<match>myapp log</match> OR you can use <program_name>myapp</program_name>
If I put this in as my new rule, what would I put for “my app log”?
Would this work?
<rule id="100103" level="0">
<description>Ignoring size too large alerts for ProgramName.</description>
<program_name>C:\PathName\ProgramName.exe</program_name>
</rule>
For example if it was C:\Program Files\Microsoft\Notepad.exe (yes, I know that’s not the right path, just an example) that was the “offending” executable would I put:
<rule id="100103" level="0">
<description>Ignoring size too large alerts for Notepad.</description>
<program_name>C:\ProgramFiles\Notepad.exe</program_name>
</rule>
Or would I just put:
<rule id="100103" level="0">
<description>Ignoring size too large alerts for Notepad.</description>
<program_name>Notepad.exe</program_name>
</rule>
Thanks in advance,
Randy Dover
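One way to write the override, given here as an added example and not as anything from the thread above: it hangs a level-0 child rule off rule 1003 with OSSEC's <if_sid>, so only the oversize messages that are also event 4648 and name the given process are silenced, while every other oversize message keeps raising the original alert. Assumptions: the stock OSSEC windows decoder exposes the event ID as the decoded "id" field, and ProgramName.exe is a placeholder for the executable shown in the event's "Process Name:" field.

```xml
<group name="local,syslog,">
  <!-- Added example: a level-0 child of rule 1003 ("size too large").
       A child rule is only evaluated after its parent matched, so this
       silences 1003 just for explicit-credential logons (event 4648)
       that mention the placeholder process ProgramName.exe; all other
       oversize messages still fire the original level-13 alert. -->
  <rule id="100103" level="0">
    <if_sid>1003</if_sid>
    <!-- Assumes the stock windows decoder, which puts the event ID in "id". -->
    <id>^4648$</id>
    <!-- match is a plain substring search over the whole message, so the
         bare executable name from "Process Name:" is enough as long as
         that name is distinctive. -->
    <match>ProgramName.exe</match>
    <description>Ignoring size too large alerts for ProgramName.exe explicit-credential logons.</description>
  </rule>
</group>
```

Place the rule in local_rules.xml and restart OSSEC; feeding a copy of the event to ossec-logtest shows whether it now ends at rule 100103 instead of 1003.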