'Windows Logon Success' shows the 'User' sometimes, but other times it puts 'ANONYMOUS LOGON'


Jay Bittner

Sep 8, 2014, 8:45:26 PM
to ossec...@googlegroups.com
Hi guys. My company is currently setting up security per the PCI requirements. 

What we are doing is logging events on our 'call center' Windows computers, which send logs back to our server, which we can check on our Dev computers. 

One problem I've noticed in the logs, which isn't very helpful, is that for some of the 'Windows Logon Success' events (Alert 1410221611), it often puts 'ANONYMOUS LOGON' or 'SYSTEM' instead of the actual user account that logged in. But on other alerts, from some of the other computers, it puts the actual person's login name (e.g. j...@gmail.com). Our employees use their email addresses to log in to Windows.

Where and how would I go about re-configuring the setup so that it shows a user's email 100% of the time on Login/Logout/etc. Windows events? That's the only way those alerts are going to be helpful.

I have some screenshots of the different situations I'm describing.
logoffanonymous.png
logonanonymous.png
logonsystem.png
logonworking.png

Brian Kellogg

Sep 8, 2014, 10:36:20 PM
to ossec...@googlegroups.com

dan (ddp)

Sep 9, 2014, 8:13:54 AM
to ossec...@googlegroups.com
Can you provide working and non-working log samples?


Michael Starks

Sep 9, 2014, 10:00:20 AM
to ossec...@googlegroups.com
On 2014-09-08 19:45, Jay Bittner wrote:

> One problem I've noticed in the logs, which isn't very helpful, is
> that for some of the 'Windows Logon Success' events (Alert 1410221611),
> it often puts 'ANONYMOUS LOGON' or 'SYSTEM' instead of the
> actual user account that logged in. But on other alerts, from some of
> the other computers, it puts the actual person's login name (e.g.
> j...@gmail.com). Our employees use their email addresses to log in to Windows.

The problem is that in these cases the user truly is 'ANONYMOUS' or
'SYSTEM'. If you look at the event in Event Viewer, you will see that
the user in the top part of the event (where the fields are delineated)
is most likely the user you are seeing decoded. For instance, a failed
logon will often show up as SYSTEM because Windows wasn't able to truly
authenticate who it was, so it uses its own name.

To correct this requires a rewrite of the decoder to account for the
nuances where the expected username is further into the message. It's
not a simple task. Sometimes one even contains a source and destination
user, as is the case with account changes, so you have to decide which
one you care about. And each event ID from different versions of Windows
may be different.

A while back I started a log corpus and put a call out for help so we
could tackle this problem, but no one jumped in. I don't think this can
be truly fixed without a large sample of Windows logs and documentation
of the OSSEC log format, the latter of which I also offered to help with,
but that offer was rejected.
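As an added example (not code from the thread, and not OSSEC's own decoder), here is a Python sketch of the decoding step Michael describes: for event 4624 the account that actually logged on is read from the "New Logon" section of the message body instead of the header field that the stock decoder surfaces. The two log lines are constructed approximations of the shape in which the OSSEC Windows agent forwards Security events, not captured data, and the hostnames and account names are made up.

```python
import re

# Constructed sample lines approximating the OSSEC Windows agent format
# (illustrative only; not captured from the systems in the thread).
SAMPLE_EVENTS = [
    # Interactive logon: header says SYSTEM, the real account is in "New Logon".
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "SYSTEM: NT AUTHORITY: CC-PC01: An account was successfully logged on. "
    "Subject: Security ID: S-1-5-18 Account Name: CC-PC01$ Account Domain: WORKGROUP "
    "Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-1-2-3-1001 "
    "Account Name: jay@example.com Account Domain: CORP Logon ID: 0x4a1b2",
    # Null-session network logon: here the account genuinely is ANONYMOUS LOGON.
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "ANONYMOUS LOGON: NT AUTHORITY: CC-PC02: An account was successfully logged on. "
    "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 "
    "Logon Type: 3 New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON "
    "Account Domain: NT AUTHORITY Logon ID: 0x5c3d4",
]

# Header fields are colon-separated; everything after the hostname is the body.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<eid>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"(?P<message>.*)$"
)
# For 4624 the account that actually logged on lives in the "New Logon" section.
NEW_LOGON_RE = re.compile(
    r"New Logon:.*?Account Name: (?P<name>.+?) Account Domain: (?P<dom>.+?) Logon ID:"
)
LOGON_TYPE_RE = re.compile(r"Logon Type: (?P<lt>\d+)")


def effective_user(line):
    """Return who actually logged on, alongside what the header alone says."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    body = m.group("message")
    result = {
        "event_id": int(m.group("eid")),
        "header_user": m.group("user"),  # what the stock decoder would surface
        "user": m.group("user"),
        "domain": m.group("domain"),
        "logon_type": None,
    }
    lt = LOGON_TYPE_RE.search(body)
    if lt:
        result["logon_type"] = int(lt.group("lt"))
    if result["event_id"] == 4624:
        nl = NEW_LOGON_RE.search(body)
        if nl:
            result["user"], result["domain"] = nl.group("name"), nl.group("dom")
    # A genuine anonymous network logon is a separate thing to alert on, not noise.
    result["anonymous"] = result["user"] == "ANONYMOUS LOGON"
    return result
```

Other event IDs (logoff, account changes) put the interesting name in different sections, which is the per-event-ID work Michael refers to; this block only handles 4624 and falls back to the header user otherwise.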