Informational events in security monitor

I am looking for the configuration method so that the VMS security monitor will display informational events in addition to low, med., and high events.
The documentation I have found explains what the informational event is, but I cannot find out how to enable it in security monitor.
Thanks!

It should display all events unless you have an event viewer filter. An event viewer filter can be configured for example to only show high severity events.
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/ch04.htm#wp322119

Similar Messages

  • How to display events of only one IPS in Security Monitor?

    Hello,
    I searched the forum with no result. I have CW 2.2 with IDSMC 2.1. I have two IPS and 2 IDSM-2 (4.x is in production / 5.x is in test) which have all four of their interfaces sniffing in different network segments. Now I am flooded by thousands of messages from the internet, with no possibility to concentrate my view on the events generated on only one special interface of a single IPS.
    To temporarily focus on only one interface of a single IPS, how can I filter the events in Security Monitor to display only the events of this device and a single interface?
    This would be extremely helpful for simulating attacks in a test environment with shunning/blocking. I have few possibilities to set up a second CW IDSMC on another machine. And after all, I would appreciate being able to focus (filter) in that way for later examining my network to tune signatures and events.
    Furthermore, on IEV 4.1 I was able to get a real-time dashboard showing 'real time' events. I did not see this functionality for IPS 5.x and IDSMC. How can I view real-time data there to see my network's reaction to simulated attacks?
    Any ideas how to display only the wanted data in Security Monitor?
    Thanks in advance, Gerhard

    As far as I know, you cannot display the events of only one IPS in Sec Mon.

  • Security Monitor Events display incorrect time

    I have a time issue between a 4240 sensor (5.0) and Security Monitor (2.1). The events in the sensor are correct but 7 hours off in Security Monitor, even though the VMS server understands the correct time (knows there are events in the last hour) but will not display them. After doing some research, it looks as though we needed to load CSCOids2.1.0-sol_SecMon_2_1_Service_Pack_1-6.tar, right? Well, I did, ran the perl script, and everything was successful. CiscoWorks shows the patch as being applied. Reloaded VMS and the sensor, and still I have what seems like a UTC problem (UTC offset always =0 yet time zone=arizona). Any suggestions?
    Thanks!

    Is the correct offset configured on the sensor?
    Execute "show conf" and verify the value for the timezone offset. Remember that this is in minutes and not hours. If the timezone difference is 7 hours then the value on the sensor should be 7 hours * 60 minutes = 420 minutes.
    Also use "show events" on the sensor to look at a few alerts on the sensor itself. It will report both the UTC/GMT time and the local time. Verify that the offset between the two is correct on the sensor. (Be sure to account for summertime/daylight saving time.)

  • Thousands of failed login 4625 events, corresponding with 1003 events from Security-SPP

    I've got a server running Server 2012 R2, it's got a few services and such, but lately there have been thousands of failed logins. They seem to happen every 30 minutes and there are about 10 or so at a time. I checked the application logs and there seem to be corresponding events from Security-SPP at the same times, event ID 1003, as well as a few different ones at random times. These are the details for the 4625 events:
    An account failed to log on.
    Subject:
        Security ID:        SYSTEM
        Account Name:        SERVER$
        Account Domain:        MYSERVER
        Logon ID:        0x3E7
    Logon Type:            3
    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        
        Account Domain:        
    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xC000006D
        Sub Status:        0xC0000064
    Process Information:
        Caller Process ID:    0x2c4
        Caller Process Name:    C:\Windows\System32\lsass.exe
    Network Information:
        Workstation Name:    SERVER
        Source Network Address:    -
        Source Port:        -
    Detailed Authentication Information:
        Logon Process:        Schannel
        Authentication Package:    Kerberos
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
    System
        Provider [Name]: Microsoft-Windows-Security-Auditing
        Provider [Guid]: {54849625-5478-4994-A5BA-3E3B0328C30D}
        EventID: 4625
        Version: 0
        Level: 0
        Task: 12544
        Opcode: 0
        Keywords: 0x8010000000000000
        TimeCreated [SystemTime]: 2014-10-08T15:39:27.023566500Z
        EventRecordID: 555922
        Correlation:
        Execution [ProcessID]: 708
        Execution [ThreadID]: 11356
        Channel: Security
        Computer: Server.MYSERVER.local
        Security:
    EventData
        SubjectUserSid: S-1-5-18
        SubjectUserName: SERVER$
        SubjectDomainName: MYSERVER
        SubjectLogonId: 0x3e7
        TargetUserSid: S-1-0-0
        TargetUserName:
        TargetDomainName:
        Status: 0xc000006d
        FailureReason: %%2313
        SubStatus: 0xc0000064
        LogonType: 3
        LogonProcessName: Schannel
        AuthenticationPackageName: Kerberos
        WorkstationName: SERVER
        TransmittedServices:
        LmPackageName:
        KeyLength: 0
        ProcessId: 0x2c4
        ProcessName: C:\Windows\System32\lsass.exe
        IpAddress:
        IpPort:
    And the 1003 events:
    System
        Provider [Name]: Microsoft-Windows-Security-SPP
        Provider [Guid]: {E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}
        Provider [EventSourceName]: Software Protection Platform Service
        EventID: 1003
        EventID [Qualifiers]: 16384
        Version: 0
        Level: 4
        Task: 0
        Opcode: 0
        Keywords: 0x80000000000000
        TimeCreated [SystemTime]: 2014-10-08T11:09:21.000000000Z
        EventRecordID: 7230
        Correlation:
        Execution [ProcessID]: 0
        Execution [ThreadID]: 0
        Channel: Application
        Computer: Server.MYSERVER.local
        Security:
    EventData
        55c92734-d682-4d71-983e-d6ec3f16059f
        1: e96022a1-3247-4125-9ddc-4c6068ab3bfc, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/hwid/4.0 0x00000000 0)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )]
    There are also a few 900, 902, 903 events. Any ideas what is happening? Everything seems to be running fine.

    Hi,
    The event 4625 indicates a computer account failed to log on. You could run the NLTEST /SC_RESET:domain-name command with administrative credentials to check the domain’s health.
    For more detailed information, please see:
    Audit Failure event ID 4625
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/audit-failure-event-id-4625?forum=winserversecurity
    You could also refer to the similar threads to troubleshoot the issue:
    numerous 4625 errors in the event log
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c6b0d058-98d0-4572-8a72-e18e353b04fd/numerous-4625-errors-in-the-event-log?forum=winserversecurity
    Many Audit Failure Event ID 4625
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/8f7ebcf5-2310-42c3-9b6a-20205a6c17ef/many-audit-failure-event-id-4625?forum=winserveressentials
    Best Regards,
    Mandy 
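
    Added example, not part of the original posts: a Python sketch for triaging exported 4625 records like the one quoted in the question. It decodes SubStatus and LogonType, checks whether every failure originated on the host itself, and tests whether the failures arrive in fixed-interval bursts, which suggests automation rather than someone typing passwords. The dict layout, the `Computer` and `TimeCreated` keys, and the sample events are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Subset of NTSTATUS codes that appear in 4625 Status/SubStatus fields.
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service", 10: "RemoteInteractive"}


def decode(event):
    """Translate the coded fields of one 4625 record (a dict of EventData values)."""
    sub = int(event["SubStatus"], 16)
    host = event["Computer"].split(".")[0].upper()
    return {
        "reason": NTSTATUS.get(sub, hex(sub)),
        "logon_type": LOGON_TYPES.get(int(event["LogonType"]), "Other"),
        # No source address plus the host's own name: the attempt started locally.
        "local_origin": event.get("IpAddress", "-") in ("", "-")
        and event["WorkstationName"].upper() == host,
    }


def bursts(times, gap=timedelta(minutes=2)):
    """Group timestamps into bursts separated by more than `gap`."""
    groups = []
    for t in sorted(times):
        if groups and t - groups[-1][-1] <= gap:
            groups[-1].append(t)
        else:
            groups.append([t])
    return groups


def cadence(times, tolerance=timedelta(minutes=1)):
    """Return the mean interval between bursts if it is regular, else None."""
    starts = [g[0] for g in bursts(times)]
    if len(starts) < 3:
        return None
    deltas = [b - a for a, b in zip(starts, starts[1:])]
    if max(deltas) - min(deltas) > tolerance:
        return None
    return sum(deltas, timedelta()) / len(deltas)


def summarize(events):
    """Roll a list of 4625 records up into the facts a responder checks first."""
    decoded = [decode(e) for e in events]
    return {
        "count": len(events),
        "reasons": Counter(d["reason"] for d in decoded),
        "all_local": all(d["local_origin"] for d in decoded),
        "cadence": cadence([e["TimeCreated"] for e in events]),
    }


def sample_events():
    """Constructed data: four bursts of ten failures, 30 minutes apart."""
    base = datetime(2014, 10, 8, 14, 9, 27)
    fields = {"SubStatus": "0xc0000064", "LogonType": "3", "IpAddress": "-",
              "WorkstationName": "SERVER", "Computer": "Server.MYSERVER.local"}
    return [dict(fields, TimeCreated=base + timedelta(minutes=30 * b, seconds=s))
            for b in range(4) for s in range(10)]
```

    Calling `summarize(sample_events())` on the constructed data reports 40 failures, all STATUS_NO_SUCH_USER, all of local origin, with a 30-minute cadence.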

  • Hi, could someone tell me why I have paid two times today when I updated my credit card information for security reasons? I wanted to download a FREE app from the App Store and I was invited to update the CC info in my Apple account. 2x1.89EUROS!!!

    At first I have received this email:
    ===================================
    Hello,
    The following information for your Apple ID was updated on 09/09/2011:
    Shipping and/or billing address
    Phone number(s)
    If these changes were made in error, or if you believe an unauthorized person accessed your account, please reset your account password immediately by going to iforgot.apple.com.
    To review and update your security settings, sign in to appleid.apple.com.
    This is an automated message. Please do not reply to this email. If you need additional help, visit Apple Support.
    Thanks,
    Apple Customer Support
    =================================
    Then I wanted to download a FREE application from the App Store and I was invited to confirm my credit card information for security reasons. When I had done it, it automatically withdrew 1.89 EUROS from my credit card!! Today two times!!! WHY????
    Thank you

    Thank you  friend for info

  • Information on Business Process Monitoring

    Hello experts,
    I want to know if there is a way to monitor spool jobs in business process monitoring or other tool? I assume that I can monitor background jobs with BPMon but I don't find where I can monitor the content of the spool generated by the job?
    I read also that job management can monitor jobs, but for the task "monitoring", it refers to BPMon.
    Can you please tell me if I can do it? because I read in some doc that it is possible but no way to find how.
    Thank you in advance for your help.
    BR,
    Mohamed BOUSSAID

    Hello Mohamed,
    the job monitoring does not allow the monitoring of a spool file as it is an unstructured TemSe file. If you have important information to monitor you should write it into the job log and classify it via message class, message type and message number. Such structured information can be easily monitored via BPMon.
    Monitoring the content of an unstructured spool file, which can easily reach several MB, is too performance expensive and hence not supported.
    Best Regards
    Volker

  • CCMS information into the solution monitoring

    Hi, All
    In Solution Manager 4.0 I created an RFC connection using SMSY. In the R3 system, CCMS alerts (auto-reaction method) have been defined and I am getting alert e-mails...
    My question is: how do I pull the CCMS information into the solution monitoring component?
    Can anyone tell me the step-by-step procedure?
    Thanks

    Thanks...
    I tried that but it show me that screen shot...
    basically earlywatch report is fine....
    you can check this url please
    http://www.flickr.com/photos/25222280@N03/2545315527/sizes/o/
    thanks

  • 7600 w/ G3 use for security monitor

    I have a 7600 with A/V In/Outs, Sonnet G3 card, spare scsi card and lg HD. I would like to use this system as a security monitor; how can I convert it? Thank you in advance

    smart friendly,
    This is an easy one. Take a digital camera with a yellow av out plug, plug it into the video in port, open up Apple Video player and click on the camera. Turn the digital camera on and the viewfinder becomes a low res video camera. The camera is the lens and the hard drive becomes your tape. Fun to play with. Try it.
    As for long term taping as a security monitor? A standard vcr still works best. Just found surveillance cameras for $25 at my favorite electric surplus supply shop. Find someone who is upgrading their system and pick up the outdated stuff cheap.
    Jim

  • Windows 2008 R2, Internet Information Services: Changing security settings to change a folder's content by using PHP

    Hello,
    I would like to ask if somebody's there who could help me:
    I am a PHP developer from Stuttgart, Germany.
    In my PHP web application I want to edit text files by using PHP code.
    These files are created once (by me), so they exist before the PHP application is used by any web user.
    My PHP code reads out some text files and other text files' contents are changed.
    In my developer's environment (Windows XP, XAMPP) it works fine.
    So I'm sure my code is OK.
    But the productive system is a Windows server system (Windows 2008 R2 and Internet Information Services).
    And here it doesn't work! The text files' contents aren't changed.
    I know on Windows-based webserver systems I have to change the folders' security settings
    (what I mean: the folders where the text files are placed). I must give the IIS system user (in the past its name was IUSR..., now it is named otherwise) additional rights, so that it can change the folders' content.
    I did. But it doesn't work.
    Some years ago when we used Windows Server 2003 that was the solution that worked.
    Giving the IUSR right to change folders content. That was it.
    But what is new in Windows Server 2008 that it doesn't work?
    I think it must be very complicated. Could somebody help me?
    Thanks
    Tommy

    Hi,
    This is IIS related issue, so you may post in the IIS forum.
    And it seems that you have already posted there; please follow it up to get further assistance
    http://forums.iis.net/t/1208164.aspx?Windows+2008+R2+Internet+Information+Services+Changing+security+settings+to+change+a+folder+s+content+by+using+PHP
    Regards,
    Yan Li

  • ArchSentrix - remote security monitoring solution

    What  ArchSentrix is.
    A free software based platform for remote security monitoring enabling the integration of video surveillance with networking and telephone technology.
    Built on Arch Linux, a lightweight and flexible i686 optimized linux distribution.
    Video monitoring, recording, motion detection and remote access is handled by ZoneMinder, an integrated set of applications built on LAMP.
    Telephone capabilities are provided by Asterisk, allowing use of both voip and analog (POTS) technology.
    A livecd / liveusb installer solution that can be customized endlessly to suit the needs of users or their clients.
    Post-installation configuration, maintenance, and user access can preferably be done remotely using a web browser interface. However, a lightweight graphical desktop user environment is provided, making the system self-contained if needed.
    http://www.ctu-web.com/archsentrix/
    http://www.ctu-web.com/archsentrix/iso/ … .1.iso.md5
    http://www.ctu-web.com/archsentrix/iso/ … ix-0.1.iso

    Does ZoneMinder work with IP cameras?
    Yes indeed. Axis cameras are very well supported, including PTZ features.

  • Warning Event ID 6006 & 6005 and Information Event ID 6000 & 6003

    Hi,
    Would greatly appreciate if someone can advise me on the following warning & info event id I keep getting:
    I am running two AD (Std 2012) on two hyperv servers.  Noticed the events but I am able to join the domain and log in to AD on other member servers.  What could be the cause?
    Event ID 6006
    The winlogon subscriber <GP Client> took 67 seconds to handle the notification event (CreateSession).
    Event ID 6005
    The winlogon notification subscriber <GP Client> is taking long time to handle the notification event (CreateSession).
    Event ID 6000
    The winlogon notification subscriber <AUINstallerAgent> was unavailable to handle a notification event. 
    The winlogon notification subscriber <SessionEnv> was unavailable to handle a notification event.  
    Event ID 6003
    The winlogon notification subscriber <AUInstallAgent> was unavailable to handle a critical notification event. 
    The winlogon notification subscriber <SessionEnv> was unavailable to handle a critical notification event.  

    Hi Shannlms,
    Would you please let us know the current situation of this issue?
    Regarding those events, please refer to the following threads and check if they can help you.
    Event ID 6000 — Windows Logon Availability
    Event ID 6003 — Windows Logon Availability
    Event ID: 6005 Source: Winlogon
    Event ID: 6006 Source: Microsoft-Windows-Winlogon
    In addition, would you please let me confirm whether there are some logon scripts applied to the server? Please check again. Thanks for your understanding.
    On Windows Server 2012 Standard, please run the sfc /scannow command to scan all protected system files. Meanwhile, please start the server in safe mode and check if this issue still persists.
    If any update, please feel free to let us know.
    Hope this helps.
    Best regards,
    Justin Gu

  • I would like to find out more information about certain security updates before I apply it.

    In the Software Update window, it said "For information on the security content of this update, please visit this website: http://support.apple.com/kb/HT1222".
    I went to that website and there is no information about this update.  It just shows the general info about all updates ....

    Scroll down the page to the table, select the relevant update and click the blue text in the left column to be taken to  the page with specific info for that update.

  • Wait events and locks monitoring /resolving scripts

    Looking for wait events and locks monitoring /resolving scripts /tips.

    Hi,
    "Looking for wait events and locks monitoring /resolving scripts"
    Here is the collection of monitoring scripts that I use, and it has dozens of scripts for locking:
    http://www.oracle-script.com
    For one-off scripts, here is a script by Laurent Baylac to show locks in Oracle 10g:
    http://www.dba-village.com/village/dvp_scripts.ScriptDetails?ScriptIdA=3508
    SET LINESIZE 500
    SET PAGESIZE 1000
    COLUMN username FORMAT A15
    COLUMN machine FORMAT A25
    COLUMN logon_time FORMAT A20
    SELECT LPAD(' ', (level-1)*2, ' ') || NVL(s.username, '(oracle)') AS username,
    s.osuser,
    s.sid,
    s.serial#,
    s.lockwait,
    s.status,
    s.module,
    s.machine,
    s.program,
    TO_CHAR(s.logon_Time,'DD-MON-YYYY HH24:MI:SS') AS logon_time
    FROM v$session s
    CONNECT BY PRIOR s.sid = s.blocking_session
    START WITH s.blocking_session IS NULL;
    SET PAGESIZE 14
    -- Search for locked objects
    -- To be executed under the SYSTEM account
    -- Compatible with Oracle10.1.x and higher
    select
    distinct to_name object_locked
    from
    v$object_dependency
    where
    to_address in
    (
    select /*+ ordered */
    w.kgllkhdl address
    from
    dba_kgllock w,
    dba_kgllock h,
    v$session w1,
    v$session h1
    where
    (((h.kgllkmod != 0) and (h.kgllkmod != 1)
    and ((h.kgllkreq = 0) or (h.kgllkreq = 1)))
    and
    (((w.kgllkmod = 0) or (w.kgllkmod= 1))
    and ((w.kgllkreq != 0) and (w.kgllkreq != 1))))
    and w.kgllktype = h.kgllktype
    and w.kgllkhdl = h.kgllkhdl
    and w.kgllkuse = w1.saddr
    and h.kgllkuse = h1.saddr
    );
    Don Burleson
    Oracle Press author

  • In vms 2.3 with security monitor 2.2 all signature is showing as false

    Hi,
    We have a Cisco IPS 4255 with IPS version 5.1.1 and the latest signatures. The IPS is connected in promiscuous mode, and we are seeing all the signatures as false in Security Monitor 2.2. Please help me overcome this problem.
    Regards,
    Ram

    Where are you seeing this? What does it mean by saying that a signature is "false"? Are you referring to false positives that the signatures fire?

  • CiscoWorks VMS Security Monitor completed reports fail to email

    Windows Server 2000
    VMS 2.2
    SecMon 2.2
    We periodically have an issue with CiscoWorks VMS Security Monitor Reporting where VMS will stop emailing completed reports. In the past when we reboot the server the email which has been queued up somewhere all gets delivered and the email delivery will work for a few months until it stops again. We rebooted the server this time and the completed reports emails are still not being delivered.
    When I test email functionality from the Windows command prompt with blat I can send email from the system through the mail server to my email address. All of the CiscoWorks processes are running without errors.
    Where else can I look to troubleshoot this issue?
    Thanks in advance

    There might be a problem in contacting the mail server configured in SecMon.
    See this URL for Configuring the E-mail Notifications with Scripts for IDS Alerts Using CiscoWorks Monitoring Center for Security:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#maintask1
