OSSEC HIDS Notification.
2017 Aug 25 05:57:35
Received From: (xxx-osagt-rdp6) 10.1.0.99->WinEvtLog
Rule: 18138 fired (level 7) -> "Logon Failure - Account locked out."
Portion of the log(s):
2017 Aug 25 05:57:04 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-C49P2039Q3K: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: xxxxxxxx Account Domain: Failure Information: Failure Reason: %%2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted.
--END OF NOTIFICATION
Can someone advise why the Linux agent email contains the Windows login error logs?
Note: I have removed grouping of e-mails in my ossec.conf file.
Are there any basic settings I am missing?
Regards,
Srikar