Here's what I'm seeing:
- there are events that get an alert level assigned and appear in alert.log.
- there are other events that have no alert level and appear ONLY in ossec-archive.log.
Here is an example of an entry that is in ossec-archive, but not ossec-alert:
2019 Feb 27 13:03:27 <redacted>->EventChannel {"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}","EventID":"4663","Version":"0","Level":"0","Task":"12800","Opcode":"0","Keywords":"0x8020000000000000","SystemTime":"2019-02-27T13:03:24.390036700Z","EventRecordID":"4525254862","ProcessID":"4","ThreadID":"88","Channel":"Security","Computer":"<redacted>","SeverityValue":"AUDIT_SUCCESS","Message":"An attempt was made to access an object."},"EventData":{"SubjectUserSid":"<redacted>","SubjectUserName":"<redacted>","SubjectDomainName":"<redacted>","SubjectLogonId":"<redacted>","ObjectServer":"Security","ObjectType":"File","ObjectName":"<redacted>","HandleId":"0x27cc","AccessList":"%%4424","AccessMask":"0x100","ProcessId":"0x4","ProcessName":""}}}
Does this mean that there is no rule for these events, so they are simply archived?
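An added example, not code from the post or from Security Onion/OSSEC: a small parser for archive-log lines in the shape quoted above that tallies EventChannel entries by provider, channel and EventID, so you can see at a glance which Windows event IDs are landing in the archive. The line layout (timestamp, agent->location, payload) and the sample lines are assumed and constructed here.

```python
import json
import re
from collections import Counter

# Assumed layout of an ossec-archive.log line: "<YYYY Mon DD HH:MM:SS> <agent>-><location> <payload>"
ARCHIVE_LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<agent>\S+)->(?P<location>\S+) (?P<payload>.*)$"
)

def parse_archive_line(line):
    """Return timestamp, agent, location and decoded EventChannel payload; None if the line does not parse."""
    m = ARCHIVE_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["event"] = None
    if rec["location"] == "EventChannel":
        try:
            rec["event"] = json.loads(rec["payload"])["EventChannel"]
        except (ValueError, KeyError, TypeError):
            pass  # non-JSON or unexpected payload: keep the raw line, drop the decode
    return rec

def summarize_eventchannel(lines):
    """Count archived EventChannel entries by (ProviderName, Channel, EventID)."""
    counts = Counter()
    for line in lines:
        rec = parse_archive_line(line)
        if rec and rec["event"]:
            sysinfo = rec["event"].get("System", {})
            counts[(sysinfo.get("ProviderName"), sysinfo.get("Channel"), sysinfo.get("EventID"))] += 1
    return counts

# Constructed sample lines (same shape as the entry quoted in the post, with fields shortened)
SAMPLE_LINES = [
    '2019 Feb 27 13:03:27 host1->EventChannel {"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Security-Auditing","EventID":"4663","Channel":"Security","SeverityValue":"AUDIT_SUCCESS"},"EventData":{"ObjectType":"File","AccessMask":"0x100"}}}',
    '2019 Feb 27 13:03:28 host1->EventChannel {"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Security-Auditing","EventID":"4663","Channel":"Security","SeverityValue":"AUDIT_SUCCESS"},"EventData":{"ObjectType":"File","AccessMask":"0x2"}}}',
    '2019 Feb 27 13:03:29 host1->EventChannel {"EventChannel":{"System":{"ProviderName":"Microsoft-Windows-Security-Auditing","EventID":"4624","Channel":"Security","SeverityValue":"AUDIT_SUCCESS"},"EventData":{"LogonType":"3"}}}',
    '2019 Feb 27 13:03:30 host1->syslog Feb 27 13:03:30 host1 sshd[123]: Accepted publickey for user',
]

if __name__ == "__main__":
    for key, n in summarize_eventchannel(SAMPLE_LINES).most_common():
        print(n, key)
```

Run it against a real archive file by replacing SAMPLE_LINES with the file's lines; event IDs that show up here but never in alerts.log are the ones with no matching rule or a rule at level 0.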
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
Visit this group at https://groups.google.com/group/security-onion.