Windows login failure event 4625 not logging


Jarrod Farncomb

Dec 8, 2014, 7:14:15 PM
to ossec...@googlegroups.com
I'm having an issue getting failed logins to Windows servers to log correctly to alerts.log.

I've created a login failure and confirmed the Windows event logs show this as ID 4625.

Checking in the rules directory on the OSSEC server, this appears within the <id> field of the msauth rule file (ID 18106); however, it doesn't actually seem to detect or log it to alerts.log.

What needs to be changed? When I run ossec-logtest and put the ID 4625 in it says that no rules have been applied, despite there already being one that appears to match it.

gr...@castraconsulting.com

Dec 9, 2014, 7:28:14 AM
to ossec...@googlegroups.com
"When I run ossec-logtest and put the ID 4625 "

Do you paste the entire log into the logtest?

Can you put your logtest output here?

dan (ddp)

Dec 9, 2014, 7:45:06 AM
to ossec...@googlegroups.com
What version of OSSEC, and can you provide a log sample?


Jarrod Farncomb

Dec 9, 2014, 7:10:20 PM
to ossec...@googlegroups.com
Ah, I was not pasting the whole log into the logtest, just the ID. I've done this now, which shows as below. Running OSSEC HIDS 2.6; the agent is Windows agent 2.6.1, I believe.

The log I pasted into ossec-logtest was the syslog output (the Windows event logs are sent to a syslog server via Snare). I'm not sure how the Windows OSSEC agent sends it off to the OSSEC server, so it may be in a different format and not syslog?

root@ossec:/var/ossec/bin# ./ossec-logtest
2014/12/10 10:54:50 ossec-testrule: INFO: Reading local decoder file.
2014/12/10 10:54:50 ossec-testrule: INFO: Started (pid: 10688).
ossec-testrule: Type one log per line.

MSWinEventLog   1       Security        17597   Wed Dec 10 10:38:17 2014        4625    Microsoft-Windows-Security-Auditing     domain\user    N/A     Failure Auditwindowsbox2.domain.local       Logon           An account failed to log on.    Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Logon Type:   3    Account For Which Logon Failed:   Security ID:  S-1-0-0   Account Name:  user   Account Domain:  domain    Failure Information:   Failure Reason:  Unknown user name or bad password.   Status:   0xc000006d   Sub Status:  0xc0000064    Process Information:   Caller Process ID: 0x0   Caller Process Name: -    Network Information:   Workstation Name: windowsbox   Source Network Address: -   Source Port:  -    Detailed Authentication Information:   Logon Process:  NtLmSsp    Authentication Package: NTLM   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon request fails. It is generated on the computer where access was attempted.    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).    The Process Information fields indicate which account and process on the system requested the logon.    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.    The authentication information fields provide detailed information about this specific logon request.   - Transited services indicate which intermediate services have participated in this logon request.   - Package name indicates which sub-protocol was used among the NTLM protocols.   
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.   15406


**Phase 1: Completed pre-decoding.
       full event: 'MSWinEventLog   1       Security        17597   Wed Dec 10 10:38:17 2014        4625    Microsoft-Windows-Security-Auditing     domain\user    N/A     Failure Auditwindowsbox2.domain.local       Logon           An account failed to log on.    Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Logon Type:   3    Account For Which Logon Failed:   Security ID:  S-1-0-0   Account Name:  user   Account Domain:  domain    Failure Information:   Failure Reason:  Unknown user name or bad password.   Status:   0xc000006d   Sub Status:  0xc0000064    Process Information:   Caller Process ID: 0x0   Caller Process Name: -    Network Information:   Workstation Name: windowsbox   Source Network Address: -   Source Port:  -    Detailed Authentication Information:   Logon Process:  NtLmSsp    Authentication Package: NTLM   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon request fails. It is generated on the computer where access was attempted.    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).    The Process Information fields indicate which account and process on the system requested the logon.    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.    The authentication information fields provide detailed information about this specific logon request.   - Transited services indicate which intermediate services have participated in this logon request.   - Package name indicates which sub-protocol was used among the NTLM protocols.   
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.   15406'
       hostname: 'ossec'
       program_name: '(null)'
       log: 'MSWinEventLog   1       Security        17597   Wed Dec 10 10:38:17 2014        4625    Microsoft-Windows-Security-Auditing     domain\user    N/A     Failure Auditwindowsbox2.domain.local       Logon           An account failed to log on.    Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Logon Type:   3    Account For Which Logon Failed:   Security ID:  S-1-0-0   Account Name:  user   Account Domain:  domain    Failure Information:   Failure Reason:  Unknown user name or bad password.   Status:   0xc000006d   Sub Status:  0xc0000064    Process Information:   Caller Process ID: 0x0   Caller Process Name: -    Network Information:   Workstation Name: windowsbox   Source Network Address: -   Source Port:  -    Detailed Authentication Information:   Logon Process:  NtLmSsp    Authentication Package: NTLM   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon request fails. It is generated on the computer where access was attempted.    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).    The Process Information fields indicate which account and process on the system requested the logon.    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.    The authentication information fields provide detailed information about this specific logon request.   - Transited services indicate which intermediate services have participated in this logon request.   - Package name indicates which sub-protocol was used among the NTLM protocols.   
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.   15406'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1003'
       Level: '13'
       Description: 'Non standard syslog message (size too large).'
**Alert to be generated.
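The logtest output above shows why the msauth rule never fires: no decoder claims the Snare line, so the only thing left to match is the generic syslog size rule 1003, and the huge Microsoft explanatory text appended to every 4625 is what pushes the line over the limit. The following Python is an added example, not code from the thread or from the OSSEC project. It parses a Snare MSWinEventLog line into its tab-separated positional fields (the field positions are taken from the sample posted above, not from a Snare specification), pulls out the parts of a 4625 that a defender actually wants (target account, logon type, status and sub status, workstation) and flags the line as oversized against an assumed 1024-byte threshold, which is a placeholder and not OSSEC's configured maxsize. The sample event is constructed to mirror the post's event with the descriptive boilerplate shortened; real Snare lines are tab-delimited, which the extraction flattened in the post. The sub status meanings are the NTSTATUS values Microsoft documents for event 4625.

```python
import re

# Constructed sample modelled on the Snare event in the thread above: the same
# positional header fields, but with the Windows explanatory text shortened.
# Real Snare lines are tab-delimited; extraction flattened the tabs in the post.
SAMPLE = "\t".join([
    "MSWinEventLog", "1", "Security", "17597", "Wed Dec 10 10:38:17 2014",
    "4625", "Microsoft-Windows-Security-Auditing", "domain\\user", "N/A",
    "Failure Audit", "windowsbox2.domain.local", "Logon", "",
    "An account failed to log on.    Subject:   Security ID:  S-1-0-0   "
    "Account Name:  -   Account Domain:  -   Logon ID:  0x0    Logon Type:   3    "
    "Account For Which Logon Failed:   Security ID:  S-1-0-0   Account Name:  user   "
    "Account Domain:  domain    Failure Information:   Failure Reason:  "
    "Unknown user name or bad password.   Status:   0xc000006d   "
    "Sub Status:  0xc0000064    Process Information:   Caller Process ID: 0x0   "
    "Network Information:   Workstation Name: windowsbox   "
    "Source Network Address: -   Source Port:  -    Detailed Authentication "
    "Information:   Logon Process:  NtLmSsp    Authentication Package: NTLM",
    "15406",
])

# Assumed threshold for the "size too large" check. OSSEC's stock rule 1003 uses
# its own configured maxsize; this placeholder does not claim to reproduce it.
MAX_SYSLOG_BYTES = 1024

# Microsoft-documented 4625 sub status codes (NTSTATUS values).
SUB_STATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "correct user name, wrong password",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
    "0xc0000193": "account expired",
    "0xc0000071": "password expired",
}

# Field positions as they appear in the posted sample (0-based after splitting on tabs).
IDX_EVENT_ID, IDX_USER, IDX_TYPE, IDX_COMPUTER, IDX_MESSAGE = 5, 7, 9, 10, 13

# Regexes over the free-text message body of a 4625 event.
MESSAGE_RE = {
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
    "status": re.compile(r"(?<!Sub )Status:\s+(0x[0-9a-fA-F]+)"),
    "sub_status": re.compile(r"Sub Status:\s+(0x[0-9a-fA-F]+)"),
    "failure_reason": re.compile(r"Failure Reason:\s+(.+?)\s{2,}"),
    "target_user": re.compile(r"Account For Which Logon Failed:.*?Account Name:\s+(\S+)"),
    "target_domain": re.compile(r"Account For Which Logon Failed:.*?Account Domain:\s+(\S+)"),
    "workstation": re.compile(r"Workstation Name:\s+(\S+)"),
}


def parse_snare(line):
    """Split a Snare MSWinEventLog line into positional fields; None if it is not one."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) <= IDX_MESSAGE or fields[0] != "MSWinEventLog":
        return None
    return {
        "event_id": int(fields[IDX_EVENT_ID]),
        "user": fields[IDX_USER],
        "event_type": fields[IDX_TYPE],
        "computer": fields[IDX_COMPUTER],
        "message": fields[IDX_MESSAGE],
        "size": len(line.encode("utf-8")),
    }


def classify_4625(line):
    """Return the detection-relevant fields of a 4625 event, or None for anything else."""
    ev = parse_snare(line)
    if ev is None or ev["event_id"] != 4625:
        return None
    out = {"event_id": 4625, "computer": ev["computer"], "size_bytes": ev["size"]}
    for name, rx in MESSAGE_RE.items():
        m = rx.search(ev["message"])
        out[name] = m.group(1) if m else None
    out["reason"] = SUB_STATUS.get((out["sub_status"] or "").lower(), "unspecified")
    # A single Snare line carrying the whole Microsoft description is exactly what
    # trips a syslog size rule before any authentication rule gets to see it.
    out["oversized"] = ev["size"] > MAX_SYSLOG_BYTES
    return out


if __name__ == "__main__":
    for key, value in classify_4625(SAMPLE).items():
        print(f"{key:15} {value}")
```

Run against the full event from the post (tabs restored), `oversized` comes out true, which is the condition rule 1003 reports; the shortened sample stays under the assumed limit. The sub status, not the generic "Unknown user name or bad password" reason, is what separates a non-existent account (0xc0000064, as here) from a wrong password for a real one, so it is the field worth keeping in any alert built from this event.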