Windows time changes Alert


moe hans

Oct 9, 2015, 2:15:41 PM
to ossec...@googlegroups.com
Hi, I would like to receive alerts when someone changes the time on a Windows server. I can see that logs are being sent to the OSSEC server, but it does not alert me.

2015 Oct 09 11:02:08 (Bookadmin-sry) 192.168.161.149->WinEvtLog 2015 Oct 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4616): Microsoft-Windows-Security-Auditing: (no user): no domain: bookadmin-sry: The system time was changed. Subject:  Security ID:  S-1-5-21-4177568406-2897204066-3252460601-500  Account Name:  Administrator  Account Domain:  BOOKADMIN-SRY  Logon ID:  0x3bb6d17  Process Information:  Process ID: (null)  Name:    Previous Time:  2015-10-09T07:02:06.000000000Z 2015-10-09T18:02:07.279218900Z New Time:  C:\Windows\System32\rundll32.exe 0x2954  This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.


In the Windows event log it shows up as event ID 1.

--
Moe Hans

Brent Morris

Oct 19, 2015, 11:15:37 AM
to ossec-list
Hi Moe,

Edit your /var/ossec/rules/local_rules.xml and add this:

  <rule id="18140" level="7" overwrite="yes">
    <if_sid>18104</if_sid>
    <id>^520$|^4616$</id>
    <description>System time changed.</description>
    <group>time_changed,</group>
  </rule>

That should do the trick, so long as alert level 7 meets the alert level threshold set in your ossec.conf.
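The reply's rule fires on every 520/4616, which includes the routine adjustments the event text itself says the Windows Time Service makes "on a regular basis". The script below is an added example (not code from the thread or from the OSSEC project) that runs the same match logic over OSSEC-formatted WinEvtLog lines and separates the W32Time noise from a change made by an interactive user and an arbitrary process, as in the rundll32.exe event in the question. Assumptions, all labelled in the code: the Windows Time service runs as LOCAL SYSTEM (S-1-5-18) inside svchost.exe, so that pair is treated as routine; the ossec.conf threshold is 7; and the second and third sample lines are constructed, only the first is the event quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Event IDs Windows uses for "The system time was changed": 520 on
# pre-Vista systems and 4616 from Vista onward, the same pair the reply's
# rule matches with <id>^520$|^4616$</id>.
TIME_CHANGE_IDS = {"520", "4616"}

# Well-known SID of LOCAL SYSTEM. Assumption behind the allowlist below:
# the Windows Time service (W32Time) runs inside an svchost.exe process as
# LOCAL SYSTEM, so a 4616 from S-1-5-18 + svchost.exe is its routine sync.
LOCAL_SYSTEM_SID = "S-1-5-18"

RULE_LEVEL = 7        # level the rule in the reply assigns to the event
ALERT_THRESHOLD = 7   # assumed <log_alert_level> value in ossec.conf

# OSSEC agent rendering: "... WinEvtLog: Security: AUDIT_SUCCESS(4616): ..."
EVENT_RE = re.compile(
    r"WinEvtLog: Security: (?P<status>AUDIT_SUCCESS|AUDIT_FAILURE)\((?P<id>\d+)\)"
)
SID_RE = re.compile(r"Security ID:\s+(?P<sid>S-1-5(?:-\d+)+)")
ACCOUNT_RE = re.compile(r"Account Name:\s+(?P<name>\S+)")
# First Windows path ending in .exe anywhere in the line. Searching the whole
# line rather than the text right after "Name:" is deliberate: the agent
# output quoted in the question has the process name and the timestamps in a
# shuffled order, and this still recovers rundll32.exe from that line.
# Limitation: paths containing spaces are not matched.
EXE_RE = re.compile(r"(?P<exe>[A-Za-z]:\\(?:[^\s\\]+\\)*[^\s\\]+\.exe)", re.IGNORECASE)


@dataclass
class TimeChange:
    event_id: str
    sid: str
    account: str
    process: str
    routine: bool   # True when it looks like the Windows Time service


def parse_time_change(line: str) -> Optional[TimeChange]:
    """Return a TimeChange for a 520/4616 line, None for any other event."""
    m = EVENT_RE.search(line)
    if m is None or m.group("id") not in TIME_CHANGE_IDS:
        return None
    sid_m, acct_m, exe_m = SID_RE.search(line), ACCOUNT_RE.search(line), EXE_RE.search(line)
    sid = sid_m.group("sid") if sid_m else ""
    process = exe_m.group("exe") if exe_m else ""
    routine = sid == LOCAL_SYSTEM_SID and process.lower().endswith("\\svchost.exe")
    return TimeChange(m.group("id"), sid, acct_m.group("name") if acct_m else "", process, routine)


def alert_level(tc: TimeChange) -> int:
    """Level 0 silences the routine W32Time case; anything else gets the rule's level."""
    return 0 if tc.routine else RULE_LEVEL


def run(lines: List[str]) -> List[Tuple[int, TimeChange]]:
    """Return (level, event) pairs that clear the alert threshold, in input order."""
    alerts = []
    for line in lines:
        tc = parse_time_change(line)
        if tc is not None and alert_level(tc) >= ALERT_THRESHOLD:
            alerts.append((alert_level(tc), tc))
    return alerts


# Sample input. Line 1 is the event quoted in the question with its trailing
# explanatory text dropped; lines 2 and 3 are constructed: a W32Time sync
# and an unrelated logon event.
SAMPLE_LINES = [
    r"2015 Oct 09 11:02:08 (Bookadmin-sry) 192.168.161.149->WinEvtLog 2015 Oct 09 00:02:05 WinEvtLog: Security: AUDIT_SUCCESS(4616): Microsoft-Windows-Security-Auditing: (no user): no domain: bookadmin-sry: The system time was changed. Subject:  Security ID:  S-1-5-21-4177568406-2897204066-3252460601-500  Account Name:  Administrator  Account Domain:  BOOKADMIN-SRY  Logon ID:  0x3bb6d17  Process Information:  Process ID: (null)  Name:    Previous Time:  2015-10-09T07:02:06.000000000Z 2015-10-09T18:02:07.279218900Z New Time:  C:\Windows\System32\rundll32.exe 0x2954",
    r"2015 Oct 09 11:15:02 (Bookadmin-sry) 192.168.161.149->WinEvtLog 2015 Oct 09 00:15:01 WinEvtLog: Security: AUDIT_SUCCESS(4616): Microsoft-Windows-Security-Auditing: (no user): no domain: bookadmin-sry: The system time was changed. Subject:  Security ID:  S-1-5-18  Account Name:  BOOKADMIN-SRY$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Process Information:  Process ID:  0x3f4  Name:  C:\Windows\System32\svchost.exe  Previous Time:  2015-10-09T07:15:00.998000000Z  New Time:  2015-10-09T07:15:01.000000000Z",
    r"2015 Oct 09 11:16:40 (Bookadmin-sry) 192.168.161.149->WinEvtLog 2015 Oct 09 00:16:39 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: bookadmin-sry: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  BOOKADMIN-SRY$",
]

if __name__ == "__main__":
    for level, tc in run(SAMPLE_LINES):
        print(f"ALERT level {level}: event {tc.event_id} by {tc.account} ({tc.sid}) via {tc.process}")
```

Only the Administrator/rundll32.exe event reaches the threshold; the svchost.exe sync from S-1-5-18 parses as a time change but is assigned level 0, and the 4624 logon is ignored. The same split can be expressed in OSSEC itself with a second local rule that has the time-change rule as its if_sid and matches the SYSTEM/svchost.exe case at level 0, leaving the level-7 rule for everything else.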