3 Replies Latest reply on Feb 3, 2014 9:44 AM by michiel

    MEF agent changes event subtype 'failure' into 'success'

    michiel

      Using the MEF agent (latest version WindowsEventCollectorInstaller_x86_9.13.27208.420) we have noticed that the event 'Kerberos pre-authentication failed' is changed from failure into success by the MEF agent.

      When we look in the Windows event log we see subtype failure, and when we add the Windows server using WMI, we get the subtype ok ('failure'). When we use MEF, it gets changed into 'success' and the correlation rules are therefore not triggered.

      The previous version of the MEF had the same problem.

      Has anyone had similar experience or a solution?

      Regards,

      Michiel

      Message was edited by: michiel on 1/23/14 7:01:44 AM CST
        • 1. Re: MEF agent changes event subtype 'failure' into 'success'
          JohnStark

          Michiel,

          This may not be the solution, but there is actually a version 10.00.28204.761 of the MFE SIEM collector. We were told by McAfee Support to use it for getting logs from some Windows servers. We did not have a data integrity problem but could not even parse the data.

          John

          • 2. Re: MEF agent changes event subtype 'failure' into 'success'
            michielm

            Thanks John,

            I'll try to get hold of it and try it anyway.


            Michiel

            • 3. Re: MEF agent changes event subtype 'failure' into 'success'
              michiel

              I have installed MEF version 10.00.28204.761. This version gives the same results:

              FirstTime            LastTime             Count/Sev/SigID  Description                          Action   SrcPort  App              Command
              2014/02/03 16:35:35  2014/02/03 16:35:35  15343-263047710  Kerberos pre-authentication failed.  failure  49483    krbtgt/ad        pre-authentication information was invalid
              2014/02/03 16:19:56  2014/02/03 16:19:56  15343-263047710  Kerberos pre-authentication failed.  success  59906    krbtgt/ad.local  pre-authentication information was invalid
              2014/02/03 13:25:53  2014/02/03 13:25:53  15343-263047710  Kerberos pre-authentication failed.  failure  60652    krbtgt/ad        pre-authentication information was invalid
              2014/02/03 12:45:29  2014/02/03 12:45:29  15343-263047710  Kerberos pre-authentication failed.  failure  45235    krbtgt/ad.local  (row cut off in the original)

              (The export ran all columns together and IPs and account names were masked with xxxx by the poster. Fields identical in every row: SrcMac and DstMac 00:00:00:00:00:00, DstPort port/code:0, Protocol HOPOPT, VLAN/NormID 0409223168, Domain ad.local, HostID ms-dro-dc01.ad.local, AppID equal to App, CommandID equal to Command, Agg values 0.00000000000000E+000.)

               

              Has anyone experience with possible alternatives of the MEF agent?

              Kind regards,


              Michiel
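As an added sanity check (not code from the thread or from McAfee), the script below scans an ESM event export for rows whose description or command text says the event failed while the normalized Action column says 'success', which is the symptom shown in the table above. It assumes a tab-separated export with the header names from the thread and runs on constructed sample rows modelled on those events.

```python
"""Flag SIEM rows whose text describes a failure but whose normalized
Action is 'success' (added example; assumes a tab-separated ESM export)."""
import csv
import io

# Constructed sample mirroring the thread's rows (columns reduced): same
# event text, but one row normalized as 'success' instead of 'failure'.
SAMPLE_EXPORT = """\
FirstTime\tDescription\tAction\tSrcPort\tCommand
2014/02/03 16:35:35\tKerberos pre-authentication failed.\tfailure\t49483\tpre-authentication information was invalid
2014/02/03 16:19:56\tKerberos pre-authentication failed.\tsuccess\t59906\tpre-authentication information was invalid
2014/02/03 13:25:53\tKerberos pre-authentication failed.\tfailure\t60652\tpre-authentication information was invalid
"""

# Words in Description/Command that mark the source event as a failure.
FAILURE_WORDS = ("failed", "failure", "invalid", "denied")


def looks_like_failure(row):
    """True when the event's own text clearly describes a failure."""
    text = (row.get("Description", "") + " " + row.get("Command", "")).lower()
    return any(word in text for word in FAILURE_WORDS)


def find_misnormalized(export_text):
    """Return rows whose text is a failure but whose Action is 'success'."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter="\t")
    return [r for r in reader
            if looks_like_failure(r) and r.get("Action", "").lower() == "success"]


def action_counts_by_description(export_text):
    """Per Description, count each Action value; a failure event that shows
    both 'failure' and 'success' indicates inconsistent normalization."""
    counts = {}
    for r in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        per_desc = counts.setdefault(r["Description"], {})
        per_desc[r["Action"]] = per_desc.get(r["Action"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in find_misnormalized(SAMPLE_EXPORT):
        print("mis-normalized:", r["FirstTime"], r["Description"], "->", r["Action"])
    print(action_counts_by_description(SAMPLE_EXPORT))
```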