MEF agent changes event subtype 'failure' into 'success'

Using the MEF agent (latest version WindowsEventCollectorInstaller_x86_9.13.27208.420) we have noticed that the event 'Kerberos pre-authentication failed' is changed from failure into success by the MEF agent.

When we look in the Windows event log we see subtype failure, and when we add the Windows server using WMI, we get the subtype ok ('failure'). When we use MEF, it gets changed into 'success' and the correlation rules are therefore not triggered.

The previous version of the MEF had the same problem.

Has anyone had similar experience or a solution?

Regards,

Michiel

Message was edited by: michiel on 1/23/14 7:01:44 AM CST
3 Replies

Re: MEF agent changes event subtype 'failure' into 'success'

Michiel,

This may not be the solution, but there is actually a version 10.00.28204.761 of the MFE SIEM collector. We were told by McAfee Support to use it for getting logs from some Windows servers. We did not have a data integrity problem but could not even parse the data.

John

Re: MEF agent changes event subtype 'failure' into 'success'

Thanks John,

I'll try to get hold of it and try it anyway.

Michiel

Re: MEF agent changes event subtype 'failure' into 'success'

I have installed MEF version 10.00.28204.761. This version gives the same results:

(Event export; the columns that could be recovered from the flattened table.)

FirstTime            LastTime             Description                          Action   SrcIP  SrcPort  DstIP  App              UsrSrc
2014/02/03 16:35:35  2014/02/03 16:35:35  Kerberos pre-authentication failed.  failure  xxxx   49483    xxx    krbtgt/ad        xxxx
2014/02/03 16:19:56  2014/02/03 16:19:56  Kerberos pre-authentication failed.  success  xxxx   59906    xxxx   krbtgt/ad.local  xxx
2014/02/03 13:25:53  2014/02/03 13:25:53  Kerberos pre-authentication failed.  failure  xxxx   60652    xxxx   krbtgt/ad        xxx
2014/02/03 12:45:29  2014/02/03 12:45:29  Kerberos pre-authentication failed.  failure  xxxx   45235    xxxx   krbtgt/ad.local  xxxx

In all rows DstPort is port/code:0, Protocol is HOPOPT, Host is xxxx and Domain is ad.local; the first three rows also carry Command "pre-authentication information was invalid" and HostID ms-dro-dc01.ad.local (the fourth row is cut off in the original).

Does anyone have experience with possible alternatives to the MEF agent?

Kind regards,

Michiel
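An added consistency check (my own example, not code from this thread or from McAfee) for the problem the export above shows: it flags rows whose Action contradicts the outcome implied by the Description, and counts pre-auth failures per user both the way a rule keyed on Action would see them and the way the Description implies. The TSV rows are constructed to mirror the export, with the redacted IPs kept as xxxx and hypothetical user names.

```python
import csv
import io
from collections import Counter

# Constructed sample export, modelled on a subset of the ESM event columns.
# IPs are redacted as in the post; user names are hypothetical.
SAMPLE_TSV = """FirstTime\tDescription\tAction\tSrcIP\tUsrSrc\tDomain
2014/02/03 16:35:35\tKerberos pre-authentication failed.\tfailure\txxxx\tjdoe\tad.local
2014/02/03 16:19:56\tKerberos pre-authentication failed.\tsuccess\txxxx\tjdoe\tad.local
2014/02/03 13:25:53\tKerberos pre-authentication failed.\tfailure\txxxx\tjdoe\tad.local
2014/02/03 12:45:29\tKerberos pre-authentication failed.\tfailure\txxxx\tjdoe\tad.local
2014/02/03 12:40:00\tAn account was successfully logged on.\tsuccess\txxxx\tasmith\tad.local
"""

# Descriptions whose outcome is fixed by the event itself, whatever the
# collector wrote into Action. Matched case-insensitively as substrings.
KNOWN_OUTCOMES = {
    "pre-authentication failed": "failure",
    "successfully logged on": "success",
}

def parse_events(tsv_text):
    """Parse a tab-separated export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))

def expected_outcome(description):
    """Outcome implied by the description, or None if the event is not known."""
    text = description.lower()
    for needle, outcome in KNOWN_OUTCOMES.items():
        if needle in text:
            return outcome
    return None

def find_mismatches(events):
    """Rows whose Action disagrees with the outcome implied by Description."""
    return [ev for ev in events
            if expected_outcome(ev["Description"]) not in (None, ev["Action"].lower())]

def preauth_failures_per_user(events, trust_action=True):
    """Count Kerberos pre-auth failures per user. With trust_action=True the
    count relies on Action (what a rule keyed on the subtype sees); with
    False it relies on the Description, so mis-typed rows still count."""
    counts = Counter()
    for ev in events:
        if "pre-authentication failed" not in ev["Description"].lower():
            continue
        outcome = ev["Action"].lower() if trust_action else expected_outcome(ev["Description"])
        if outcome == "failure":
            counts[ev["UsrSrc"]] += 1
    return counts
```

Running the two counts side by side shows the under-count a threshold rule on Action suffers when the collector flips the subtype.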