From OSSEC Wiki
Sample 1
** Alert 1157059138.537:
2006 Sep 01 00:18:58 topgun->/var/log/mail.info
Rule: 3303 (level 5) -> 'Sender domain is not found (450: Requested mail action not taken).'
Src IP: 82.182.108.180
User: (none)
postfix/smtpd[4351]: NOQUEUE: reject: RCPT from 1-1-4-21a.gka.gbg[172.16.108.180]: 450 <shoshana@localhost.localdomain>: Recipient address rejected: Gre helo=<1-1-4-21a.gka.gbg>
Sample 2
** Alert 1157453980.455791: mail
2006 Sep 05 13:59:40 (Web) 195.X.X.X->WinEvtLog
Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: X: Logon Failure: Reason: Unknown user name or bad password User Name: X Domain: X Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: X
WinEvtLog: Security: AUDIT_FAILURE(681): Security: SYSTEM: NT AUTHORITY: X: The logon to account: X by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: X failed. The error code was: 3221225572

** Alert 1157450401.442293: mail
2006 Sep 05 13:00:01 (Web) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\Program Files/Microsoft SQL Server/MSSQL/Data/X.mdf' has changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL/Data/X.mdf'
Size changed from '112132096' to '135725056'

** Alert 1157448825.440232: mail
2006 Sep 05 12:33:45 (SERVER2) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\WINNT/Debug/PASSWD.LOG' has changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\WINNT/Debug/PASSWD.LOG'
Size changed from '12460' to '12638'
Old md5sum was: '7815a64d079991d60aeba658be961633'
New md5sum is : 'e58818dd1f1155053a4616e1884dc554'
Old sha1sum was: '9df84637f4d746899cbd80bafcc2e37fc7066bdf'
New sha1sum is : '0d5b6ccabe9ae1d37ed0c4dad72f61e816620e47'
Sample 3
** Alert 1158059536.19220030: nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: (0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
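All three samples share one layout: a "** Alert" header carrying the alert id and a mail/nomail flag (absent in sample 1), a timestamp followed by host->location with the agent name in parentheses for agent-reported events, the Rule line with rule id and level, Src IP, User, and then the raw event lines that fired the rule. The parser below is an added example, not OSSEC's own code: it reads that layout into records, pulls the path, size change and old/new digests out of a syscheck alert, and selects alerts at or above a level threshold. Its sample input is transcribed from samples 2 and 3 above. Two choices are this example's own assumptions: "(0.0.0.0)" is treated as an absent source IP just like "(none)", and the default threshold of 7 matches OSSEC's default email_alert_level, which is the same cut-off the mail/nomail flags in the headers reflect.

```python
# Added example, not OSSEC's own code. It assumes the classic alerts.log layout seen above:
# header, timestamp + location, Rule, Src IP, User, then the raw event lines.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed input transcribed from samples 2 and 3 above (the X's are anonymised there too).
SAMPLE_ALERTS = """\
** Alert 1157453980.455791: mail
2006 Sep 05 13:59:40 (Web) 195.X.X.X->WinEvtLog
Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: X: Logon Failure: Reason: Unknown user name or bad password User Name: X Domain: X Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: X
WinEvtLog: Security: AUDIT_FAILURE(681): Security: SYSTEM: NT AUTHORITY: X: The logon to account: X by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: X failed. The error code was: 3221225572

** Alert 1157448825.440232: mail
2006 Sep 05 12:33:45 (SERVER2) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\\WINNT/Debug/PASSWD.LOG' has changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\\WINNT/Debug/PASSWD.LOG'
Size changed from '12460' to '12638'
Old md5sum was: '7815a64d079991d60aeba658be961633'
New md5sum is : 'e58818dd1f1155053a4616e1884dc554'
Old sha1sum was: '9df84637f4d746899cbd80bafcc2e37fc7066bdf'
New sha1sum is : '0d5b6ccabe9ae1d37ed0c4dad72f61e816620e47'

** Alert 1158059536.19220030: nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: (0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):\s*(?P<tag>.*)$")
WHEN_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<loc>.*)$")
LOC_RE = re.compile(r"^(?:\((?P<agent>[^)]*)\)\s+)?(?P<host>.*?)\s*->\s*(?P<source>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SIZE_RE = re.compile(r"^Size changed from '(?P<old>\d+)' to '(?P<new>\d+)'$")
HASH_RE = re.compile(r"^(?P<which>Old|New) (?P<algo>md5|sha1)sum (?:was|is)\s*: '(?P<hex>[0-9a-f]+)'$")

@dataclass
class Alert:
    alert_id: str          # epoch.counter, unique per manager
    tag: str               # 'mail' / 'nomail' here; newer OSSEC writes '- group,group,' instead
    timestamp: datetime
    agent: Optional[str]   # '(name)' prefix of agent-reported events, else None
    host: str              # hostname or IP before '->'
    source: str            # log file, 'WinEvtLog', 'syscheck', ... after '->'
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str]  # None for '(none)' and, by this example's choice, '(0.0.0.0)'
    user: Optional[str]
    log_lines: List[str]   # the raw event lines that fired the rule

def _opt(value: str) -> Optional[str]:  # '(none)' and '(0.0.0.0)' mean "absent" here
    return None if value.strip().strip("()") in ("", "none", "0.0.0.0") else value.strip()

def _parse_block(lines: List[str]) -> Alert:
    if len(lines) < 5:
        raise ValueError("truncated alert block: %r" % lines)
    header, when, rule = HEADER_RE.match(lines[0]), WHEN_RE.match(lines[1]), RULE_RE.match(lines[2])
    loc = LOC_RE.match(when.group("loc")) if when else None
    if not (header and loc and rule and lines[3].startswith("Src IP: ") and lines[4].startswith("User: ")):
        raise ValueError("unrecognised alert layout: %r" % lines[:5])
    return Alert(
        alert_id=header.group("id"), tag=header.group("tag").strip(),
        timestamp=datetime.strptime(when.group("ts"), "%Y %b %d %H:%M:%S"),
        agent=loc.group("agent"), host=loc.group("host"), source=loc.group("source"),
        rule_id=int(rule.group("rule")), level=int(rule.group("level")), description=rule.group("desc"),
        src_ip=_opt(lines[3][8:]), user=_opt(lines[4][6:]), log_lines=lines[5:])

def parse_alerts(text: str) -> List[Alert]:  # split the stream on '** Alert' headers; blanks are skipped
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("** Alert "):
            blocks.append([line])
        elif blocks and line.strip():
            blocks[-1].append(line)
    return [_parse_block(b) for b in blocks]

def syscheck_details(alert: Alert) -> Dict[str, str]:
    """Path, size change and digests of a syscheck alert, keyed path/old_size/new_size/old_md5/new_sha1/..."""
    details: Dict[str, str] = {}
    for line in alert.log_lines:
        path = re.match(r"^Integrity checksum changed for: '(.*)'$", line)
        size, digest = SIZE_RE.match(line), HASH_RE.match(line)
        if path:
            details["path"] = path.group(1)
        elif size:
            details["old_size"], details["new_size"] = size.group("old"), size.group("new")
        elif digest:
            details[digest.group("which").lower() + "_" + digest.group("algo")] = digest.group("hex")
    return details

def needs_attention(alerts: List[Alert], min_level: int = 7) -> List[str]:
    """Ids of alerts at or above min_level; 7 is OSSEC's default email_alert_level (assumed here)."""
    return [a.alert_id for a in alerts if a.level >= min_level]
```

Importing the module and calling parse_alerts(SAMPLE_ALERTS) yields three records; needs_attention on them returns exactly the two alerts whose headers say "mail" (levels 10 and 8), while the level-4 kernel alert stays below the threshold, which is what its "nomail" flag records. syscheck_details on the PASSWD.LOG alert returns the old and new MD5 and SHA-1 values as separate fields, which is the form in which they are useful for matching against other file-integrity or endpoint telemetry. A block that is too short or does not follow the five-line preamble raises ValueError rather than silently producing a half-filled record.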