X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;ds=sidebyside;f=etc%2Frules%2Fmsauth_rules.xml;h=fcfcf2ca2d0195564e2ae9208ed201f076886885;hb=789cbc8e52da68eba3517b920ef22e000cf3c9fd;hp=eda0490462ecfd4822e2cca218435486c0c0e25f;hpb=ef70704f0b31b59bb719b884d6a99cb9e3e2044a;p=ossec-hids.git
diff --git a/etc/rules/msauth_rules.xml b/etc/rules/msauth_rules.xml
index eda0490..fcfcf2c 100755
--- a/etc/rules/msauth_rules.xml
+++ b/etc/rules/msauth_rules.xml
@@ -62,27 +62,27 @@
18104
- ^528$|^540$|^672$|^673$|^4624$|^4769$
+ ^528$|^540$|^673$|^4624$|^4769$
Windows Logon Success.
authentication_success,
18105
- ^577$
+ ^577$|^4673$
Failed attempt to perform a privileged
operation.
18104
- ^682$|^683$
+ ^682$|^683$|^4778$|^4779$
Session reconnected/disconnected to winstation.
18104
- ^624$|^626$|^645$|^4720$|^4722$|^4741$
+ ^624$|^626$|^4720$|^4722$
User account enabled or created.
adduser,account_changed,
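Review bot: Removing `^672$` from the Logon Success list here, and `^672$` together with `^676$` from the DC Logon Failure list in the hunk at line 267, leaves the Kerberos authentication-ticket events with no matching rule in the visible part of the file. The commit does not say why. If the removal is deliberate, a comment above each rule such as `<!-- 672/676 (Kerberos authentication ticket events) intentionally not matched: REASON -->` would record it. If it is not, failed ticket requests on older domain controllers would no longer be tagged win_authentication_failed, which weakens password-guessing detection. The rules begin and end outside the hunk, so another rule may already cover these ids.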
@@ -103,7 +103,7 @@
18104
- ^612$|^643$|^4719$|^4907$|^4912$
+ ^612$|^643$|^4719$|^4907$|^4912$|^4719$
Windows Audit Policy changed.
policy_changed,
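Review bot: The added alternative `^4719$` is already in the list, so the new line `^612$|^643$|^4719$|^4907$|^4912$|^4719$` matches exactly what the old one did and the change has no effect. If a different id was intended, the likely candidate is `^4739$` (Domain Policy was changed, the newer counterpart of 643), though that is only a guess from the surrounding ids. Otherwise the line should stay as `^612$|^643$|^4719$|^4907$|^4912$`.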
@@ -143,7 +143,7 @@
18104
- ^517$
+ ^517$|^1102$
Windows audit log was cleared.
logs_cleared,
@@ -176,10 +176,10 @@
authentication_success,
-
+
18104
- ^646$|^647$
- Computer account changed/deleted.
+ ^646$|^645$|^647$|^4741$|^4742$|^4743$
+ Computer account added/changed/deleted.
account_changed,
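Review bot: Computer-account creation (`645`, `4741`) moves here from the "User account enabled or created" rule in the first hunk, and in doing so it loses the `adduser` group, because the visible group line for this rule is only `account_changed,`. Any active response, report or composite rule keyed on `adduser` will no longer see new machine accounts, which defenders often want to watch. Either set the group line to `adduser,account_changed,` or split creation (`^645$|^4741$`) into its own rule so that add, change and delete can be told apart. The rule's level and opening tag are outside the hunk, so confirm that the severity still suits account creation.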
@@ -267,21 +267,21 @@
18106
- ^539$
+ ^539$|^4625$
Logon Failure - Account locked out.
win_authentication_failed,
18105
- ^672$|^673$|^675$|^676$|^681$|^4769$
+ ^673$|^675$|^681$|^4769$
Windows DC Logon Failure.
win_authentication_failed,
18104
- ^520$
+ ^520$|^4616$
System time changed.
time_changed,
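Review bot: Event 4625 is the generic failed-logon event on Vista/2008 and later, not a lockout-specific one like 539, so `^539$|^4625$` will label every failed logon that reaches this rule as "Logon Failure - Account locked out". On those systems the lockout case is identified by the failure status in the event text (0xC0000234), so the 4625 match should be restricted to that status, or 4625 should be left to the generic logon-failure rule. Mislabelled lockouts can hide ordinary bad-password bursts from analysts and inflate lockout counts. Sibling rules are outside the hunk, so an earlier rule may already take 4625 before this one is evaluated.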
@@ -347,7 +347,7 @@
18104
- ^538$|^4634$|^4647$
+ ^538$|^551$|^4634$|^4647$
Windows User Logoff.
@@ -813,7 +813,7 @@
-->
18107,18149
- ^528$|^538$|^540$
+ ^528$|^538$|^540$|^4624$
^LOCAL SERVICE|^NETWORK SERVICE|^ANONYMOUS LOGON
Windows Logon Success (ignored).
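Review bot: The ignore list gains the new-style logon id but not the new-style logoff id: `538` is listed, yet its counterpart `4634` (present in the Windows User Logoff rule in the hunk at line 347) is not. Logoffs for LOCAL SERVICE, NETWORK SERVICE and ANONYMOUS LOGON on newer hosts will therefore still alert while the matching logons are suppressed. For consistency the line should read `^528$|^538$|^540$|^4624$|^4634$`. Separately, consider whether ANONYMOUS LOGON belongs in a blanket ignore for 4624, since anonymous network logons can be worth reviewing on servers that should not accept them.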