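- -- Re-register plugin 22000 ("Wazuh"): remove any earlier copy of the plugin and
- -- its SID rows, then insert the plugin row. The per-rule SID rows are loaded by
- -- the INSERT statement that follows.
- -- Child rows (plugin_sid) are deleted before the parent so the parent delete
- -- cannot be blocked if plugin_sid.plugin_id carries a foreign key
- -- (schema not shown here; confirm).
- -- The id is compared as a number, matching the literal the INSERTs use.
- DELETE FROM plugin_sid WHERE plugin_id = 22000;
- DELETE FROM plugin WHERE id = 22000;
- -- NOTE(review): INSERT IGNORE (MySQL/MariaDB) downgrades errors such as a
- -- duplicate key to warnings, so a rejected row is skipped silently. After
- -- loading, check warnings and row counts; a missing SID row means that rule's
- -- events have no name/priority mapping.
- -- NOTE(review): the string literals are double-quoted, which is parsed as an
- -- identifier when sql_mode includes ANSI_QUOTES; run with the default mode or
- -- switch the whole script to single quotes.
- INSERT IGNORE INTO plugin (id, type, name, description) VALUES (22000, 1, "Wazuh", "Wazuh host and endpoint security");
- -- NOTE(review): every SID row visible in the statement below is registered with
- -- reliability 1 and priority 1, so sid 513 ("Windows malware detected") and
- -- sid 5712 ("sshd: brute force ...") rank the same as informational rules.
- -- If alerting or risk scoring is derived from these columns (presumably;
- -- confirm against the consuming system), tune them per rule.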
- INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, subcategory_id, class_id, reliability, priority, name) VALUES
- (22000, 1, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all syslog rules."),
- (22000, 2, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all firewall rules."),
- (22000, 3, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all ids rules."),
- (22000, 4, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all web rules."),
- (22000, 5, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all web proxy rules."),
- (22000, 6, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all windows rules."),
- (22000, 7, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all ossec rules."),
- (22000, 500, 15, 173, NULL, 1, 1, "Wazuh - Grouping of ossec rules."),
- (22000, 501, 15, 173, NULL, 1, 1, "Wazuh - New ossec agent connected."),
- (22000, 502, 15, 173, NULL, 1, 1, "Wazuh - Ossec server started."),
- (22000, 503, 15, 173, NULL, 1, 1, "Wazuh - Ossec agent started."),
- (22000, 504, 15, 173, NULL, 1, 1, "Wazuh - Ossec agent disconnected."),
- (22000, 509, 15, 173, NULL, 1, 1, "Wazuh - Rootcheck event."),
- (22000, 510, 15, 173, NULL, 1, 1, "Wazuh - Host-based anomaly detection event (rootcheck)."),
- (22000, 511, 15, 173, NULL, 1, 1, "Wazuh - Ignored common NTFS ADS entries."),
- (22000, 512, 15, 173, NULL, 1, 1, "Wazuh - Windows Audit event."),
- (22000, 513, 15, 173, NULL, 1, 1, "Wazuh - Windows malware detected."),
- (22000, 514, 15, 173, NULL, 1, 1, "Wazuh - Windows application monitor event."),
- (22000, 515, 15, 173, NULL, 1, 1, "Wazuh - Ignoring rootcheck/syscheck scan messages."),
- (22000, 516, 15, 173, NULL, 1, 1, "Wazuh - System Audit event."),
- (22000, 518, 15, 173, NULL, 1, 1, "Wazuh - Windows Adware/Spyware application found."),
- (22000, 519, 15, 173, NULL, 1, 1, "Wazuh - System Audit: Vulnerable web application found."),
- (22000, 520, 15, 173, NULL, 1, 1, "Wazuh - Trying to add an agent with duplicated IP."),
- (22000, 530, 15, 173, NULL, 1, 1, "Wazuh - OSSEC process monitoring rules."),
- (22000, 531, 15, 173, NULL, 1, 1, "Wazuh - Partition usage reached 100% (disk space monitor)."),
- (22000, 532, 15, 173, NULL, 1, 1, "Wazuh - Ignoring external medias."),
- (22000, 533, 15, 173, NULL, 1, 1, "Wazuh - Listened ports status (netstat) changed (new port opened or closed)."),
- (22000, 534, 15, 173, NULL, 1, 1, "Wazuh - List of logged in users. It will not be alerted by default."),
- (22000, 535, 15, 173, NULL, 1, 1, "Wazuh - List of the last logged in users."),
- (22000, 550, 15, 173, NULL, 1, 1, "Wazuh - Integrity checksum changed."),
- (22000, 551, 15, 173, NULL, 1, 1, "Wazuh - Integrity checksum changed again (2nd time)."),
- (22000, 552, 15, 173, NULL, 1, 1, "Wazuh - Integrity checksum changed again (3rd time)."),
- (22000, 553, 15, 173, NULL, 1, 1, "Wazuh - File deleted. Unable to retrieve checksum."),
- (22000, 554, 15, 173, NULL, 1, 1, "Wazuh - File added to the system."),
- (22000, 555, 15, 173, NULL, 1, 1, "Wazuh - Integrity checksum for agentless device changed."),
- (22000, 580, 15, 173, NULL, 1, 1, "Wazuh - Host information changed."),
- (22000, 581, 15, 173, NULL, 1, 1, "Wazuh - Host information added."),
- (22000, 591, 15, 173, NULL, 1, 1, "Wazuh - Log file rotated."),
- (22000, 592, 15, 173, NULL, 1, 1, "Wazuh - Log file size reduced."),
- (22000, 593, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Event log cleared."),
- (22000, 594, 15, 173, NULL, 1, 1, "Wazuh - Registry Integrity Checksum Changed"),
- (22000, 595, 15, 173, NULL, 1, 1, "Wazuh - Registry Integrity Checksum Changed Again (2nd time)"),
- (22000, 596, 15, 173, NULL, 1, 1, "Wazuh - Registry Integrity Checksum Changed Again (3rd time)"),
- (22000, 597, 15, 173, NULL, 1, 1, "Wazuh - Registry Entry Deleted. Unable to Retrieve Checksum"),
- (22000, 598, 15, 173, NULL, 1, 1, "Wazuh - Registry Entry Added to the System"),
- (22000, 600, 15, 173, NULL, 1, 1, "Wazuh - Active Response Messages Grouped"),
- (22000, 601, 15, 173, NULL, 1, 1, "Wazuh - Host Blocked by firewall-drop.sh Active Response"),
- (22000, 602, 15, 173, NULL, 1, 1, "Wazuh - Host Unblocked by firewall-drop.sh Active Response"),
- (22000, 603, 15, 173, NULL, 1, 1, "Wazuh - Host Blocked by host-deny.sh Active Response"),
- (22000, 604, 15, 173, NULL, 1, 1, "Wazuh - Host Unblocked by host-deny.sh Active Response"),
- (22000, 605, 15, 173, NULL, 1, 1, "Wazuh - Host Blocked by $(script) Active Response"),
- (22000, 606, 15, 173, NULL, 1, 1, "Wazuh - Host Unblocked by $(script) Active Response"),
- (22000, 607, 15, 173, NULL, 1, 1, "Wazuh - Active response: $(script) - $(type)"),
- (22000, 700, 15, 173, NULL, 1, 1, "Wazuh - Logcollector Messages Grouped"),
- (22000, 701, 15, 173, NULL, 1, 1, "Wazuh - Ignore informational messages (usually at startup)"),
- (22000, 200, 15, 173, NULL, 1, 1, "Wazuh - Grouping of wazuh rules."),
- (22000, 201, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue rule"),
- (22000, 202, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue is $(level) full."),
- (22000, 203, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue is full. Events may be lost."),
- (22000, 204, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue is flooded. Check the agent configuration."),
- (22000, 205, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue is back to normal load."),
- (22000, 1001, 15, 173, NULL, 1, 1, "Wazuh - File missing. Root access unrestricted."),
- (22000, 1002, 15, 173, NULL, 1, 1, "Wazuh - Unknown problem somewhere in the system."),
- (22000, 1003, 15, 173, NULL, 1, 1, "Wazuh - Non standard syslog message (size too large)."),
- (22000, 1004, 15, 173, NULL, 1, 1, "Wazuh - Syslogd exiting (logging stopped)."),
- (22000, 1005, 15, 173, NULL, 1, 1, "Wazuh - Syslogd restarted."),
- (22000, 1006, 15, 173, NULL, 1, 1, "Wazuh - Syslogd restarted."),
- (22000, 1007, 15, 173, NULL, 1, 1, "Wazuh - File system full."),
- (22000, 1008, 15, 173, NULL, 1, 1, "Wazuh - Process exiting (killed)."),
- (22000, 1009, 15, 173, NULL, 1, 1, "Wazuh - Ignoring known false positives on rule 1002.."),
- (22000, 2100, 15, 173, NULL, 1, 1, "Wazuh - NFS rules grouped."),
- (22000, 2101, 15, 173, NULL, 1, 1, "Wazuh - Unable to mount the NFS share."),
- (22000, 2102, 15, 173, NULL, 1, 1, "Wazuh - Unable to mount the NFS directory."),
- (22000, 2103, 15, 173, NULL, 1, 1, "Wazuh - Unable to mount the NFS directory."),
- (22000, 2104, 15, 173, NULL, 1, 1, "Wazuh - Automount informative message"),
- (22000, 2301, 15, 173, NULL, 1, 1, "Wazuh - xinetd: Excessive number connections to a service."),
- (22000, 2501, 15, 173, NULL, 1, 1, "Wazuh - syslog: User authentication failure."),
- (22000, 2502, 15, 173, NULL, 1, 1, "Wazuh - syslog: User missed the password more than one time"),
- (22000, 2503, 15, 173, NULL, 1, 1, "Wazuh - syslog: Connection blocked by Tcp Wrappers."),
- (22000, 2504, 15, 173, NULL, 1, 1, "Wazuh - syslog: Illegal root login. "),
- (22000, 2505, 15, 173, NULL, 1, 1, "Wazuh - syslog: Physical root login."),
- (22000, 2506, 15, 173, NULL, 1, 1, "Wazuh - syslog: Pop3 Authentication passed."),
- (22000, 2507, 15, 173, NULL, 1, 1, "Wazuh - OpenLDAP group."),
- (22000, 2508, 15, 173, NULL, 1, 1, "Wazuh - OpenLDAP connection open."),
- (22000, 2509, 15, 173, NULL, 1, 1, "Wazuh - OpenLDAP authentication failed."),
- (22000, 2550, 15, 173, NULL, 1, 1, "Wazuh - rshd messages grouped."),
- (22000, 2551, 15, 173, NULL, 1, 1, "Wazuh - Connection to rshd from unprivileged port. Possible network scan."),
- (22000, 2701, 15, 173, NULL, 1, 1, "Wazuh - Ignoring procmail messages."),
- (22000, 2800, 15, 173, NULL, 1, 1, "Wazuh - Pre-match rule for smartd."),
- (22000, 2801, 15, 173, NULL, 1, 1, "Wazuh - Smartd Started but not configured"),
- (22000, 2802, 15, 173, NULL, 1, 1, "Wazuh - Smartd configuration problem"),
- (22000, 2803, 15, 173, NULL, 1, 1, "Wazuh - Device configured but not available to Smartd"),
- (22000, 5100, 15, 173, NULL, 1, 1, "Wazuh - Pre-match rule for kernel messages"),
- (22000, 5101, 15, 173, NULL, 1, 1, "Wazuh - Informative message from the kernel."),
- (22000, 5102, 15, 173, NULL, 1, 1, "Wazuh - Informative message from the kernel"),
- (22000, 5103, 15, 173, NULL, 1, 1, "Wazuh - Error message from the kernel. Ping of death attack."),
- (22000, 5104, 15, 173, NULL, 1, 1, "Wazuh - Interface entered in promiscuous(sniffing) mode."),
- (22000, 5105, 15, 173, NULL, 1, 1, "Wazuh - Invalid request to /dev/fd0 (bug on the kernel)."),
- (22000, 5106, 15, 173, NULL, 1, 1, "Wazuh - NFS incompability between Linux and Solaris."),
- (22000, 5107, 15, 173, NULL, 1, 1, "Wazuh - NFS incompability between Linux and Solaris."),
- (22000, 5108, 15, 173, NULL, 1, 1, "Wazuh - System running out of memory. Availability of the system is in risk."),
- (22000, 5109, 15, 173, NULL, 1, 1, "Wazuh - Kernel Input/Output error"),
- (22000, 5110, 15, 173, NULL, 1, 1, "Wazuh - IRC misconfiguration"),
- (22000, 5111, 15, 173, NULL, 1, 1, "Wazuh - Kernel device error."),
- (22000, 5112, 15, 173, NULL, 1, 1, "Wazuh - Kernel usbhid probe error (ignored)."),
- (22000, 5113, 15, 173, NULL, 1, 1, "Wazuh - System is shutting down."),
- (22000, 5130, 15, 173, NULL, 1, 1, "Wazuh - Monitor ADSL line is down."),
- (22000, 5131, 15, 173, NULL, 1, 1, "Wazuh - Monitor ADSL line is up."),
- (22000, 5200, 15, 173, NULL, 1, 1, "Wazuh - Ignoring hpiod for producing useless logs."),
- (22000, 2830, 15, 173, NULL, 1, 1, "Wazuh - Crontab rule group."),
- (22000, 2831, 15, 173, NULL, 1, 1, "Wazuh - Wrong crond configuration"),
- (22000, 2834, 15, 173, NULL, 1, 1, "Wazuh - Crontab opened for editing."),
- (22000, 2832, 15, 173, NULL, 1, 1, "Wazuh - Crontab entry changed."),
- (22000, 2833, 15, 173, NULL, 1, 1, "Wazuh - Root's crontab entry changed."),
- (22000, 5300, 15, 173, NULL, 1, 1, "Wazuh - Initial grouping for su messages."),
- (22000, 5301, 15, 173, NULL, 1, 1, "Wazuh - User missed the password to change UID (user id)."),
- (22000, 5302, 15, 173, NULL, 1, 1, "Wazuh - User missed the password to change UID to root."),
- (22000, 5303, 15, 173, NULL, 1, 1, "Wazuh - User successfully changed UID to root."),
- (22000, 5304, 15, 173, NULL, 1, 1, "Wazuh - User successfully changed UID."),
- (22000, 5305, 15, 173, NULL, 1, 1, "Wazuh - First time (su) is executed by user."),
- (22000, 5306, 15, 173, NULL, 1, 1, "Wazuh - A user has attempted to su to an unknown class."),
- (22000, 7101, 15, 173, NULL, 1, 1, "Wazuh - Problems with the tripwire checking"),
- (22000, 5901, 15, 173, NULL, 1, 1, "Wazuh - New group added to the system"),
- (22000, 5902, 15, 173, NULL, 1, 1, "Wazuh - New user added to the system"),
- (22000, 5903, 15, 173, NULL, 1, 1, "Wazuh - Group (or user) deleted from the system"),
- (22000, 5904, 15, 173, NULL, 1, 1, "Wazuh - Information from the user was changed"),
- (22000, 5905, 15, 173, NULL, 1, 1, "Wazuh - useradd failed."),
- (22000, 5400, 15, 173, NULL, 1, 1, "Wazuh - Initial group for sudo messages"),
- (22000, 5401, 15, 173, NULL, 1, 1, "Wazuh - Failed attempt to run sudo"),
- (22000, 5402, 15, 173, NULL, 1, 1, "Wazuh - Successful sudo to ROOT executed"),
- (22000, 5403, 15, 173, NULL, 1, 1, "Wazuh - First time user executed sudo."),
- (22000, 5404, 15, 173, NULL, 1, 1, "Wazuh - Three failed attempts to run sudo"),
- (22000, 5405, 15, 173, NULL, 1, 1, "Wazuh - Unauthorized user attempted to use sudo."),
- (22000, 9100, 15, 173, NULL, 1, 1, "Wazuh - PPTPD messages grouped"),
- (22000, 9101, 15, 173, NULL, 1, 1, "Wazuh - PPTPD failed message (communication error)"),
- (22000, 9102, 15, 173, NULL, 1, 1, "Wazuh - PPTPD communication error"),
- (22000, 10100, 15, 173, NULL, 1, 1, "Wazuh - First time user logged in."),
- (22000, 9200, 15, 173, NULL, 1, 1, "Wazuh - Squid syslog messages grouped"),
- (22000, 9201, 15, 173, NULL, 1, 1, "Wazuh - Squid debug message"),
- (22000, 2900, 15, 173, NULL, 1, 1, "Wazuh - Dpkg (Debian Package) log."),
- (22000, 2901, 15, 173, NULL, 1, 1, "Wazuh - New dpkg (Debian Package) requested to install."),
- (22000, 2902, 15, 173, NULL, 1, 1, "Wazuh - New dpkg (Debian Package) installed."),
- (22000, 2903, 15, 173, NULL, 1, 1, "Wazuh - Dpkg (Debian Package) removed."),
- (22000, 2930, 15, 173, NULL, 1, 1, "Wazuh - Yum logs."),
- (22000, 2931, 15, 173, NULL, 1, 1, "Wazuh - Yum logs."),
- (22000, 2932, 15, 173, NULL, 1, 1, "Wazuh - New Yum package installed."),
- (22000, 2933, 15, 173, NULL, 1, 1, "Wazuh - Yum package updated."),
- (22000, 2934, 15, 173, NULL, 1, 1, "Wazuh - Yum package deleted."),
- (22000, 2935, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the mptscrih rules."),
- (22000, 2936, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the mptbase rules."),
- (22000, 2937, 15, 173, NULL, 1, 1, "Wazuh - Posible Disk failure. SCSI controller error."),
- (22000, 2938, 15, 173, NULL, 1, 1, "Wazuh - SCSI RAID ARRAY ERROR, drive failed."),
- (22000, 2939, 15, 173, NULL, 1, 1, "Wazuh - SCSI RAID is now in a degraded status."),
- (22000, 2940, 15, 173, NULL, 1, 1, "Wazuh - NetworkManager grouping."),
- (22000, 2941, 15, 173, NULL, 1, 1, "Wazuh - Incorrect chain/target/match."),
- (22000, 2942, 15, 173, NULL, 1, 1, "Wazuh - Uninteresting gnome error."),
- (22000, 2943, 15, 173, NULL, 1, 1, "Wazuh - nouveau driver grouping"),
- (22000, 2944, 15, 173, NULL, 1, 1, "Wazuh - Uninteresting nouveau error."),
- (22000, 2945, 15, 173, NULL, 1, 1, "Wazuh - rsyslog may be dropping messages due to rate-limiting."),
- (22000, 2960, 15, 173, NULL, 1, 1, "Wazuh - User added to group."),
- (22000, 2961, 15, 173, NULL, 1, 1, "Wazuh - User added to group sudo."),
- (22000, 3100, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the sendmail rules."),
- (22000, 3101, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the sendmail reject rules."),
- (22000, 3102, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sender domain does not have any valid MX record (Requested action aborted)."),
- (22000, 3103, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Rejected by access list (55x: Requested action not taken)."),
- (22000, 3104, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Attepmt to use mail server as relay (550: Requested action not taken)."),
- (22000, 3105, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sender domain is not found (553: Requested action not taken)."),
- (22000, 3106, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sender address does not have domain (553: Requested action not taken)."),
- (22000, 3107, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sendmail rejected message."),
- (22000, 3108, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sendmail rejected due to pre-greeting."),
- (22000, 3109, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sendmail save mail panic."),
- (22000, 3151, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sender domain has bogus MX record. It should not be sending e-mail."),
- (22000, 3152, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."),
- (22000, 3153, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple relaying attempts of spam."),
- (22000, 3154, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."),
- (22000, 3155, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple attempts to send e-mail from invalid/unknown sender."),
- (22000, 3156, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple rejected e-mails from same source ip."),
- (22000, 3158, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple pre-greetings rejects."),
- (22000, 3190, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the smf-sav sendmail milter rules."),
- (22000, 3191, 15, 173, NULL, 1, 1, "Wazuh - sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."),
- (22000, 3300, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the postfix reject rules."),
- (22000, 3301, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Attempt to use mail server as relay (client host rejected)."),
- (22000, 3302, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Rejected by access list (Requested action not taken)."),
- (22000, 3303, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Sender domain is not found (450: Requested mail action not taken)."),
- (22000, 3304, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."),
- (22000, 3305, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Receipent address must contain FQDN (504: Command parameter not implemented)."),
- (22000, 3306, 15, 173, NULL, 1, 1, "Wazuh - Postfix: IP Address black-listed by anti-spam (blocked)."),
- (22000, 3320, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the postfix rules."),
- (22000, 3330, 15, 173, NULL, 1, 1, "Wazuh - Postfix process error."),
- (22000, 3332, 15, 173, NULL, 1, 1, "Wazuh - Postfix SASL authentication failure."),
- (22000, 3331, 15, 173, NULL, 1, 1, "Wazuh - Postfix insufficient disk space error."),
- (22000, 3334, 15, 173, NULL, 1, 1, "Wazuh - Postfix started."),
- (22000, 3335, 15, 173, NULL, 1, 1, "Wazuh - Postfix: too many errors after RCPT from unkown"),
- (22000, 3333, 15, 173, NULL, 1, 1, "Wazuh - Postfix stopped."),
- (22000, 3351, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple relaying attempts of spam."),
- (22000, 3352, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."),
- (22000, 3353, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."),
- (22000, 3354, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple misuse of SMTP service (bad sequence of commands)."),
- (22000, 3355, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."),
- (22000, 3356, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."),
- (22000, 3357, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple SASL authentication failures."),
- (22000, 3390, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the clamsmtpd rules."),
- (22000, 3395, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the postfix warning rules."),
- (22000, 3396, 15, 173, NULL, 1, 1, "Wazuh - Postfix: hostname verification failed"),
- (22000, 3397, 15, 173, NULL, 1, 1, "Wazuh - Postfix: RBL lookup error: Host or domain name not found"),
- (22000, 3398, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Illegal address from unknown sender"),
- (22000, 3399, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Ignore permission warning"),
- (22000, 3500, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the spamd rules"),
- (22000, 3501, 15, 173, NULL, 1, 1, "Wazuh - SPAMD result message (not very usefull here)."),
- (22000, 3502, 15, 173, NULL, 1, 1, "Wazuh - Spamd debug event (reading message)."),
- (22000, 3600, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the imapd rules."),
- (22000, 3601, 15, 173, NULL, 1, 1, "Wazuh - Imapd user login failed."),
- (22000, 3602, 15, 173, NULL, 1, 1, "Wazuh - Imapd user login."),
- (22000, 3603, 15, 173, NULL, 1, 1, "Wazuh - Imapd user logout."),
- (22000, 3651, 15, 173, NULL, 1, 1, "Wazuh - Imapd Multiple failed logins from same source ip."),
- (22000, 3700, 15, 173, NULL, 1, 1, "Wazuh - Grouping of mailscanner rules."),
- (22000, 3701, 15, 173, NULL, 1, 1, "Wazuh - mailscanner: Non spam message. Ignored."),
- (22000, 3702, 15, 173, NULL, 1, 1, "Wazuh - mailscanner: spam detected."),
- (22000, 3751, 15, 173, NULL, 1, 1, "Wazuh - mailscanner: Multiple attempts of spam."),
- (22000, 3800, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Exchange rules."),
- (22000, 3801, 15, 173, NULL, 1, 1, "Wazuh - ms-exchange: E-mail rcpt is not valid (invalid account)."),
- (22000, 3802, 15, 173, NULL, 1, 1, "Wazuh - ms-exchange: E-mail 500 error code."),
- (22000, 3851, 15, 173, NULL, 1, 1, "Wazuh - ms-exchange: Multiple e-mail attempts to an invalid account."),
- (22000, 3852, 15, 173, NULL, 1, 1, "Wazuh - ms-exchange: Multiple e-mail 500 error code (spam)."),
- (22000, 3900, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the courier rules."),
- (22000, 3901, 15, 173, NULL, 1, 1, "Wazuh - New courier (imap/pop3) connection."),
- (22000, 3902, 15, 173, NULL, 1, 1, "Wazuh - Courier (imap/pop3) authentication failed."),
- (22000, 3903, 15, 173, NULL, 1, 1, "Wazuh - Courier logout/timeout."),
- (22000, 3904, 15, 173, NULL, 1, 1, "Wazuh - Courier (imap/pop3) authentication success."),
- (22000, 3910, 15, 173, NULL, 1, 1, "Wazuh - Courier brute force (multiple failed logins)."),
- (22000, 3911, 15, 173, NULL, 1, 1, "Wazuh - Courier: Multiple connection attempts from same source."),
- (22000, 4100, 15, 173, NULL, 1, 1, "Wazuh - Firewall rules grouped."),
- (22000, 4101, 15, 173, NULL, 1, 1, "Wazuh - Firewall drop event."),
- (22000, 4151, 15, 173, NULL, 1, 1, "Wazuh - Multiple Firewall drop events from same source."),
- (22000, 4300, 15, 173, NULL, 1, 1, "Wazuh - Grouping of PIX rules"),
- (22000, 4310, 15, 173, NULL, 1, 1, "Wazuh - PIX alert message."),
- (22000, 4311, 15, 173, NULL, 1, 1, "Wazuh - PIX critical message."),
- (22000, 4312, 15, 173, NULL, 1, 1, "Wazuh - PIX error message."),
- (22000, 4313, 15, 173, NULL, 1, 1, "Wazuh - PIX warning message."),
- (22000, 4314, 15, 173, NULL, 1, 1, "Wazuh - PIX notification/informational message."),
- (22000, 4315, 15, 173, NULL, 1, 1, "Wazuh - PIX debug message."),
- (22000, 4321, 15, 173, NULL, 1, 1, "Wazuh - PIX: Failed login attempt."),
- (22000, 4322, 15, 173, NULL, 1, 1, "Wazuh - PIX: Privilege changed."),
- (22000, 4323, 15, 173, NULL, 1, 1, "Wazuh - PIX: Successful login."),
- (22000, 4324, 15, 173, NULL, 1, 1, "Wazuh - PIX: Password mismatch while running 'enable' on the PIX."),
- (22000, 4325, 15, 173, NULL, 1, 1, "Wazuh - PIX: ARP collision detected."),
- (22000, 4326, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attempt to connect from a blocked (shunned) IP."),
- (22000, 4327, 15, 173, NULL, 1, 1, "Wazuh - PIX: Connection limit exceeded."),
- (22000, 4330, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attack in progress detected."),
- (22000, 4331, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attack in progress detected."),
- (22000, 4332, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attack in progress detected."),
- (22000, 4333, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attack in progress detected"),
- (22000, 4334, 15, 173, NULL, 1, 1, "Wazuh - PIX: AAA (VPN) authentication failed."),
- (22000, 4335, 15, 173, NULL, 1, 1, "Wazuh - PIX: AAA (VPN) authentication successful."),
- (22000, 4336, 15, 173, NULL, 1, 1, "Wazuh - PIX: AAA (VPN) user locked out."),
- (22000, 4337, 15, 173, NULL, 1, 1, "Wazuh - PIX: The PIX is disallowing new connections."),
- (22000, 4338, 15, 173, NULL, 1, 1, "Wazuh - PIX: Firewall failover pair communication problem."),
- (22000, 4339, 15, 173, NULL, 1, 1, "Wazuh - PIX: Firewall configuration deleted."),
- (22000, 4340, 15, 173, NULL, 1, 1, "Wazuh - PIX: Firewall configuration changed."),
- (22000, 4341, 15, 173, NULL, 1, 1, "Wazuh - PIX: Firewall command executed (for accounting only)."),
- (22000, 4342, 15, 173, NULL, 1, 1, "Wazuh - PIX: User created or modified on the Firewall."),
- (22000, 4380, 15, 173, NULL, 1, 1, "Wazuh - Multiple PIX alert messages."),
- (22000, 4381, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple critical messages."),
- (22000, 4382, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple error messages."),
- (22000, 4383, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple warning messages."),
- (22000, 4385, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple attack in progress messages."),
- (22000, 4386, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple AAA (VPN) authentication failures."),
- (22000, 4500, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the Netscreen Firewall rules"),
- (22000, 4501, 15, 173, NULL, 1, 1, "Wazuh - Netscreen notification message."),
- (22000, 4502, 15, 173, NULL, 1, 1, "Wazuh - Netscreen warning message."),
- (22000, 4503, 15, 173, NULL, 1, 1, "Wazuh - Netscreen critical/alert message."),
- (22000, 4513, 15, 173, NULL, 1, 1, "Wazuh - Netscreen critical/alert message."),
- (22000, 4504, 15, 173, NULL, 1, 1, "Wazuh - Netscreen informational message."),
- (22000, 4505, 15, 173, NULL, 1, 1, "Wazuh - Netscreen Erase sequence started."),
- (22000, 4506, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Successfull admin login"),
- (22000, 4507, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Successfull admin login"),
- (22000, 4508, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: policy changed."),
- (22000, 4509, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: configuration changed."),
- (22000, 4550, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Multiple critical messages from same source IP."),
- (22000, 4551, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Multiple critical messages."),
- (22000, 4552, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Multiple alert messages from same source IP."),
- (22000, 4553, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Multiple alert messages."),
- (22000, 4560, 15, 173, NULL, 1, 1, "Wazuh - netscreen detected a SYN flood."),
- (22000, 4700, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Cisco IOS rules."),
- (22000, 4710, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS emergency message."),
- (22000, 4711, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS alert message."),
- (22000, 4712, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS critical message."),
- (22000, 4713, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS error message."),
- (22000, 4714, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS warning message."),
- (22000, 4715, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS notification message."),
- (22000, 4716, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS informational message."),
- (22000, 4717, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS debug message."),
- (22000, 4721, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS router configuration changed."),
- (22000, 4722, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS: Successful login to the router."),
- (22000, 4724, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS: Failed login to the router."),
- (22000, 4800, 15, 173, NULL, 1, 1, "Wazuh - SonicWall messages grouped."),
- (22000, 4801, 15, 173, NULL, 1, 1, "Wazuh - SonicWall critical message."),
- (22000, 4802, 15, 173, NULL, 1, 1, "Wazuh - SonicWall critical message."),
- (22000, 4803, 15, 173, NULL, 1, 1, "Wazuh - SonicWall error message."),
- (22000, 4804, 15, 173, NULL, 1, 1, "Wazuh - SonicWall warning message."),
- (22000, 4805, 15, 173, NULL, 1, 1, "Wazuh - SonicWall notice message."),
- (22000, 4806, 15, 173, NULL, 1, 1, "Wazuh - SonicWall informational message."),
- (22000, 4807, 15, 173, NULL, 1, 1, "Wazuh - SonicWall debug message."),
- (22000, 4810, 15, 173, NULL, 1, 1, "Wazuh - SonicWall: Firewall administrator login."),
- (22000, 4811, 15, 173, NULL, 1, 1, "Wazuh - SonicWall: Firewall authentication failure."),
- (22000, 4850, 15, 173, NULL, 1, 1, "Wazuh - SonicWall: Multiple firewall warning messages."),
- (22000, 4851, 15, 173, NULL, 1, 1, "Wazuh - SonicWall: Multiple firewall error messages."),
- (22000, 5500, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the pam_unix rules."),
- (22000, 5501, 15, 173, NULL, 1, 1, "Wazuh - PAM: Login session opened."),
- (22000, 5502, 15, 173, NULL, 1, 1, "Wazuh - PAM: Login session closed."),
- (22000, 5503, 15, 173, NULL, 1, 1, "Wazuh - PAM: User login failed."),
- (22000, 5504, 15, 173, NULL, 1, 1, "Wazuh - PAM: Attempt to login with an invalid user."),
- (22000, 5521, 15, 173, NULL, 1, 1, "Wazuh - PAM: Ignoring Annoying Ubuntu/debian cron login events."),
- (22000, 5522, 15, 173, NULL, 1, 1, "Wazuh - PAM: Ignoring Annoying Ubuntu/debian cron login events."),
- (22000, 5523, 15, 173, NULL, 1, 1, "Wazuh - PAM: Ignoring events with a user or a password."),
- (22000, 5551, 15, 173, NULL, 1, 1, "Wazuh - PAM: Multiple failed logins in a small period of time."),
- (22000, 5552, 15, 173, NULL, 1, 1, "Wazuh - PAM and gdm are not playing nicely."),
- (22000, 5553, 15, 173, NULL, 1, 1, "Wazuh - PAM misconfiguration."),
- (22000, 5554, 15, 173, NULL, 1, 1, "Wazuh - PAM misconfiguration."),
- (22000, 5555, 15, 173, NULL, 1, 1, "Wazuh - PAM: User changed password."),
- (22000, 5556, 15, 173, NULL, 1, 1, "Wazuh - unix_chkpwd grouping."),
- (22000, 5557, 15, 173, NULL, 1, 1, "Wazuh - unix_chkpwd: Password check failed."),
- (22000, 5600, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the telnetd rules"),
- (22000, 5601, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Connection refused by TCP Wrappers."),
- (22000, 5602, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Remote host established a telnet connection."),
- (22000, 5603, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Remote host invalid connection."),
- (22000, 5604, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Reverse lookup error (bad hostname config)."),
- (22000, 5631, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Multiple connection attempts from same source (possible scan)."),
- (22000, 5700, 15, 173, NULL, 1, 1, "Wazuh - SSHD messages grouped."),
- (22000, 5701, 15, 173, NULL, 1, 1, "Wazuh - sshd: Possible attack on the ssh server (or version gathering)."),
- (22000, 5702, 15, 173, NULL, 1, 1, "Wazuh - sshd: Reverse lookup error (bad ISP or attack)."),
- (22000, 5703, 15, 173, NULL, 1, 1, "Wazuh - sshd: Possible breakin attempt (high number of reverse lookup errors)."),
- (22000, 5704, 15, 173, NULL, 1, 1, "Wazuh - sshd: Timeout while logging in."),
- (22000, 5705, 15, 173, NULL, 1, 1, "Wazuh - sshd: Possible scan or breakin attempt (high number of login timeouts)."),
- (22000, 5706, 15, 173, NULL, 1, 1, "Wazuh - sshd: insecure connection attempt (scan)."),
- (22000, 5707, 15, 173, NULL, 1, 1, "Wazuh - sshd: OpenSSH challenge-response exploit."),
- (22000, 5709, 15, 173, NULL, 1, 1, "Wazuh - sshd: Useless SSHD message without an user/ip and context."),
- (22000, 5710, 15, 173, NULL, 1, 1, "Wazuh - sshd: Attempt to login using a non-existent user"),
- (22000, 5711, 15, 173, NULL, 1, 1, "Wazuh - sshd: Useless/Duplicated SSHD message without a user/ip."),
- (22000, 5712, 15, 173, NULL, 1, 1, "Wazuh - sshd: brute force trying to get access to the system."),
- (22000, 5713, 15, 173, NULL, 1, 1, "Wazuh - sshd: Corrupted bytes on SSHD."),
- (22000, 5714, 15, 173, NULL, 1, 1, "Wazuh - sshd: SSH CRC-32 Compensation attack"),
- (22000, 5715, 15, 173, NULL, 1, 1, "Wazuh - sshd: authentication success."),
- (22000, 5716, 15, 173, NULL, 1, 1, "Wazuh - sshd: authentication failed."),
- (22000, 5717, 15, 173, NULL, 1, 1, "Wazuh - sshd: configuration error (moduli)."),
- (22000, 5718, 15, 173, NULL, 1, 1, "Wazuh - sshd: Attempt to login using a denied user."),
- (22000, 5719, 15, 173, NULL, 1, 1, "Wazuh - sshd: Multiple access attempts using a denied user."),
- (22000, 5720, 15, 173, NULL, 1, 1, "Wazuh - sshd: Multiple authentication failures."),
- (22000, 5721, 15, 173, NULL, 1, 1, "Wazuh - sshd: System disconnected from sshd."),
- (22000, 5722, 15, 173, NULL, 1, 1, "Wazuh - sshd: ssh connection closed."),
- (22000, 5723, 15, 173, NULL, 1, 1, "Wazuh - sshd: key error."),
- (22000, 5724, 15, 173, NULL, 1, 1, "Wazuh - sshd: key error."),
- (22000, 5725, 15, 173, NULL, 1, 1, "Wazuh - sshd: Host ungracefully disconnected."),
- (22000, 5726, 15, 173, NULL, 1, 1, "Wazuh - sshd: Unknown PAM module, PAM misconfiguration."),
- (22000, 5727, 15, 173, NULL, 1, 1, "Wazuh - sshd: Attempt to start sshd when something already bound to the port."),
- (22000, 5728, 15, 173, NULL, 1, 1, "Wazuh - sshd: Authentication services were not able to retrieve user credentials."),
- (22000, 5729, 15, 173, NULL, 1, 1, "Wazuh - sshd: Debug message."),
- (22000, 5730, 15, 173, NULL, 1, 1, "Wazuh - sshd: SSHD is not accepting connections."),
- (22000, 5731, 15, 173, NULL, 1, 1, "Wazuh - sshd: SSH Scanning."),
- (22000, 5732, 15, 173, NULL, 1, 1, "Wazuh - sshd: Possible port forwarding failure."),
- (22000, 5733, 15, 173, NULL, 1, 1, "Wazuh - sshd: User entered incorrect password."),
- (22000, 5734, 15, 173, NULL, 1, 1, "Wazuh - sshd: sshd could not load one or more host keys."),
- (22000, 5735, 15, 173, NULL, 1, 1, "Wazuh - sshd: Failed write due to one host disappearing."),
- (22000, 5736, 15, 173, NULL, 1, 1, "Wazuh - sshd: Connection reset or aborted."),
- (22000, 5737, 15, 173, NULL, 1, 1, "Wazuh - sshd: cannot bind to configured address."),
- (22000, 5738, 15, 173, NULL, 1, 1, "Wazuh - sshd: pam_loginuid could not open loginuid."),
- (22000, 5739, 15, 173, NULL, 1, 1, "Wazuh - sshd: configuration error (AuthorizedKeysCommand)"),
- (22000, 5740, 15, 173, NULL, 1, 1, "Wazuh - sshd: connection reset by peer"),
- (22000, 5741, 15, 173, NULL, 1, 1, "Wazuh - sshd: connection refused"),
- (22000, 5742, 15, 173, NULL, 1, 1, "Wazuh - sshd: connection timed out"),
- (22000, 5743, 15, 173, NULL, 1, 1, "Wazuh - sshd: no route to host"),
- (22000, 5744, 15, 173, NULL, 1, 1, "Wazuh - sshd: port forwarding issue"),
- (22000, 5745, 15, 173, NULL, 1, 1, "Wazuh - sshd: transport endpoint is not connected"),
- (22000, 5746, 15, 173, NULL, 1, 1, "Wazuh - sshd: get_remote_port failed"),
- (22000, 5747, 15, 173, NULL, 1, 1, "Wazuh - sshd: bad client public DH value"),
- (22000, 5748, 15, 173, NULL, 1, 1, "Wazuh - sshd: corrupted MAC on input"),
- (22000, 5749, 15, 173, NULL, 1, 1, "Wazuh - sshd: bad packet length"),
- (22000, 5750, 15, 173, NULL, 1, 1, "Wazuh - sshd: could not negotiate with client."),
- (22000, 5751, 15, 173, NULL, 1, 1, "Wazuh - sshd: No hostkey alg."),
- (22000, 5752, 15, 173, NULL, 1, 1, "Wazuh - sshd: Client did not offer an acceptable key exchange method."),
- (22000, 5753, 15, 173, NULL, 1, 1, "Wazuh - sshd: could not negotiate with client, no matching cipher."),
- (22000, 5754, 15, 173, NULL, 1, 1, "Wazuh - sshd: failed to create a session."),
- (22000, 5755, 15, 173, NULL, 1, 1, "Wazuh - sshd: Authentication refused due to owner/permissions of authorized_keys."),
- (22000, 5756, 15, 173, NULL, 1, 1, "Wazuh - sshd: subsystem request failed."),
- (22000, 5757, 15, 173, NULL, 1, 1, "Wazuh - Bad DNS mapping."),
- (22000, 5758, 15, 173, NULL, 1, 1, "Wazuh - Maximum authentication attempts exceeded."),
- (22000, 5759, 15, 173, NULL, 1, 1, "Wazuh - sshd: could not negotiate with client, no matching mac."),
- (22000, 6100, 15, 173, NULL, 1, 1, "Wazuh - Solaris BSM Auditing messages grouped."),
- (22000, 6101, 15, 173, NULL, 1, 1, "Wazuh - Solaris: Auditing session failed."),
- (22000, 6102, 15, 173, NULL, 1, 1, "Wazuh - Solaris: Auditing session succeeded."),
- (22000, 6103, 15, 173, NULL, 1, 1, "Wazuh - Solaris: Login session succeeded."),
- (22000, 6104, 15, 173, NULL, 1, 1, "Wazuh - Solaris: Login session failed."),
- (22000, 6105, 15, 173, NULL, 1, 1, "Wazuh - Solaris: User successfully changed UID."),
- (22000, 6106, 15, 173, NULL, 1, 1, "Wazuh - Solaris: User failed to change UID (user id)."),
- (22000, 6200, 15, 173, NULL, 1, 1, "Wazuh - Asterisk messages grouped."),
- (22000, 6201, 15, 173, NULL, 1, 1, "Wazuh - Asterisk notice messages grouped."),
- (22000, 6202, 15, 173, NULL, 1, 1, "Wazuh - Asterisk warning message."),
- (22000, 6203, 15, 173, NULL, 1, 1, "Wazuh - Asterisk error message."),
- (22000, 6210, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Login session failed."),
- (22000, 6211, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Login session failed (invalid user)."),
- (22000, 6212, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Login session failed (invalid extension)."),
- (22000, 6250, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Multiple failed logins (user enumeration in process)."),
- (22000, 6251, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Multiple failed logins."),
- (22000, 6252, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Extension enumeration."),
- (22000, 6253, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Login session failed (invalid iax user)."),
- (22000, 6254, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Extension IAX Enumeration."),
- (22000, 6255, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Possible Registration Hijacking."),
- (22000, 6256, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: IAX peer Wrong Password."),
- (22000, 6257, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Multiple failed logins."),
- (22000, 6300, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the MS-DHCP ipv4 rules."),
- (22000, 6301, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: The log was started."),
- (22000, 6302, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: The log was stopped."),
- (22000, 6303, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: The log was temporarily paused due to low disk space."),
- (22000, 6304, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A new IP address was leased to a client."),
- (22000, 6305, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was renewed by a client."),
- (22000, 6306, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was released by a client."),
- (22000, 6307, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: An IP address was found to be in use on the network."),
- (22000, 6308, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease request could not be satisfied because the scope's address pool was exhausted."),
- (22000, 6309, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was denied."),
- (22000, 6310, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was deleted."),
- (22000, 6311, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was expired and DNS records for an expired leases have not been deleted."),
- (22000, 6322, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was expired and DNS records were deleted."),
- (22000, 6312, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A BOOTP address was leased to a client."),
- (22000, 6313, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A dynamic BOOTP address was leased to a client."),
- (22000, 6314, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted."),
- (22000, 6315, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A BOOTP IP address was deleted after checking to see it was not in use."),
- (22000, 6316, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: IP address cleanup operation has began."),
- (22000, 6317, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: IP address cleanup statistics."),
- (22000, 6318, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DNS update request to the named DNS server."),
- (22000, 6319, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DNS update failed."),
- (22000, 6320, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DNS update successful."),
- (22000, 6323, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Packet dropped due to NAP policy."),
- (22000, 6321, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Codes above 50 are used for Rogue Server Detection information."),
- (22000, 6350, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the MS-DHCP ipv6 rules."),
- (22000, 6351, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Solicit."),
- (22000, 6352, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Advertise."),
- (22000, 6354, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Confirm."),
- (22000, 6355, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Renew."),
- (22000, 6356, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Rebind."),
- (22000, 6357, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DHCP Decline."),
- (22000, 6358, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Release."),
- (22000, 6359, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Information Request."),
- (22000, 6360, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Scope Full."),
- (22000, 6361, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Started."),
- (22000, 6362, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Stopped."),
- (22000, 6363, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Audit log paused."),
- (22000, 6364, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DHCP Log File."),
- (22000, 6365, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Bad Address."),
- (22000, 6366, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Address is already in use."),
- (22000, 6367, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Client deleted."),
- (22000, 6368, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DNS record not deleted."),
- (22000, 6369, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Expired."),
- (22000, 6370, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Expired and Deleted count."),
- (22000, 6371, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Database cleanup begin."),
- (22000, 6372, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Database cleanup end."),
- (22000, 6373, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Service not authorized in AD."),
- (22000, 6374, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Service authorized in AD."),
- (22000, 6376, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Service has not determined if it is authorized in AD."),
- (22000, 7200, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch messages grouped."),
- (22000, 7201, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch new host detected."),
- (22000, 7202, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: flip flop message. IP address/MAC relation changing too often."),
- (22000, 7203, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: exiting."),
- (22000, 7204, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: Changed network interface for ip address."),
- (22000, 7205, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: startup/exiting messages."),
- (22000, 7206, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: detected bad address len (ignored)."),
- (22000, 7207, 15, 173, NULL, 1, 1, "Wazuh - arpwatch probably run with wrong permissions"),
- (22000, 7208, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: An IP has reverted to an old ethernet address."),
- (22000, 7209, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: Possible arpspoofing attempt."),
- (22000, 7300, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Symantec AV rules."),
- (22000, 7301, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Symantec AV rules from eventlog."),
- (22000, 7310, 15, 173, NULL, 1, 1, "Wazuh - Symantec-AV: Virus detected."),
- (22000, 7320, 15, 173, NULL, 1, 1, "Wazuh - Symantec-AV: Virus scan updated,started or stopped."),
- (22000, 7400, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Symantec Web Security rules."),
- (22000, 7410, 15, 173, NULL, 1, 1, "Wazuh - Symantec-WS: Login failed accessing the web proxy."),
- (22000, 7415, 15, 173, NULL, 1, 1, "Wazuh - Symantec-WS: Login success accessing the web proxy."),
- (22000, 7420, 15, 173, NULL, 1, 1, "Wazuh - Symantec-WS: Admin Login success to the web proxy."),
- (22000, 7600, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Trend OSCE rules."),
- (22000, 7610, 15, 173, NULL, 1, 1, "Wazuh - Trend: Virus detected and cleaned/quarantined/remved"),
- (22000, 7611, 15, 173, NULL, 1, 1, "Wazuh - Trend: Virus detected and unable to clean up."),
- (22000, 7612, 15, 173, NULL, 1, 1, "Wazuh - Trend: Virus scan completed with no errors detected."),
- (22000, 7613, 15, 173, NULL, 1, 1, "Wazuh - Trend: Virus scan passed by found potential security risk."),
- (22000, 9300, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the Horde imp rules."),
- (22000, 9301, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP informational message."),
- (22000, 9302, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP notice message."),
- (22000, 9303, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP error message."),
- (22000, 9304, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP emergency message."),
- (22000, 9305, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP successful login."),
- (22000, 9306, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP Failed login."),
- (22000, 9351, 15, 173, NULL, 1, 1, "Wazuh - Horde brute force (multiple failed logins)."),
- (22000, 9352, 15, 173, NULL, 1, 1, "Wazuh - Multiple Horde emergency messages."),
- (22000, 9400, 15, 173, NULL, 1, 1, "Wazuh - Roundcube messages groupe.d"),
- (22000, 9401, 15, 173, NULL, 1, 1, "Wazuh - Roundcube authentication failed."),
- (22000, 9402, 15, 173, NULL, 1, 1, "Wazuh - Roundcube authentication succeeded."),
- (22000, 9500, 15, 173, NULL, 1, 1, "Wazuh - Wordpress messages grouped."),
- (22000, 9501, 15, 173, NULL, 1, 1, "Wazuh - Wordpress authentication failed."),
- (22000, 9502, 15, 173, NULL, 1, 1, "Wazuh - Wordpress authentication succeeded."),
- (22000, 9503, 15, 173, NULL, 1, 1, "Wazuh - WPsyslog was successfully initialized."),
- (22000, 9504, 15, 173, NULL, 1, 1, "Wazuh - Wordpress plugin deactivated."),
- (22000, 9505, 15, 173, NULL, 1, 1, "Wazuh - Wordpress Comment Flood Attempt."),
- (22000, 9510, 15, 173, NULL, 1, 1, "Wazuh - Attack against Wordpress detected."),
- (22000, 9551, 15, 173, NULL, 1, 1, "Wazuh - Multiple wordpress authentication failures."),
- (22000, 9600, 15, 173, NULL, 1, 1, "Wazuh - cimserver messages grouped."),
- (22000, 9610, 15, 173, NULL, 1, 1, "Wazuh - cimserver: Compaq Insight Manager authentication failure."),
- (22000, 9611, 15, 173, NULL, 1, 1, "Wazuh - cimserver: Compaq Insight Manager stopped."),
- (22000, 9700, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Messages Grouped."),
- (22000, 9701, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Authentication Success."),
- (22000, 9702, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Authentication Failed."),
- (22000, 9703, 15, 173, NULL, 1, 1, "Wazuh - Dovecot is Starting Up."),
- (22000, 9704, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Fatal Failure."),
- (22000, 9705, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Invalid User Login Attempt."),
- (22000, 9706, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Session Disconnected."),
- (22000, 9707, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Aborted Login."),
- (22000, 9750, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Multiple Authentication Failures."),
- (22000, 9751, 15, 173, NULL, 1, 1, "Wazuh - Dovecot brute force attack (multiple auth failures)."),
- (22000, 9770, 15, 173, NULL, 1, 1, "Wazuh - dovecot-info grouping."),
- (22000, 9771, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Invalid User Login Attempt."),
- (22000, 9800, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the vm-pop3d rules."),
- (22000, 9801, 15, 173, NULL, 1, 1, "Wazuh - vm-pop3d: Login failed accessing the pop3 server."),
- (22000, 9820, 15, 173, NULL, 1, 1, "Wazuh - vm-pop3d: POP3 brute force (multiple failed logins)."),
- (22000, 9900, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the vpopmail rules."),
- (22000, 9901, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: Login failed."),
- (22000, 9902, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: Attempt to login to vpopmail with invalid username."),
- (22000, 9903, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: Attempt to login to vpopmail with empty password."),
- (22000, 9904, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: successful login."),
- (22000, 9951, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: brute force (multiple failed logins)."),
- (22000, 9952, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: brute force (email harvesting)."),
- (22000, 9953, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: brute force (empty password)."),
- (22000, 11100, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the ftpd rules."),
- (22000, 11101, 15, 173, NULL, 1, 1, "Wazuh - FTPD: connection refused."),
- (22000, 11102, 15, 173, NULL, 1, 1, "Wazuh - FTPD: File created via FTP"),
- (22000, 11103, 15, 173, NULL, 1, 1, "Wazuh - FTPD: File deleted via FTP"),
- (22000, 11104, 15, 173, NULL, 1, 1, "Wazuh - FTPD: User uploaded a file to server."),
- (22000, 11105, 15, 173, NULL, 1, 1, "Wazuh - FTPD: User downloaded a file to server."),
- (22000, 11106, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Remote host connected to FTP server.,"),
- (22000, 11107, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Connection blocked by Tcp Wrappers."),
- (22000, 11108, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Reverse lookup error (bad ISP config)."),
- (22000, 11109, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Multiple FTP failed login attempts."),
- (22000, 11110, 15, 173, NULL, 1, 1, "Wazuh - FTPD: User disconnected due to time out."),
- (22000, 11111, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Attempt to login with disabled account."),
- (22000, 11112, 15, 173, NULL, 1, 1, "Wazuh - FTPD: authentication failure."),
- (22000, 11113, 15, 173, NULL, 1, 1, "Wazuh - FTPD: authentication failure."),
- (22000, 11200, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the proftpd rules."),
- (22000, 11201, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP session opened."),
- (22000, 11202, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP session closed."),
- (22000, 11203, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Attempt to login using a non-existent user."),
- (22000, 11204, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Login failed accessing the FTP server"),
- (22000, 11205, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP Authentication success."),
- (22000, 11206, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Connection denied by ProFTPD configuration."),
- (22000, 11207, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Connection refused by TCP Wrappers."),
- (22000, 11208, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Small PassivePorts range in config file. Server misconfiguration."),
- (22000, 11209, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Attempt to bypass firewall that can't adequately keep state of FTP traffic."),
- (22000, 11210, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Multiple failed login attempts."),
- (22000, 11211, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Mismatch in server's hostname."),
- (22000, 11212, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Reverse lookup error (bad ISP config)."),
- (22000, 11213, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Remote host connected to FTP server."),
- (22000, 11214, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Remote host disconnected due to inactivity."),
- (22000, 11215, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Remote host disconnected due to login time out."),
- (22000, 11216, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Remote host disconnected due to time out."),
- (22000, 11217, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Data transfer stalled."),
- (22000, 11218, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP process crashed."),
- (22000, 11219, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP server Buffer overflow attempt."),
- (22000, 11220, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Unable to bind to adress."),
- (22000, 11221, 15, 173, NULL, 1, 1, "Wazuh - proftpd: IPv6 error and mod-delay info (ignored)."),
- (22000, 11222, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Couldn't open the incoming connection. Check log message for reason."),
- (22000, 11251, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP brute force (multiple failed logins)."),
- (22000, 11252, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Multiple connection attempts from same source."),
- (22000, 11253, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Multiple timed out logins from same source."),
- (22000, 11300, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the pure-ftpd rules."),
- (22000, 11301, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: New FTP connection."),
- (22000, 11302, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP Authentication failed."),
- (22000, 11303, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP user logout/timeout"),
- (22000, 11304, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP notice messages"),
- (22000, 11305, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: Attempt to access invalid directory"),
- (22000, 11306, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP brute force (multiple failed logins)."),
- (22000, 11307, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: Multiple connection attempts from same source."),
- (22000, 11309, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP Authentication success."),
- (22000, 11310, 15, 173, NULL, 1, 1, "Wazuh - Rule grouping for pure ftpd transfers."),
- (22000, 11311, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: File added to ftpd."),
- (22000, 11312, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: File retrieved from ftpd."),
- (22000, 11400, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the vsftpd rules."),
- (22000, 11401, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: FTP session opened."),
- (22000, 11402, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: FTP Authentication success."),
- (22000, 11403, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: Login failed accessing the FTP server."),
- (22000, 11404, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: FTP server file upload."),
- (22000, 11451, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: FTP brute force (multiple failed logins)."),
- (22000, 11452, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: Multiple FTP connection attempts from same source IP."),
- (22000, 11500, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the Microsoft ftp rules."),
- (22000, 11501, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: New FTP connection."),
- (22000, 11502, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: FTP Authentication failed."),
- (22000, 11503, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: FTP Authentication success."),
- (22000, 11504, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: FTP client request failed."),
- (22000, 11510, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: FTP brute force (multiple failed logins)."),
- (22000, 11511, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: Multiple connection attempts from same source."),
- (22000, 11512, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: Multiple FTP errors from same source."),
- (22000, 12100, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the named rules"),
- (22000, 12101, 15, 173, NULL, 1, 1, "Wazuh - Invalid DNS packet. Possibility of attack."),
- (22000, 12102, 15, 173, NULL, 1, 1, "Wazuh - Failed attempt to perform a zone transfer."),
- (22000, 12103, 15, 173, NULL, 1, 1, "Wazuh - DNS update denied. Generally mis-configuration."),
- (22000, 12104, 15, 173, NULL, 1, 1, "Wazuh - Log permission misconfiguration in Named."),
- (22000, 12105, 15, 173, NULL, 1, 1, "Wazuh - Unexpected error while resolving domain."),
- (22000, 12106, 15, 173, NULL, 1, 1, "Wazuh - DNS configuration error."),
- (22000, 12107, 15, 173, NULL, 1, 1, "Wazuh - DNS update using RFC2136 Dynamic protocol."),
- (22000, 12108, 15, 173, NULL, 1, 1, "Wazuh - Query cache denied (probably config error)."),
- (22000, 12109, 15, 173, NULL, 1, 1, "Wazuh - Named fatal error. DNS service going down."),
- (22000, 12110, 15, 173, NULL, 1, 1, "Wazuh - Serial number from master is lower than stored."),
- (22000, 12111, 15, 173, NULL, 1, 1, "Wazuh - Unable to perform zone transfer."),
- (22000, 12112, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer error."),
- (22000, 12113, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer deferred."),
- (22000, 12114, 15, 173, NULL, 1, 1, "Wazuh - Hostname contains characters that check-names does not like."),
- (22000, 12115, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer."),
- (22000, 12116, 15, 173, NULL, 1, 1, "Wazuh - Syntax error in a named configuration file."),
- (22000, 12117, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer rety limit exceeded"),
- (22000, 12118, 15, 173, NULL, 1, 1, "Wazuh - Zone has been duplicated."),
- (22000, 12119, 15, 173, NULL, 1, 1, "Wazuh - BIND has been started"),
- (22000, 12120, 15, 173, NULL, 1, 1, "Wazuh - Missing A or AAAA record"),
- (22000, 12121, 15, 173, NULL, 1, 1, "Wazuh - Zone has been removed from a master server"),
- (22000, 12122, 15, 173, NULL, 1, 1, "Wazuh - Origin of zone and owner name of SOA do not match."),
- (22000, 12123, 15, 173, NULL, 1, 1, "Wazuh - Zone has been duplicated"),
- (22000, 12125, 15, 173, NULL, 1, 1, "Wazuh - BIND Configuration error."),
- (22000, 12126, 15, 173, NULL, 1, 1, "Wazuh - Zone has been removed from a master server"),
- (22000, 12127, 15, 173, NULL, 1, 1, "Wazuh - Origin of zone and owner name of SOA do not match."),
- (22000, 12128, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer."),
- (22000, 12129, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer failed, unable to connect to master."),
- (22000, 12130, 15, 173, NULL, 1, 1, "Wazuh - Could not listen on IPv6 interface."),
- (22000, 12131, 15, 173, NULL, 1, 1, "Wazuh - Could not bind to an interface."),
- (22000, 12132, 15, 173, NULL, 1, 1, "Wazuh - Master is not authoritative for zone."),
- (22000, 12133, 15, 173, NULL, 1, 1, "Wazuh - Could not open configuration file, permission denied."),
- (22000, 12134, 15, 173, NULL, 1, 1, "Wazuh - Could not open configuration file, permission denied."),
- (22000, 12135, 15, 173, NULL, 1, 1, "Wazuh - Domain in SOA -E."),
- (22000, 12136, 15, 173, NULL, 1, 1, "Wazuh - Master appears to be down."),
- (22000, 12137, 15, 173, NULL, 1, 1, "Wazuh - Domain is queried for a zone transferred."),
- (22000, 12138, 15, 173, NULL, 1, 1, "Wazuh - Domain A record found."),
- (22000, 12139, 15, 173, NULL, 1, 1, "Wazuh - Bad zone transfer request."),
- (22000, 12140, 15, 173, NULL, 1, 1, "Wazuh - Cannot refresh a domain from the master server."),
- (22000, 12141, 15, 173, NULL, 1, 1, "Wazuh - Origin of zone and owner name of SOA do not match."),
- (22000, 12142, 15, 173, NULL, 1, 1, "Wazuh - named command channel is listening."),
- (22000, 12143, 15, 173, NULL, 1, 1, "Wazuh - named has created an automatic empty zone."),
- (22000, 12144, 15, 173, NULL, 1, 1, "Wazuh - Server does not have enough memory to reload the configuration."),
- (22000, 12145, 15, 173, NULL, 1, 1, "Wazuh - zone transfer denied"),
- (22000, 12146, 15, 173, NULL, 1, 1, "Wazuh - Cannot send a DNS response."),
- (22000, 12147, 15, 173, NULL, 1, 1, "Wazuh - Cannot update forwarding domain."),
- (22000, 12148, 15, 173, NULL, 1, 1, "Wazuh - Parsing of a configuration file has failed."),
- (22000, 13100, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the smbd rules."),
- (22000, 13101, 15, 173, NULL, 1, 1, "Wazuh - Samba network problems."),
- (22000, 13102, 15, 173, NULL, 1, 1, "Wazuh - Samba connection denied."),
- (22000, 13103, 15, 173, NULL, 1, 1, "Wazuh - Samba network problems."),
- (22000, 13104, 15, 173, NULL, 1, 1, "Wazuh - Samba: User action denied by configuration."),
- (22000, 13105, 15, 173, NULL, 1, 1, "Wazuh - Samba network problems (unable to connect)."),
- (22000, 13106, 15, 173, NULL, 1, 1, "Wazuh - "),
- (22000, 13108, 15, 173, NULL, 1, 1, "Wazuh - Samba: An attempt has been made to start smbd but the process is already running."),
- (22000, 13109, 15, 173, NULL, 1, 1, "Wazuh - Samba: An attempt has been made to start nmbd but the process is already running."),
- (22000, 13110, 15, 173, NULL, 1, 1, "Wazuh - Samba: Connection was denied."),
- (22000, 13111, 15, 173, NULL, 1, 1, "Wazuh - Samba: Socket is not connected, write failed."),
- (22000, 13112, 15, 173, NULL, 1, 1, "Wazuh - Samba: Segfault in gvfs-smb."),
- (22000, 14100, 15, 173, NULL, 1, 1, "Wazuh - Grouping of racoon rules."),
- (22000, 14101, 15, 173, NULL, 1, 1, "Wazuh - racoon: VPN authentication failed."),
- (22000, 14110, 15, 173, NULL, 1, 1, "Wazuh - Racoon informational message."),
- (22000, 14111, 15, 173, NULL, 1, 1, "Wazuh - Racoon error message."),
- (22000, 14112, 15, 173, NULL, 1, 1, "Wazuh - Racoon warning message."),
- (22000, 14120, 15, 173, NULL, 1, 1, "Wazuh - racoon: VPN established."),
- (22000, 14121, 15, 173, NULL, 1, 1, "Wazuh - racoon: Roadwarrior configuration (ignored error)."),
- (22000, 14122, 15, 173, NULL, 1, 1, "Wazuh - racoon: Roadwarrior configuration (ignored warning)."),
- (22000, 14123, 15, 173, NULL, 1, 1, "Wazuh - racoon: Invalid configuration settings (ignored error)."),
- (22000, 14151, 15, 173, NULL, 1, 1, "Wazuh - racoon: Multiple failed VPN logins."),
- (22000, 14200, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Cisco VPN concentrator rules"),
- (22000, 14201, 15, 173, NULL, 1, 1, "Wazuh - CiscoVPN: VPN authentication successful."),
- (22000, 14202, 15, 173, NULL, 1, 1, "Wazuh - CiscoVPN: VPN authentication failed."),
- (22000, 14203, 15, 173, NULL, 1, 1, "Wazuh - CiscoVPN: VPN Admin authentication successful."),
- (22000, 14251, 15, 173, NULL, 1, 1, "Wazuh - CiscoVPN: Multiple VPN authentication failures."),
- (22000, 18100, 15, 173, NULL, 1, 1, "Wazuh - Group of windows rules."),
- (22000, 18101, 15, 173, NULL, 1, 1, "Wazuh - Windows informational event."),
- (22000, 18102, 15, 173, NULL, 1, 1, "Wazuh - Windows warning event."),
- (22000, 18103, 15, 173, NULL, 1, 1, "Wazuh - Windows error event."),
- (22000, 18104, 15, 173, NULL, 1, 1, "Wazuh - Windows audit success event."),
- (22000, 18105, 15, 173, NULL, 1, 1, "Wazuh - Windows audit failure event."),
- (22000, 18106, 15, 173, NULL, 1, 1, "Wazuh - Windows Logon Failure."),
- (22000, 18107, 15, 173, NULL, 1, 1, "Wazuh - Windows Logon Success."),
- (22000, 18108, 15, 173, NULL, 1, 1, "Wazuh - Windows: Failed attempt to perform a privileged operation."),
- (22000, 18109, 15, 173, NULL, 1, 1, "Wazuh - Windows: Session reconnected/disconnected to winstation."),
- (22000, 18110, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account enabled or created."),
- (22000, 18111, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account changed."),
- (22000, 18112, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account disabled or deleted."),
- (22000, 18113, 15, 173, NULL, 1, 1, "Wazuh - Windows Audit Policy changed."),
- (22000, 18114, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group Account Changed"),
- (22000, 18115, 15, 173, NULL, 1, 1, "Wazuh - Windows: General account database changed."),
- (22000, 18116, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account locked out (multiple login errors)."),
- (22000, 18117, 15, 173, NULL, 1, 1, "Wazuh - Windows is shutting down."),
- (22000, 18118, 15, 173, NULL, 1, 1, "Wazuh - Windows audit log was cleared."),
- (22000, 18119, 15, 173, NULL, 1, 1, "Wazuh - Windows: First time this user logged in this system."),
- (22000, 18120, 15, 173, NULL, 1, 1, "Wazuh - Windows login attempt (ignored). Duplicated."),
- (22000, 18125, 15, 173, NULL, 1, 1, "Wazuh - Windows: Remote access login failure."),
- (22000, 18126, 15, 173, NULL, 1, 1, "Wazuh - Windows: Remote access login success."),
- (22000, 18127, 15, 173, NULL, 1, 1, "Wazuh - Windows: Computer account added/changed/deleted."),
- (22000, 18128, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group account added/changed/deleted."),
- (22000, 18129, 15, 173, NULL, 1, 1, "Wazuh - Windows file system full."),
- (22000, 18130, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Unknown user or bad password."),
- (22000, 18131, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Account logon time restriction violation."),
- (22000, 18132, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Account currently disabled."),
- (22000, 18133, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Specified account expired."),
- (22000, 18134, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - User not allowed to login at this computer."),
- (22000, 18135, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - User not granted logon type."),
- (22000, 18136, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Account's password expired."),
- (22000, 18137, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Internal error."),
- (22000, 18138, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Account locked out."),
- (22000, 18139, 15, 173, NULL, 1, 1, "Wazuh - Windows DC Logon Failure."),
- (22000, 18140, 15, 173, NULL, 1, 1, "Wazuh - Windows: System time changed."),
- (22000, 18141, 15, 173, NULL, 1, 1, "Wazuh - Unexpected Windows shutdown."),
- (22000, 18142, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account unlocked."),
- (22000, 18143, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security enabled group created."),
- (22000, 18144, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security enabled group deleted."),
- (22000, 18145, 15, 173, NULL, 1, 1, "Wazuh - Windows: Service startup type was changed."),
- (22000, 18146, 15, 173, NULL, 1, 1, "Wazuh - Windows: Application Uninstalled."),
- (22000, 18147, 15, 173, NULL, 1, 1, "Wazuh - Windows: Application Installed."),
- (22000, 18148, 15, 173, NULL, 1, 1, "Wazuh - Windows is starting up."),
- (22000, 18149, 15, 173, NULL, 1, 1, "Wazuh - Windows User Logoff."),
- (22000, 18200, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group Account Created"),
- (22000, 18201, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group Account Deleted"),
- (22000, 18202, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Created"),
- (22000, 18203, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Member Added"),
- (22000, 18204, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Member Removed"),
- (22000, 18205, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Deleted"),
- (22000, 18206, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Created"),
- (22000, 18207, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Member Added"),
- (22000, 18208, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Member Removed"),
- (22000, 18209, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Deleted"),
- (22000, 18210, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Changed"),
- (22000, 18211, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Changed"),
- (22000, 18212, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Created"),
- (22000, 18213, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Changed"),
- (22000, 18214, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Member Added"),
- (22000, 18215, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Member Removed"),
- (22000, 18216, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Deleted"),
- (22000, 18217, 15, 173, NULL, 1, 1, "Wazuh - Windows: Administrators Group Changed"),
- (22000, 18218, 15, 173, NULL, 1, 1, "Wazuh - Windows: Everyone Group Changed"),
- (22000, 18219, 15, 173, NULL, 1, 1, "Wazuh - Windows: Enterprise Domain Controllers Group Changed"),
- (22000, 18220, 15, 173, NULL, 1, 1, "Wazuh - Windows: Authenticated Users Group Changed"),
- (22000, 18221, 15, 173, NULL, 1, 1, "Wazuh - Windows: Terminal Server Users Group Changed"),
- (22000, 18222, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Admins Group Changed"),
- (22000, 18223, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Users Group Changed"),
- (22000, 18224, 15, 173, NULL, 1, 1, "Wazuh - Windows: Local User Group NONE"),
- (22000, 18225, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Guests Group Changed"),
- (22000, 18226, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Computers Group Changed"),
- (22000, 18227, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Controllers Group Changed"),
- (22000, 18228, 15, 173, NULL, 1, 1, "Wazuh - Windows: Cert Publishers Group Changed"),
- (22000, 18229, 15, 173, NULL, 1, 1, "Wazuh - Windows: Schema Admins Group Changed"),
- (22000, 18230, 15, 173, NULL, 1, 1, "Wazuh - Windows: Enterprise Admins Group Changed"),
- (22000, 18231, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group Policy Creator Owners Group Changed"),
- (22000, 18232, 15, 173, NULL, 1, 1, "Wazuh - Windows: RAS and IAS Servers Group Changed"),
- (22000, 18233, 15, 173, NULL, 1, 1, "Wazuh - Windows: Users Group Changed"),
- (22000, 18234, 15, 173, NULL, 1, 1, "Wazuh - Windows: Guests Group Changed"),
- (22000, 18235, 15, 173, NULL, 1, 1, "Wazuh - Windows: Power Users Group Changed"),
- (22000, 18236, 15, 173, NULL, 1, 1, "Wazuh - Windows: Account Operators Group Changed"),
- (22000, 18237, 15, 173, NULL, 1, 1, "Wazuh - Windows: Server Operators Group Changed"),
- (22000, 18238, 15, 173, NULL, 1, 1, "Wazuh - Windows: Print Operators Group Changed"),
- (22000, 18239, 15, 173, NULL, 1, 1, "Wazuh - Windows: Backup Operators Group Changed"),
- (22000, 18240, 15, 173, NULL, 1, 1, "Wazuh - Windows: Replicators Group Changed"),
- (22000, 18241, 15, 173, NULL, 1, 1, "Wazuh - Pre-Windows 2000 Compatible Access Group Changed"),
- (22000, 18242, 15, 173, NULL, 1, 1, "Wazuh - Windows: Remote Desktop Users Group Changed"),
- (22000, 18243, 15, 173, NULL, 1, 1, "Wazuh - Windows: Network Configuration Operators Group Changed"),
- (22000, 18244, 15, 173, NULL, 1, 1, "Wazuh - Windows: Incoming Forest Trust Builders Group Changed"),
- (22000, 18245, 15, 173, NULL, 1, 1, "Wazuh - Windows: Performance Monitor Users Group Changed"),
- (22000, 18246, 15, 173, NULL, 1, 1, "Wazuh - Windows: Performance Log Users Group Changed"),
- (22000, 18247, 15, 173, NULL, 1, 1, "Wazuh - Windows Authorization Access Group Changed"),
- (22000, 18248, 15, 173, NULL, 1, 1, "Wazuh - Windows: Terminal Server License Servers Group Changed"),
- (22000, 18249, 15, 173, NULL, 1, 1, "Wazuh - Windows: Distributed COM Users Group Changed"),
- (22000, 18250, 15, 173, NULL, 1, 1, "Wazuh - Windows: Enterprise Read-only Domain Controllers Group Changed"),
- (22000, 18251, 15, 173, NULL, 1, 1, "Wazuh - Windows: Read-only Domain Controllers Group Changed"),
- (22000, 18252, 15, 173, NULL, 1, 1, "Wazuh - Windows: Cryptographic Operators Group Changed"),
- (22000, 18253, 15, 173, NULL, 1, 1, "Wazuh - Windows: Allowed RODC Password Replication Group Changed"),
- (22000, 18254, 15, 173, NULL, 1, 1, "Wazuh - Windows: Denied RODC Password Replication Group Changed"),
- (22000, 18255, 15, 173, NULL, 1, 1, "Wazuh - Windows: Event Log Readers Group Changed"),
- (22000, 18256, 15, 173, NULL, 1, 1, "Wazuh - Windows: Certificate Service DCOM Access Group Changed"),
- (22000, 18257, 15, 173, NULL, 1, 1, "Wazuh - Windows: TS Gateway login success."),
- (22000, 18270, 15, 173, NULL, 1, 1, "Wazuh - Ignore rule 18257: TS Gateway login success"),
- (22000, 18258, 15, 173, NULL, 1, 1, "Wazuh - Windows: TS Gateway login failure."),
- (22000, 18259, 15, 173, NULL, 1, 1, "Wazuh - Windows: TS Gateway user disconnected."),
- (22000, 18121, 15, 173, NULL, 1, 1, "Wazuh - Windows Logon Success (ignored)."),
- (22000, 18170, 15, 173, NULL, 1, 1, "Wazuh - Windows DC integrity check on decrypted field failed."),
- (22000, 18171, 15, 173, NULL, 1, 1, "Wazuh - Windows DC - Possible replay attack."),
- (22000, 18172, 15, 173, NULL, 1, 1, "Wazuh - Windows DC - Clock skew too great."),
- (22000, 18180, 15, 173, NULL, 1, 1, "Wazuh - MS SQL Server Logon Failure."),
- (22000, 18181, 15, 173, NULL, 1, 1, "Wazuh - MS SQL Server Logon Success."),
- (22000, 18260, 15, 173, NULL, 1, 1, "Wazuh - MS Exchange Logon Success."),
- (22000, 18261, 15, 173, NULL, 1, 1, "Wazuh - MS Exchange User Logoff."),
- (22000, 18151, 15, 173, NULL, 1, 1, "Wazuh - Windows: Multiple failed attempts to perform a privileged operation by the same user."),
- (22000, 18152, 15, 173, NULL, 1, 1, "Wazuh - Multiple Windows Logon Failures."),
- (22000, 18153, 15, 173, NULL, 1, 1, "Wazuh - Multiple Windows audit failure events."),
- (22000, 18154, 15, 173, NULL, 1, 1, "Wazuh - Multiple Windows error events."),
- (22000, 18155, 15, 173, NULL, 1, 1, "Wazuh - Multiple Windows warning events."),
- (22000, 18156, 15, 173, NULL, 1, 1, "Wazuh - Windows: Multiple remote access login failures."),
- (22000, 18157, 15, 173, NULL, 1, 1, "Wazuh - Windows: Multiple TS Gateway login failures."),
- (22000, 18158, 15, 173, NULL, 1, 1, "Wazuh - Chrome Remote Desktop attempt - access denied"),
- (22000, 18159, 15, 173, NULL, 1, 1, "Wazuh - Chrome Remote Desktop attempt - connected"),
- (22000, 18160, 15, 173, NULL, 1, 1, "Wazuh - Chrome Remote Desktop attempt - disconnected"),
- (22000, 7500, 15, 173, NULL, 1, 1, "Wazuh - Grouping of McAfee Windows AV rules."),
- (22000, 7501, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV informational event."),
- (22000, 7502, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV warning event."),
- (22000, 7503, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV error event."),
- (22000, 7504, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus detected and not removed."),
- (22000, 7505, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus detected and properly removed."),
- (22000, 7506, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus detected and file will be deleted."),
- (22000, 7507, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Scan started or stopped."),
- (22000, 7508, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Scan completed with no viruses found."),
- (22000, 7509, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus scan cancelled."),
- (22000, 7510, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus scan cancelled due to shutdown."),
- (22000, 7511, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus program or DAT update succeeded."),
- (22000, 7512, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus program or DAT update failed."),
- (22000, 7513, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus program or DAT update cancelled."),
- (22000, 7514, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - EICAR test file detected."),
- (22000, 7550, 15, 173, NULL, 1, 1, "Wazuh - Multiple McAfee AV warning events."),
- (22000, 7701, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Microsoft Security Essentials rules."),
- (22000, 7710, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Virus detected, but unable to remove."),
- (22000, 7711, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Virus detected and properly removed."),
- (22000, 7712, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Virus detected."),
- (22000, 7713, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Suspicious activity detected."),
- (22000, 7720, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Configuration changed."),
- (22000, 7721, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Service failed."),
- (22000, 7722, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Real time protection failed."),
- (22000, 7723, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Cannot use Dynamic Signature Service."),
- (22000, 7724, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Loading definitions failed. Using last good set."),
- (22000, 7725, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Engine update failed."),
- (22000, 7726, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Definitions update failed."),
- (22000, 7727, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Scan error. Scan has stopped."),
- (22000, 7728, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Scan stopped before completion."),
- (22000, 7731, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - EICAR test file detected."),
- (22000, 7750, 15, 173, NULL, 1, 1, "Wazuh - Multiple Microsoft Security Essentials AV warnings detected."),
- (22000, 7751, 15, 173, NULL, 1, 1, "Wazuh - Multiple Microsoft Security Essentials AV warnings detected."),
- (22000, 19100, 15, 173, NULL, 1, 1, "Wazuh - VMWare messages grouped."),
- (22000, 19101, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX syslog messages grouped."),
- (22000, 19102, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX critical message."),
- (22000, 19103, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX error message."),
- (22000, 19104, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX warning message."),
- (22000, 19105, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX notice message."),
- (22000, 19106, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX informational message."),
- (22000, 19107, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX verbose message."),
- (22000, 19110, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX authentication success."),
- (22000, 19111, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX authentication failure."),
- (22000, 19112, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX user login."),
- (22000, 19113, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX user authentication failure."),
- (22000, 19120, 15, 173, NULL, 1, 1, "Wazuh - Virtual machine state changed to OFF."),
- (22000, 19121, 15, 173, NULL, 1, 1, "Wazuh - Virtual machine being turned ON."),
- (22000, 19122, 15, 173, NULL, 1, 1, "Wazuh - Virtual machine state changed to ON."),
- (22000, 19123, 15, 173, NULL, 1, 1, "Wazuh - Virtual machine being reconfigured."),
- (22000, 19150, 15, 173, NULL, 1, 1, "Wazuh - Multiple VMWare ESX warning messages."),
- (22000, 19151, 15, 173, NULL, 1, 1, "Wazuh - Multiple VMWare ESX error messages."),
- (22000, 19152, 15, 173, NULL, 1, 1, "Wazuh - Multiple VMWare ESX authentication failures."),
- (22000, 19153, 15, 173, NULL, 1, 1, "Wazuh - Multiple VMWare ESX user authentication failures."),
- (22000, 20100, 15, 173, NULL, 1, 1, "Wazuh - First time this IDS alert is generated."),
- (22000, 20101, 15, 173, NULL, 1, 1, "Wazuh - IDS event."),
- (22000, 20102, 15, 173, NULL, 1, 1, "Wazuh - Ignored snort ids."),
- (22000, 20103, 15, 173, NULL, 1, 1, "Wazuh - Ignored snort ids."),
- (22000, 20152, 15, 173, NULL, 1, 1, "Wazuh - Multiple IDS alerts for same id."),
- (22000, 20151, 15, 173, NULL, 1, 1, "Wazuh - Multiple IDS events from same source ip."),
- (22000, 20161, 15, 173, NULL, 1, 1, "Wazuh - Multiple IDS events from same source ip (ignoring now this srcip and id)."),
- (22000, 20162, 15, 173, NULL, 1, 1, "Wazuh - Multiple IDS alerts for same id (ignoring now this id)."),
- (22000, 31100, 15, 173, NULL, 1, 1, "Wazuh - Access log messages grouped."),
- (22000, 31108, 15, 173, NULL, 1, 1, "Wazuh - Ignored URLs (simple queries)."),
- (22000, 31101, 15, 173, NULL, 1, 1, "Wazuh - Web server 400 error code."),
- (22000, 31102, 15, 173, NULL, 1, 1, "Wazuh - Ignored extensions on 400 error codes."),
- (22000, 31103, 15, 173, NULL, 1, 1, "Wazuh - SQL injection attempt."),
- (22000, 31104, 15, 173, NULL, 1, 1, "Wazuh - Common web attack."),
- (22000, 31105, 15, 173, NULL, 1, 1, "Wazuh - XSS (Cross Site Scripting) attempt."),
- (22000, 31106, 15, 173, NULL, 1, 1, "Wazuh - A web attack returned code 200 (success)."),
- (22000, 31110, 15, 173, NULL, 1, 1, "Wazuh - PHP CGI-bin vulnerability attempt."),
- (22000, 31109, 15, 173, NULL, 1, 1, "Wazuh - MSSQL Injection attempt (/ur.php, urchin.js)"),
- (22000, 31107, 15, 173, NULL, 1, 1, "Wazuh - Ignored URLs for the web attacks"),
- (22000, 31115, 15, 173, NULL, 1, 1, "Wazuh - URL too long. Higher than allowed on most browsers. Possible attack."),
- (22000, 31120, 15, 173, NULL, 1, 1, "Wazuh - Web server 500 error code (server error)."),
- (22000, 31121, 15, 173, NULL, 1, 1, "Wazuh - Web server 501 error code (Not Implemented)."),
- (22000, 31122, 15, 173, NULL, 1, 1, "Wazuh - Web server 500 error code (Internal Error)."),
- (22000, 31123, 15, 173, NULL, 1, 1, "Wazuh - Web server 503 error code (Service unavailable)."),
- (22000, 31140, 15, 173, NULL, 1, 1, "Wazuh - Ignoring google/msn/yahoo bots."),
- (22000, 31141, 15, 173, NULL, 1, 1, "Wazuh - Ignored 499's on nginx."),
- (22000, 31151, 15, 173, NULL, 1, 1, "Wazuh - Multiple web server 400 error codes from same source ip."),
- (22000, 31152, 15, 173, NULL, 1, 1, "Wazuh - Multiple SQL injection attempts from same source ip."),
- (22000, 31153, 15, 173, NULL, 1, 1, "Wazuh - Multiple common web attacks from same source ip."),
- (22000, 31154, 15, 173, NULL, 1, 1, "Wazuh - Multiple XSS (Cross Site Scripting) attempts from same source ip."),
- (22000, 31161, 15, 173, NULL, 1, 1, "Wazuh - Multiple web server 501 error code (Not Implemented)."),
- (22000, 31162, 15, 173, NULL, 1, 1, "Wazuh - Multiple web server 500 error code (Internal Error)."),
- (22000, 31163, 15, 173, NULL, 1, 1, "Wazuh - Multiple web server 503 error code (Service unavailable)."),
- (22000, 31164, 15, 173, NULL, 1, 1, "Wazuh - SQL injection attempt."),
- (22000, 31165, 15, 173, NULL, 1, 1, "Wazuh - SQL injection attempt."),
- (22000, 31166, 15, 173, NULL, 1, 1, "Wazuh - Shellshock attack detected"),
- (22000, 30100, 15, 173, NULL, 1, 1, "Wazuh - Apache messages grouped."),
- (22000, 30101, 15, 173, NULL, 1, 1, "Wazuh - Apache error messages grouped."),
- (22000, 30102, 15, 173, NULL, 1, 1, "Wazuh - Apache warn messages grouped."),
- (22000, 30103, 15, 173, NULL, 1, 1, "Wazuh - Apache notice messages grouped."),
- (22000, 30104, 15, 173, NULL, 1, 1, "Wazuh - Apache: segmentation fault."),
- (22000, 30105, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access forbidden file or directory."),
- (22000, 30106, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access forbidden directory index."),
- (22000, 30107, 15, 173, NULL, 1, 1, "Wazuh - Apache: Code Red attack."),
- (22000, 30108, 15, 173, NULL, 1, 1, "Wazuh - Apache: User authentication failed."),
- (22000, 30109, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to login using a non-existent user."),
- (22000, 30110, 15, 173, NULL, 1, 1, "Wazuh - Apache: User authentication failed."),
- (22000, 30112, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access an non-existent file (those are reported on the access.log)."),
- (22000, 30115, 15, 173, NULL, 1, 1, "Wazuh - Apache: Invalid URI (bad client request)."),
- (22000, 30116, 15, 173, NULL, 1, 1, "Wazuh - Apache: Multiple Invalid URI requests from same source."),
- (22000, 30117, 15, 173, NULL, 1, 1, "Wazuh - Apache: Invalid URI, file name too long."),
- (22000, 30118, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity: Access attempt blocked."),
- (22000, 30119, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity: Multiple attempts blocked."),
- (22000, 30120, 15, 173, NULL, 1, 1, "Wazuh - Apache: without resources to run."),
- (22000, 30200, 15, 173, NULL, 1, 1, "Wazuh - Modsecurity alert."),
- (22000, 30201, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity: access denied."),
- (22000, 30202, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity: Multiple attempts blocked."),
- (22000, 30301, 15, 173, NULL, 1, 1, "Wazuh - Apache error messages grouped."),
- (22000, 30302, 15, 173, NULL, 1, 1, "Wazuh - Apache warn messages grouped."),
- (22000, 30303, 15, 173, NULL, 1, 1, "Wazuh - Apache notice messages grouped."),
- (22000, 30304, 15, 173, NULL, 1, 1, "Wazuh - Apache: segmentation fault."),
- (22000, 30305, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access forbidden file or directory."),
- (22000, 30306, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access forbidden directory index."),
- (22000, 30307, 15, 173, NULL, 1, 1, "Wazuh - Apache: Client sent malformed Host header. Possible Code Red attack."),
- (22000, 30308, 15, 173, NULL, 1, 1, "Wazuh - Apache: User authentication failed."),
- (22000, 30309, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to login using a non-existent user."),
- (22000, 30310, 15, 173, NULL, 1, 1, "Wazuh - Apache: Multiple authentication failures with invalid user."),
- (22000, 30312, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access an non-existent file (those are reported on the access.log)."),
- (22000, 30315, 15, 173, NULL, 1, 1, "Wazuh - Apache: Invalid URI (bad client request)."),
- (22000, 30316, 15, 173, NULL, 1, 1, "Wazuh - Apache: Multiple Invalid URI requests from same source."),
- (22000, 30317, 15, 173, NULL, 1, 1, "Wazuh - Apache: Invalid URI, file name too long."),
- (22000, 30318, 15, 173, NULL, 1, 1, "Wazuh - Apache: PHP Notice in Apache log"),
- (22000, 30401, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Warning messages grouped"),
- (22000, 30402, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Access denied messages grouped"),
- (22000, 30403, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Audit log messages grouped"),
- (22000, 30411, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity rejected a query"),
- (22000, 30412, 15, 173, NULL, 1, 1, "Wazuh - Apache: Shellshock attack attempt"),
- (22000, 31200, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Zeus rules."),
- (22000, 31201, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Zeus informational logs."),
- (22000, 31202, 15, 173, NULL, 1, 1, "Wazuh - Zeus warning log."),
- (22000, 31203, 15, 173, NULL, 1, 1, "Wazuh - Zeus serious log."),
- (22000, 31204, 15, 173, NULL, 1, 1, "Wazuh - Zeus fatal log."),
- (22000, 31205, 15, 173, NULL, 1, 1, "Wazuh - Zeus: Admin authentication failed."),
- (22000, 31206, 15, 173, NULL, 1, 1, "Wazuh - Zeus: Configuration warning (ignored)."),
- (22000, 31251, 15, 173, NULL, 1, 1, "Wazuh - Multiple Zeus warnings."),
- (22000, 31300, 15, 173, NULL, 1, 1, "Wazuh - Nginx messages grouped."),
- (22000, 31301, 15, 173, NULL, 1, 1, "Wazuh - Nginx error message."),
- (22000, 31302, 15, 173, NULL, 1, 1, "Wazuh - Nginx warning message."),
- (22000, 31303, 15, 173, NULL, 1, 1, "Wazuh - Nginx critical message."),
- (22000, 31310, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Server returned 404 (reported in the access.log)."),
- (22000, 31311, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Incomplete client request."),
- (22000, 31312, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Initial 401 authentication request."),
- (22000, 31315, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Web authentication failed."),
- (22000, 31316, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Multiple web authentication failures."),
- (22000, 31317, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Common cache error when files were removed."),
- (22000, 31320, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Invalid URI, file name too long."),
- (22000, 31330, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Warning messages grouped"),
- (22000, 31331, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Access denied messages grouped"),
- (22000, 31332, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Audit log messages grouped"),
- (22000, 31333, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity rejected a query"),
- (22000, 31401, 15, 173, NULL, 1, 1, "Wazuh - PHP Warning message."),
- (22000, 31402, 15, 173, NULL, 1, 1, "Wazuh - PHP Fatal error."),
- (22000, 31403, 15, 173, NULL, 1, 1, "Wazuh - PHP Parse error."),
- (22000, 31404, 15, 173, NULL, 1, 1, "Wazuh - PHP Warning message."),
- (22000, 31405, 15, 173, NULL, 1, 1, "Wazuh - PHP Fatal error."),
- (22000, 31406, 15, 173, NULL, 1, 1, "Wazuh - PHP Parse error."),
- (22000, 31410, 15, 173, NULL, 1, 1, "Wazuh - PHP Warning message."),
- (22000, 31411, 15, 173, NULL, 1, 1, "Wazuh - PHP web attack."),
- (22000, 31412, 15, 173, NULL, 1, 1, "Wazuh - PHP internal error (missing file)."),
- (22000, 31413, 15, 173, NULL, 1, 1, "Wazuh - PHP internal error (server out of space)."),
- (22000, 31420, 15, 173, NULL, 1, 1, "Wazuh - PHP Fatal error."),
- (22000, 31421, 15, 173, NULL, 1, 1, "Wazuh - PHP internal error (missing file or function)."),
- (22000, 31430, 15, 173, NULL, 1, 1, "Wazuh - PHP Parse error."),
- (22000, 31501, 15, 173, NULL, 1, 1, "Wazuh - WordPress Comment Spam (coming from a fake search engine UA)."),
- (22000, 31502, 15, 173, NULL, 1, 1, "Wazuh - TimThumb vulnerability exploit attempt."),
- (22000, 31503, 15, 173, NULL, 1, 1, "Wazuh - osCommerce login.php bypass attempt."),
- (22000, 31504, 15, 173, NULL, 1, 1, "Wazuh - osCommerce file manager login.php bypass attempt."),
- (22000, 31505, 15, 173, NULL, 1, 1, "Wazuh - TimThumb backdoor access attempt."),
- (22000, 31506, 15, 173, NULL, 1, 1, "Wazuh - Cart.php directory transversal attempt."),
- (22000, 31507, 15, 173, NULL, 1, 1, "Wazuh - MSSQL Injection attempt (ur.php, urchin.js)."),
- (22000, 31508, 15, 173, NULL, 1, 1, "Wazuh - Blacklisted user agent (known malicious user agent)."),
- (22000, 31509, 15, 173, NULL, 1, 1, "Wazuh - CMS (WordPress or Joomla) login attempt."),
- (22000, 31510, 15, 173, NULL, 1, 1, "Wazuh - CMS (WordPress or Joomla) brute force attempt."),
- (22000, 31511, 15, 173, NULL, 1, 1, "Wazuh - Blacklisted user agent (wget)."),
- (22000, 31512, 15, 173, NULL, 1, 1, "Wazuh - Uploadify vulnerability exploit attempt."),
- (22000, 31513, 15, 173, NULL, 1, 1, "Wazuh - BBS delete.php exploit attempt."),
- (22000, 31514, 15, 173, NULL, 1, 1, "Wazuh - Simple shell.php command execution."),
- (22000, 31515, 15, 173, NULL, 1, 1, "Wazuh - PHPMyAdmin scans (looking for setup.php)."),
- (22000, 31516, 15, 173, NULL, 1, 1, "Wazuh - Suspicious URL access."),
- (22000, 31530, 15, 173, NULL, 1, 1, "Wazuh - POST request received."),
- (22000, 31531, 15, 173, NULL, 1, 1, "Wazuh - Ignoring often post requests inside /wp-admin and /admin."),
- (22000, 31533, 15, 173, NULL, 1, 1, "Wazuh - High amount of POST requests in a small period of time (likely bot)."),
- (22000, 31550, 15, 173, NULL, 1, 1, "Wazuh - Anomaly URL query (attempting to pass null termination)."),
- (22000, 35000, 15, 173, NULL, 1, 1, "Wazuh - Squid messages grouped."),
- (22000, 35002, 15, 173, NULL, 1, 1, "Wazuh - Squid generic error codes."),
- (22000, 35003, 15, 173, NULL, 1, 1, "Wazuh - Squid: Bad request/Invalid syntax."),
- (22000, 35004, 15, 173, NULL, 1, 1, "Wazuh - Squid: Unauthorized: Failed attempt to access authorization-required file or directory."),
- (22000, 35005, 15, 173, NULL, 1, 1, "Wazuh - Squid: Forbidden: Attempt to access forbidden file or directory."),
- (22000, 35006, 15, 173, NULL, 1, 1, "Wazuh - Squid: Not Found: Attempt to access non-existent file or directory."),
- (22000, 35007, 15, 173, NULL, 1, 1, "Wazuh - Squid: Proxy Authentication Required: User is not authorized to use proxy."),
- (22000, 35008, 15, 173, NULL, 1, 1, "Wazuh - Squid: 400 error code (request failed)."),
- (22000, 35009, 15, 173, NULL, 1, 1, "Wazuh - Squid: 500/600 error code (server error)."),
- (22000, 35010, 15, 173, NULL, 1, 1, "Wazuh - Squid: 503 error code (server unavailable)."),
- (22000, 35021, 15, 173, NULL, 1, 1, "Wazuh - Squid: Attempt to access a Beagle worm (or variant) file."),
- (22000, 35022, 15, 173, NULL, 1, 1, "Wazuh - Squid: Attempt to access a worm/trojan related site."),
- (22000, 35023, 15, 173, NULL, 1, 1, "Wazuh - Squid: Ignored files on a 40x error."),
- (22000, 35051, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple attempts to access forbidden file or directory from same source ip."),
- (22000, 35052, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple unauthorized attempts to use proxy."),
- (22000, 35053, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple Bad requests/Invalid syntax."),
- (22000, 35054, 15, 173, NULL, 1, 1, "Wazuh - Squid: Infected machine with W32.Beagle.DP."),
- (22000, 35055, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple attempts to access a non-existent file."),
- (22000, 35056, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple attempts to access a worm/trojan/virus related web site. System probably infected."),
- (22000, 35057, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple 400 error codes (requests failed)."),
- (22000, 35058, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple 500/600 error codes (server error)."),
- (22000, 35095, 15, 173, NULL, 1, 1, "Wazuh - Squid: Ignoring multiple attempts from same source ip (alert only once)."),
- (22000, 40101, 15, 173, NULL, 1, 1, "Wazuh - System user successfully logged to the system."),
- (22000, 40102, 15, 173, NULL, 1, 1, "Wazuh - Buffer overflow attack on rpc.statd"),
- (22000, 40103, 15, 173, NULL, 1, 1, "Wazuh - Buffer overflow on WU-FTPD versions prior to 2.6"),
- (22000, 40104, 15, 173, NULL, 1, 1, "Wazuh - Possible buffer overflow attempt."),
- (22000, 40105, 15, 173, NULL, 1, 1, "Wazuh - Null user changed some information."),
- (22000, 40106, 15, 173, NULL, 1, 1, "Wazuh - Buffer overflow attempt (probably on yppasswd)."),
- (22000, 40107, 15, 173, NULL, 1, 1, "Wazuh - Heap overflow in the Solaris cachefsd service."),
- (22000, 40109, 15, 173, NULL, 1, 1, "Wazuh - Stack overflow attempt or program exiting with SEGV (Solaris)."),
- (22000, 40111, 15, 173, NULL, 1, 1, "Wazuh - Multiple authentication failures."),
- (22000, 40112, 15, 173, NULL, 1, 1, "Wazuh - Multiple authentication failures followed by a success."),
- (22000, 40113, 15, 173, NULL, 1, 1, "Wazuh - Multiple viruses detected - Possible outbreak."),
- (22000, 40501, 15, 173, NULL, 1, 1, "Wazuh - Attacks followed by the addition of an user."),
- (22000, 40601, 15, 173, NULL, 1, 1, "Wazuh - Network scan from same source ip."),
- (22000, 40700, 15, 173, NULL, 1, 1, "Wazuh - Systemd rules"),
- (22000, 40701, 15, 173, NULL, 1, 1, "Wazuh - Systemd: Stale file handle."),
- (22000, 40702, 15, 173, NULL, 1, 1, "Wazuh - Systemd: Failed to get unit state for service. This means that the .service file is missing"),
- (22000, 40703, 15, 173, NULL, 1, 1, "Wazuh - Systemd: Service has entered a failed state, and likely has not started."),
- (22000, 40900, 15, 173, NULL, 1, 1, "Wazuh - firewalld grouping"),
- (22000, 40901, 15, 173, NULL, 1, 1, "Wazuh - firewalld error"),
- (22000, 40902, 15, 173, NULL, 1, 1, "Wazuh - firewalld: Incorrect chain/target/match."),
- (22000, 40903, 15, 173, NULL, 1, 1, "Wazuh - firewalld: zone already set."),
- (22000, 50100, 15, 173, NULL, 1, 1, "Wazuh - MySQL messages grouped."),
- (22000, 50105, 15, 173, NULL, 1, 1, "Wazuh - MySQL: authentication success."),
- (22000, 50106, 15, 173, NULL, 1, 1, "Wazuh - MySQL: authentication failure."),
- (22000, 50107, 15, 173, NULL, 1, 1, "Wazuh - MySQL: query."),
- (22000, 50108, 15, 173, NULL, 1, 1, "Wazuh - MySQL: User disconnected from database."),
- (22000, 50120, 15, 173, NULL, 1, 1, "Wazuh - MySQL: shutdown messge."),
- (22000, 50121, 15, 173, NULL, 1, 1, "Wazuh - MySQL: startup message."),
- (22000, 50125, 15, 173, NULL, 1, 1, "Wazuh - MySQL: error."),
- (22000, 50126, 15, 173, NULL, 1, 1, "Wazuh - MySQL: fatal error."),
- (22000, 50180, 15, 173, NULL, 1, 1, "Wazuh - MySQL: Multiple errors."),
- (22000, 50500, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL messages grouped."),
- (22000, 50501, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL log message."),
- (22000, 50502, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL informational message."),
- (22000, 50503, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL error message."),
- (22000, 50504, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL error message."),
- (22000, 50505, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL debug message."),
- (22000, 50510, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database query."),
- (22000, 50511, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database authentication success."),
- (22000, 50512, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database authentication failure."),
- (22000, 50520, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database shutdown messge."),
- (22000, 50521, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database shutdown messge."),
- (22000, 50580, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Multiple database errors."),
- (22000, 50581, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Multiple database errors."),
- (22000, 51000, 15, 173, NULL, 1, 1, "Wazuh - Grouping for dropbear rules."),
- (22000, 51001, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Failed to get key exchange value"),
- (22000, 51002, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Premature kexdh_init message"),
- (22000, 51003, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Bad password attempt."),
- (22000, 51093, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Bad password attempt for non existent user."),
- (22000, 51004, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: dropbear brute force attempt."),
- (22000, 51005, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: User disconnected."),
- (22000, 51006, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Client exited before authentication."),
- (22000, 51007, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: brute force attempt."),
- (22000, 51008, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Incompatible remote version."),
- (22000, 51009, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: User successfully logged in using a password."),
- (22000, 51010, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: User successfully logged in using a public key."),
- (22000, 51500, 15, 173, NULL, 1, 1, "Wazuh - Grouping of bsd_kernel alerts"),
- (22000, 51501, 15, 173, NULL, 1, 1, "Wazuh - A timeout occurred waiting for a transfer."),
- (22000, 51502, 15, 173, NULL, 1, 1, "Wazuh - Check media in optical drive."),
- (22000, 51503, 15, 173, NULL, 1, 1, "Wazuh - A disk has timed out."),
- (22000, 51504, 15, 173, NULL, 1, 1, "Wazuh - arp info has been overwritten for a host"),
- (22000, 51505, 15, 173, NULL, 1, 1, "Wazuh - A filesystem was not properly unmounted, likely system crash"),
- (22000, 51506, 15, 173, NULL, 1, 1, "Wazuh - UKC was used, possibly modifying a kernel at boot time."),
- (22000, 51507, 15, 173, NULL, 1, 1, "Wazuh - Michael MIC failure: Checksum failure in the tkip protocol."),
- (22000, 51508, 15, 173, NULL, 1, 1, "Wazuh - A soft error has been corrected on a hard drive, this is a possible early sign of failure."),
- (22000, 51509, 15, 173, NULL, 1, 1, "Wazuh - Unknown acpithinkpad event"),
- (22000, 51510, 15, 173, NULL, 1, 1, "Wazuh - System shutdown due to temperature"),
- (22000, 51511, 15, 173, NULL, 1, 1, "Wazuh - Unknown ACPI event (bug 6299 in OpenBSD bug tracking system)."),
- (22000, 51512, 15, 173, NULL, 1, 1, "Wazuh - USB diagnostic message."),
- (22000, 51513, 15, 173, NULL, 1, 1, "Wazuh - Possible APM or ACPI event."),
- (22000, 51514, 15, 173, NULL, 1, 1, "Wazuh - Unclean filesystem, run fsck."),
- (22000, 51515, 15, 173, NULL, 1, 1, "Wazuh - Timeout in atascsi_passthru_done."),
- (22000, 51516, 15, 173, NULL, 1, 1, "Wazuh - Clock battery error 80"),
- (22000, 51518, 15, 173, NULL, 1, 1, "Wazuh - I/O error on a storage device"),
- (22000, 51519, 15, 173, NULL, 1, 1, "Wazuh - kbc error."),
- (22000, 51520, 15, 173, NULL, 1, 1, "Wazuh - USB reset failed, IOERROR."),
- (22000, 51521, 15, 173, NULL, 1, 1, "Wazuh - Grouping for groupdel rules."),
- (22000, 51522, 15, 173, NULL, 1, 1, "Wazuh - Group deleted."),
- (22000, 51523, 15, 173, NULL, 1, 1, "Wazuh - No core dumps."),
- (22000, 51524, 15, 173, NULL, 1, 1, "Wazuh - System was rebooted."),
- (22000, 51525, 15, 173, NULL, 1, 1, "Wazuh - ftp-proxy cannot connect to a server."),
- (22000, 51526, 15, 173, NULL, 1, 1, "Wazuh - Hard drive is dying."),
- (22000, 51527, 15, 173, NULL, 1, 1, "Wazuh - CARP master to backup."),
- (22000, 51528, 15, 173, NULL, 1, 1, "Wazuh - Duplicate IPv6 address."),
- (22000, 51529, 15, 173, NULL, 1, 1, "Wazuh - Could not load a firmware."),
- (22000, 51530, 15, 173, NULL, 1, 1, "Wazuh - hotplugd could not open a file."),
- (22000, 51531, 15, 173, NULL, 1, 1, "Wazuh - User account deleted."),
- (22000, 51532, 15, 173, NULL, 1, 1, "Wazuh - Bad ntp peer."),
- (22000, 51533, 15, 173, NULL, 1, 1, "Wazuh - dhclient receive_packet failed."),
- (22000, 51534, 15, 173, NULL, 1, 1, "Wazuh - dhclient receive_packet failed due to I/O error."),
- (22000, 51535, 15, 173, NULL, 1, 1, "Wazuh - SIOCDIFADDR failed"),
- (22000, 51536, 15, 173, NULL, 1, 1, "Wazuh - dhclient: device not configured."),
- (22000, 52000, 15, 173, NULL, 1, 1, "Wazuh - Apparmor messages grouped."),
- (22000, 52001, 15, 173, NULL, 1, 1, "Wazuh - Apparmor Ignore ALLOWED or STATUS"),
- (22000, 52002, 15, 173, NULL, 1, 1, "Wazuh - Apparmor DENIED"),
- (22000, 52003, 15, 173, NULL, 1, 1, "Wazuh - Apparmor DENIED exec operation."),
- (22000, 52004, 15, 173, NULL, 1, 1, "Wazuh - Apparmor DENIED mknod operation."),
- (22000, 52500, 15, 173, NULL, 1, 1, "Wazuh - Clamd messages grouped."),
- (22000, 52501, 15, 173, NULL, 1, 1, "Wazuh - ClamAV: database update"),
- (22000, 52502, 15, 173, NULL, 1, 1, "Wazuh - ClamAV: Virus detected"),
- (22000, 52503, 15, 173, NULL, 1, 1, "Wazuh - Clamd error"),
- (22000, 52504, 15, 173, NULL, 1, 1, "Wazuh - Clamd warning"),
- (22000, 52505, 15, 173, NULL, 1, 1, "Wazuh - Clamd restarted"),
- (22000, 52506, 15, 173, NULL, 1, 1, "Wazuh - Clamd database updated"),
- (22000, 52507, 15, 173, NULL, 1, 1, "Wazuh - ClamAV database update"),
- (22000, 52508, 15, 173, NULL, 1, 1, "Wazuh - ClamAV database updated"),
- (22000, 52509, 15, 173, NULL, 1, 1, "Wazuh - ClamAV: Could not download the incremental virus definition updates."),
- (22000, 52510, 15, 173, NULL, 1, 1, "Wazuh - Clamd stopped"),
- (22000, 52511, 15, 173, NULL, 1, 1, "Wazuh - ClamAV: Virus detected multiple times"),
- (22000, 53500, 15, 173, NULL, 1, 1, "Wazuh - OpenSMTPd grouping."),
- (22000, 53501, 15, 173, NULL, 1, 1, "Wazuh - Message failed."),
- (22000, 53502, 15, 173, NULL, 1, 1, "Wazuh - New session created."),
- (22000, 53503, 15, 173, NULL, 1, 1, "Wazuh - Session closed."),
- (22000, 53504, 15, 173, NULL, 1, 1, "Wazuh - Message accepted."),
- (22000, 53505, 15, 173, NULL, 1, 1, "Wazuh - Email delivered."),
- (22000, 53506, 15, 173, NULL, 1, 1, "Wazuh - SMTP command not supported."),
- (22000, 53507, 15, 173, NULL, 1, 1, "Wazuh - OpenSMTPd: no SSL"),
- (22000, 53508, 15, 173, NULL, 1, 1, "Wazuh - Server TLS certificate verification failed."),
- (22000, 184665, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 1"),
- (22000, 185000, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 2"),
- (22000, 185001, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 3"),
- (22000, 185002, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 4"),
- (22000, 185003, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 5"),
- (22000, 185004, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 6"),
- (22000, 185005, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 7"),
- (22000, 185006, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 8"),
- (22000, 185007, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 9"),
- (22000, 185008, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 10"),
- (22000, 185009, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 11"),
- (22000, 185010, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 12"),
- (22000, 185011, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 13"),
- (22000, 185012, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 14"),
- (22000, 185013, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 15"),
- (22000, 184666, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - svchost.exe"),
- (22000, 184667, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - svchost.exe"),
- (22000, 184676, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - lsm.exe"),
- (22000, 184677, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - lsm.exe"),
- (22000, 184678, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - lsm.exe is a Parent Image"),
- (22000, 184686, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - csrss.exe"),
- (22000, 184687, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - csrss.exe"),
- (22000, 184696, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - lsass"),
- (22000, 184697, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - lsass.exe"),
- (22000, 184698, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - lsass.exe is a Parent Image"),
- (22000, 184706, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - winlogon.exe"),
- (22000, 184707, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - winlogon.exe"),
- (22000, 184716, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - wininit"),
- (22000, 184717, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - wininit.exe"),
- (22000, 184726, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - smss.exe"),
- (22000, 184727, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - smss.exe"),
- (22000, 184736, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - taskhost.exe"),
- (22000, 184737, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - taskhost.exe"),
- (22000, 184746, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - services.exe"),
- (22000, 184747, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - services.exe"),
- (22000, 184766, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - dllhost.exe"),
- (22000, 184767, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - dllhost.exe"),
- (22000, 184776, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - explorer.exe"),
- (22000, 184777, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - explorer.exe"),
- (22000, 500000, 15, 173, NULL, 1, 1, "Wazuh - Unbound grouping."),
- (22000, 500001, 15, 173, NULL, 1, 1, "Wazuh - Unbound: Notice grouping."),
- (22000, 500002, 15, 173, NULL, 1, 1, "Wazuh - Unbound: Info grouping."),
- (22000, 500100, 15, 173, NULL, 1, 1, "Wazuh - Unbound: Can't assign requested address."),
- (22000, 500101, 15, 173, NULL, 1, 1, "Wazuh - Unbound: DNS A request."),
- (22000, 500102, 15, 173, NULL, 1, 1, "Wazuh - Unbound: DNS AAAA request."),
- (22000, 80000, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master messages grouped."),
- (22000, 80001, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent messages grouped."),
- (22000, 80002, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master started"),
- (22000, 80003, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master stopped"),
- (22000, 80004, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Permission denied"),
- (22000, 80005, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Certificate issue"),
- (22000, 80006, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: not run - address in use"),
- (22000, 80007, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Manifest Error"),
- (22000, 80008, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Error"),
- (22000, 80009, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Info"),
- (22000, 80010, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Deprecated"),
- (22000, 80050, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent started"),
- (22000, 80051, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent stopped"),
- (22000, 80052, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Certificate - Could not request certificate"),
- (22000, 80053, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Certificate issue"),
- (22000, 80054, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error - no file found or does not exist"),
- (22000, 80055, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error - feature is missing"),
- (22000, 80056, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error - failed library"),
- (22000, 80057, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error - failed to apply catalog"),
- (22000, 80058, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: connection refused"),
- (22000, 80059, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error"),
- (22000, 80070, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Info - create or defined content"),
- (22000, 80071, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Info"),
- (22000, 80072, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Info - applying configuration"),
- (22000, 80073, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Info - executing "),
- (22000, 80090, 15, 173, NULL, 1, 1, "Wazuh - Command check if puppet runs every 30 min or less"),
- (22000, 80091, 15, 173, NULL, 1, 1, "Wazuh - Puppet ran in the last 30 minutes"),
- (22000, 80092, 15, 173, NULL, 1, 1, "Wazuh - Puppet did not run in the last 30 minutes"),
- (22000, 80100, 15, 173, NULL, 1, 1, "Wazuh - Netscaler messages grouped."),
- (22000, 80101, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: AAA module failed to login the user"),
- (22000, 80102, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple AAA failed to login the user"),
- (22000, 80103, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API command executed"),
- (22000, 80104, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API command executed failed"),
- (22000, 80105, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple commands failed"),
- (22000, 80106, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API dangerous command"),
- (22000, 80107, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SSLVPN login succeeds"),
- (22000, 80108, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SSLVPN session logs out"),
- (22000, 80109, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: ICA application launch has started"),
- (22000, 80110, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: ICA application has terminated"),
- (22000, 80111, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: A non-http resource access is denied by policy engine."),
- (22000, 80112, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple non-http resource access denied"),
- (22000, 80113, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: A http resource access is denied by policy engine"),
- (22000, 80114, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple http resource access denied"),
- (22000, 80115, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SSLVPN session: client security check error"),
- (22000, 80116, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SSLVPN session: client security expression evaluates to False"),
- (22000, 80117, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SNMP module starts"),
- (22000, 80118, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SNMP module stops"),
- (22000, 80119, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Started"),
- (22000, 80120, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Stopped"),
- (22000, 80121, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Network interface started"),
- (22000, 80122, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Network interface stopped"),
- (22000, 80123, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Network interface in hung state"),
- (22000, 80124, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Network interface reset"),
- (22000, 80125, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Memory internal error"),
- (22000, 80126, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: HA propagation failed"),
- (22000, 80127, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Firewall violation"),
- (22000, 80128, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Firewall: Appsecure uthread at 0x%x had a stack error"),
- (22000, 80129, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Firewall: DOS\\DDOS error"),
- (22000, 80130, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SNMP Trap Sent"),
- (22000, 80131, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SNMP Trap Dropped"),
- (22000, 80132, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: ACL Packet Log"),
- (22000, 80133, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: URL Transformation error"),
- (22000, 80134, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Login to AAA TM vserver succeeds"),
- (22000, 80135, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: AAA TM session logged out"),
- (22000, 80136, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: A AAATM http resource access is denied by policy engine"),
- (22000, 80137, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple AAATM http resource access denied"),
- (22000, 80138, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API login succeeds"),
- (22000, 80139, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API login failed"),
- (22000, 80140, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple UI/API login failed"),
- (22000, 80200, 15, 173, NULL, 1, 1, "Wazuh - Amazon alerts."),
- (22000, 80201, 15, 173, NULL, 1, 1, "Wazuh - Amazon EC2 alerts."),
- (22000, 80202, 15, 173, NULL, 1, 1, "Wazuh - Amazon IAM alerts."),
- (22000, 80203, 15, 173, NULL, 1, 1, "Wazuh - Amazon s3 alerts."),
- (22000, 80301, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Run instance"),
- (22000, 80302, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Run instance InstanceLimit Exceeded"),
- (22000, 80303, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Run instance unauthorized"),
- (22000, 80304, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Run Instances error"),
- (22000, 80305, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Instance started"),
- (22000, 80306, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Start instance unauthorized"),
- (22000, 80307, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Start Instances error"),
- (22000, 80308, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Instance stopped"),
- (22000, 80309, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Stop instance unauthorized"),
- (22000, 80310, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Stop instance Invalid Instance ID Not Found"),
- (22000, 80311, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Stop Instances error"),
- (22000, 80312, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Instance terminated"),
- (22000, 80313, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Terminate instance unauthorized"),
- (22000, 80314, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Terminate Instances error"),
- (22000, 80315, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Instance attribute"),
- (22000, 80316, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Instance attribute unauthorized"),
- (22000, 80317, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Instance Invalid Parameter Value"),
- (22000, 80318, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Instance Attribute error"),
- (22000, 80319, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Network Interface Attached"),
- (22000, 80320, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Network Interface Attached Unauthorized"),
- (22000, 80321, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Network Interface error"),
- (22000, 80322, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Network Interface Detached"),
- (22000, 80323, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Network Interface Detached Unauthorized"),
- (22000, 80324, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Network Interface error"),
- (22000, 80325, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address"),
- (22000, 80326, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Unauthorized"),
- (22000, 80327, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Unauthorized"),
- (22000, 80328, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address error"),
- (22000, 80329, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Monitor Instances"),
- (22000, 80330, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Monitor Instances"),
- (22000, 80331, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: MonitorInstances error"),
- (22000, 80332, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Unmonitor Instances"),
- (22000, 80333, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Unmonitor Instances Unauthorized"),
- (22000, 80334, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: UnmonitorInstances error"),
- (22000, 80335, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Network Interface Attribute"),
- (22000, 80336, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Network Interface Attribute Unauthorized"),
- (22000, 80337, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Network Interface Attribute error"),
- (22000, 80338, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Image"),
- (22000, 80339, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Image Unauthorized"),
- (22000, 80340, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Reboot Instances"),
- (22000, 80341, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Reboot Instances Unauthorized"),
- (22000, 80342, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Reboot Instances error"),
- (22000, 80350, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create AMI"),
- (22000, 80351, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create AMI Unauthorized"),
- (22000, 80352, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create AMI error"),
- (22000, 80353, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Deregister AMI"),
- (22000, 80354, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Deregister AMI Unauthorized"),
- (22000, 80355, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Deregister Image error"),
- (22000, 80356, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Image Attribute"),
- (22000, 80357, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Image Attribute Unauthorized"),
- (22000, 80358, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Image Attribute error"),
- (22000, 80359, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Register Image"),
- (22000, 80360, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Register Image Invalid Manifest"),
- (22000, 80361, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Register Image Unauthorized"),
- (22000, 80362, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Register Image error"),
- (22000, 80370, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Volume"),
- (22000, 80371, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Volume Unauthorized"),
- (22000, 80372, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Volume error"),
- (22000, 80373, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Volume"),
- (22000, 80374, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Volume Unauthorized"),
- (22000, 80375, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Volume error"),
- (22000, 80376, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Detach Volume"),
- (22000, 80377, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Detach Volume Unauthorized"),
- (22000, 80378, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Volume error"),
- (22000, 80379, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Snapshot"),
- (22000, 80380, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Snapshot Unauthorized"),
- (22000, 80381, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Snapshot error"),
- (22000, 80382, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Volume Attribute"),
- (22000, 80383, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Volume Attribute Unauthorized"),
- (22000, 80384, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Volume Attribute error"),
- (22000, 80385, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Create Tags"),
- (22000, 80386, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Create Tags Unauthorized"),
- (22000, 80387, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Create Tags error"),
- (22000, 80388, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Delete Tags"),
- (22000, 80389, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Delete Tags Unauthorized"),
- (22000, 80390, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Delete Tags error"),
- (22000, 80391, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Volume"),
- (22000, 80392, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Volume Unauthorized"),
- (22000, 80393, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Volume error"),
- (22000, 80394, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Snapshot Attribute"),
- (22000, 80395, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Snapshot Attribute Unauthorized"),
- (22000, 80396, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Snapshot Attribute error"),
- (22000, 80397, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Copy Snapshot"),
- (22000, 80398, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Copy Snapshot Unauthorized"),
- (22000, 80399, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Copy Snapshot error"),
- (22000, 80400, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Snapshot"),
- (22000, 80401, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Snapshot Unauthorized"),
- (22000, 80402, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Snapshot Invalid in use"),
- (22000, 80403, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Snapshot error"),
- (22000, 80404, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Security Group"),
- (22000, 80405, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Security Group Snapshot Unauthorized"),
- (22000, 80406, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Security Group Invalid Parameter Value"),
- (22000, 80407, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Security Group error"),
- (22000, 80408, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Security Group"),
- (22000, 80409, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Security Group Snapshot Unauthorized"),
- (22000, 80410, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Security Group error"),
- (22000, 80411, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Allocate Address"),
- (22000, 80412, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Allocate Address Unauthorized"),
- (22000, 80413, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Allocate Address Limit Exceeded"),
- (22000, 80414, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Allocate Address error"),
- (22000, 80415, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address"),
- (22000, 80416, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Missing Parameter"),
- (22000, 80417, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Invalid Association ID Not Found"),
- (22000, 80418, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Invalid Parameter Value"),
- (22000, 80419, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address error"),
- (22000, 80420, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Placement Group"),
- (22000, 80421, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Placement Group Unauthorized Operation"),
- (22000, 80422, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Placement Group error"),
- (22000, 80423, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Placement Group"),
- (22000, 80424, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Placement Group Unauthorized Operation"),
- (22000, 80425, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Placement Group error"),
- (22000, 80426, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security GroupIngress"),
- (22000, 80427, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Ingress Unauthorized Operation"),
- (22000, 80428, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Ingress Invalid Parameter Value"),
- (22000, 80429, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Ingress Missing Parameter"),
- (22000, 80430, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Invalid GroupId Malformed"),
- (22000, 80431, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Invalid Group Not found"),
- (22000, 80432, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group error"),
- (22000, 80433, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security GroupIngress"),
- (22000, 80434, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Unauthorized Operation"),
- (22000, 80435, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Invalid Parameter Value"),
- (22000, 80436, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Missing Parameter"),
- (22000, 80437, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Invalid Group ID Malformed"),
- (22000, 80438, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Invalid Group Not Found"),
- (22000, 80439, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group error"),
- (22000, 80440, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Load Balancer"),
- (22000, 80441, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Load Balancer Access Denied"),
- (22000, 80442, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Load Balancer error"),
- (22000, 80443, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Load Balancer"),
- (22000, 80444, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Load Balancer Access Denied"),
- (22000, 80445, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Load Balancer error"),
- (22000, 80446, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Associate Elastic IP's Address"),
- (22000, 80447, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Associate Elastic IP's Address Access Denied"),
- (22000, 80448, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Associate Elastic IP's Address error"),
- (22000, 81000, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Vpc Created"),
- (22000, 81001, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Vpc Created Unauthorized Operation"),
- (22000, 81002, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Vpc Limit Exceeded"),
- (22000, 81003, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Vpc create error"),
- (22000, 81004, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Associate Dhcp Options"),
- (22000, 81005, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Associate Dhcp Options Unauthorized Operation"),
- (22000, 81006, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Associate Dhcp Options error"),
- (22000, 81007, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Subnet"),
- (22000, 81008, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Create Subnet Unauthorized Operation"),
- (22000, 81009, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Create Subnet Invalid Subnet range"),
- (22000, 81010, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Subnet error"),
- (22000, 81011, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Modify Subnet Attribute"),
- (22000, 81012, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Create Subnet Unauthorized Operation"),
- (22000, 81013, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Modify Subnet Attribute error"),
- (22000, 81014, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Route Table"),
- (22000, 81015, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Create Route Table Unauthorized Operation"),
- (22000, 81016, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Route Table error"),
- (22000, 81017, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Associate Route Table"),
- (22000, 81018, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Associate Route Table Unauthorized Operation"),
- (22000, 81019, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Route Table error"),
- (22000, 81020, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Disassociate Route Table"),
- (22000, 81021, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Disassociate Route Table Unauthorized Operation"),
- (22000, 81022, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Route Table error"),
- (22000, 80500, 15, 173, NULL, 1, 1, "Wazuh - Serv-u messages grouped."),
- (22000, 80501, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Server started"),
- (22000, 80502, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Domain started"),
- (22000, 80503, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged in"),
- (22000, 80504, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged out"),
- (22000, 80505, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Invalid credentials"),
- (22000, 80506, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Multiple authentication failures."),
- (22000, 80507, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Session timeout"),
- (22000, 80508, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Closed session"),
- (22000, 80509, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Remote host connected"),
- (22000, 80510, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Event"),
- (22000, 80511, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File downloaded"),
- (22000, 80512, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File uploaded"),
- (22000, 80513, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File deleted"),
- (22000, 80514, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File/Directory renamed"),
- (22000, 80515, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Directory created"),
- (22000, 80516, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Directory deleted"),
- (22000, 80517, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File with extension .exe uploaded"),
- (22000, 80518, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged in FTP/FTPS"),
- (22000, 80519, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged in SFTP (SSH)"),
- (22000, 80520, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged in HTTP/HTTPS"),
- (22000, 80521, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Attempt to login using anonymous user"),
- (22000, 80522, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: FTP/FTPS Permission denied"),
- (22000, 80523, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: SFTP (SSH) Permission denied"),
- (22000, 80524, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: HTTP/HTTPS Permission denied"),
- (22000, 80700, 15, 173, NULL, 1, 1, "Wazuh - Audit: messages grouped."),
- (22000, 80701, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Start / Resume"),
- (22000, 80702, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Start / Resume FAILED"),
- (22000, 80703, 15, 173, NULL, 1, 1, "Wazuh - Auditd: End"),
- (22000, 80704, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Abort"),
- (22000, 80705, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Configuration changed"),
- (22000, 80710, 15, 173, NULL, 1, 1, "Wazuh - Auditd: device enables promiscuous mode"),
- (22000, 80711, 15, 173, NULL, 1, 1, "Wazuh - Auditd: process ended abnormally"),
- (22000, 80712, 15, 173, NULL, 1, 1, "Wazuh - Auditd: execution of a file ended abnormally"),
- (22000, 80713, 15, 173, NULL, 1, 1, "Wazuh - Auditd: file is made executable"),
- (22000, 80714, 15, 173, NULL, 1, 1, "Wazuh - Auditd: file or a directory access ended abnormally"),
- (22000, 80715, 15, 173, NULL, 1, 1, "Wazuh - Auditd: failure of the Abstract Machine Test Utility (AMTU) detected"),
- (22000, 80716, 15, 173, NULL, 1, 1, "Wazuh - Auditd: maximum amount of Discretionary Access Control (DAC) or Mandatory Access Control (MAC) failures reached"),
- (22000, 80717, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Role-Based Access Control (RBAC) failure detected."),
- (22000, 80718, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user-space account addition ended abnormally."),
- (22000, 80719, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user-space account deletion ended abnormally."),
- (22000, 80720, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user-space account modification ended abnormally."),
- (22000, 80721, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user becomes root"),
- (22000, 80722, 15, 173, NULL, 1, 1, "Wazuh - Auditd: account login attempt ended abnormally."),
- (22000, 80723, 15, 173, NULL, 1, 1, "Wazuh - Auditd: limit of failed login attempts reached."),
- (22000, 80724, 15, 173, NULL, 1, 1, "Wazuh - Auditd: login attempt from a forbidden location."),
- (22000, 80725, 15, 173, NULL, 1, 1, "Wazuh - Auditd: login attempt reached the maximum amount of concurrent sessions."),
- (22000, 80726, 15, 173, NULL, 1, 1, "Wazuh - Auditd: login attempt is made at a time when it is prevented by."),
- (22000, 80730, 15, 173, NULL, 1, 1, "Wazuh - Auditd: SELinux permission check"),
- (22000, 80731, 15, 173, NULL, 1, 1, "Wazuh - Auditd: SELinux mode (enforcing, permissive, off) is changed"),
- (22000, 80732, 15, 173, NULL, 1, 1, "Wazuh - Auditd: SELinux error"),
- (22000, 80740, 15, 173, NULL, 1, 1, "Wazuh - Auditd: replay attack detected"),
- (22000, 80741, 15, 173, NULL, 1, 1, "Wazuh - Auditd: group ID changed"),
- (22000, 80742, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user ID changed"),
- (22000, 80780, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Write access"),
- (22000, 80781, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Write access: $(audit.file.name)"),
- (22000, 80782, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Write access: $(audit.directory.name)"),
- (22000, 80783, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Read access"),
- (22000, 80784, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Read access: $(audit.file.name)"),
- (22000, 80785, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Read access: $(audit.directory.name)"),
- (22000, 80786, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Change attribute"),
- (22000, 80787, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Change attribute: $(audit.file.name)"),
- (22000, 80788, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Change attribute: $(audit.directory.name)"),
- (22000, 80789, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Execute access: $(audit.file.name)"),
- (22000, 80790, 15, 173, NULL, 1, 1, "Wazuh - Audit: Created: $(audit.file.name)"),
- (22000, 80791, 15, 173, NULL, 1, 1, "Wazuh - Audit: Deleted: $(audit.file.name)"),
- (22000, 80792, 15, 173, NULL, 1, 1, "Wazuh - Audit: Command: $(audit.exe)"),
- (22000, 80801, 15, 173, NULL, 1, 1, "Wazuh - Amazon-signin: User Login Success"),
- (22000, 80802, 15, 173, NULL, 1, 1, "Wazuh - Amazon-signin: User Login failed"),
- (22000, 80803, 15, 173, NULL, 1, 1, "Wazuh - Possible breakin attempt (high number of login attempts)."),
- (22000, 80861, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User created"),
- (22000, 80862, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User creation denied"),
- (22000, 80863, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User creation error"),
- (22000, 80864, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User added to a group"),
- (22000, 80865, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User added to a group denied"),
- (22000, 80866, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User added to a group error"),
- (22000, 80867, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User removed from a group"),
- (22000, 80868, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User removed from a group denied"),
- (22000, 80869, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User removed from a group error"),
- (22000, 80870, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Access key updated"),
- (22000, 80871, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Access key updated denied"),
- (22000, 80872, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Access key updated error"),
- (22000, 80873, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy attached to a group"),
- (22000, 80874, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy attached to a group denied"),
- (22000, 80875, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy attached to a group error"),
- (22000, 80876, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy deattached to a group"),
- (22000, 80877, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy deattached to a group denied"),
- (22000, 80878, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy deattached to a group error"),
- (22000, 80879, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy attached to a user"),
- (22000, 80880, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy attached to a user denied"),
- (22000, 80881, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy attached to a user error"),
- (22000, 80882, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy deattached to a user"),
- (22000, 80883, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy deattached to a user denied"),
- (22000, 80884, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy deattached to a user error"),
- (22000, 80885, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy attached to a user"),
- (22000, 80886, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy attached to a user denied"),
- (22000, 80887, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy attached to a user error"),
- (22000, 80888, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy deattached to a user"),
- (22000, 80889, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy deattached to a user denied"),
- (22000, 80890, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy deattached to a user error"),
- (22000, 80891, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group created"),
- (22000, 80892, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group creation denied"),
- (22000, 80893, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group creation error"),
- (22000, 80894, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Role created"),
- (22000, 80895, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Role creation denied"),
- (22000, 80896, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Role creation error"),
- (22000, 80897, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy created"),
- (22000, 80898, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy creation denied"),
- (22000, 80899, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy creation error"),
- (22000, 80900, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy password account update"),
- (22000, 80901, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy password account update denied"),
- (22000, 80902, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy password account update error"),
- (22000, 80903, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Account alias created"),
- (22000, 80904, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Create Account Alias error"),
- (22000, 80905, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Account alias deleted"),
- (22000, 80906, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Delete account alias error"),
- (22000, 80907, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Account alias updated"),
- (22000, 80908, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Update Instance Alias error"),
- (22000, 80909, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Get Group"),
- (22000, 80910, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: The group cant be found"),
- (22000, 80911, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Get group error"),
- (22000, 80912, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Get Group"),
- (22000, 80913, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: The group cant be listed"),
- (22000, 80914, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: List group error"),
- (22000, 80915, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: List Users"),
- (22000, 80916, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: The users cant be listed"),
- (22000, 80917, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: List users error"),
- (22000, 80918, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Delete user"),
- (22000, 80919, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: The users can't be deleted"),
- (22000, 80920, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Delete user error"),
- (22000, 80921, 15, 173, NULL, 1, 1, "Wazuh - Attempts to delete the KMS keys/users."),
- (22000, 80922, 15, 173, NULL, 1, 1, "Wazuh - Access to KMS keys/users."),
- (22000, 81100, 15, 173, NULL, 1, 1, "Wazuh - USB messages grouped."),
- (22000, 81101, 15, 173, NULL, 1, 1, "Wazuh - Attached USB Storage"),
- (22000, 81300, 15, 173, NULL, 1, 1, "Wazuh - Redis messages grouped."),
- (22000, 81301, 15, 173, NULL, 1, 1, "Wazuh - Redis: started"),
- (22000, 81302, 15, 173, NULL, 1, 1, "Wazuh - Redis: shutdown"),
- (22000, 81303, 15, 173, NULL, 1, 1, "Wazuh - Redis: Warning / Error"),
- (22000, 81304, 15, 173, NULL, 1, 1, "Wazuh - Redis: Client connected"),
- (22000, 81305, 15, 173, NULL, 1, 1, "Wazuh - Redis: Client closed connection"),
- (22000, 81400, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP messages grouped."),
- (22000, 81401, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: Evaluation started."),
- (22000, 81402, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: Evaluation finished."),
- (22000, 81403, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: Evaluation finished with some failures."),
- (22000, 81501, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: Error messages grouped."),
- (22000, 81502, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: OpenSCAP not installed."),
- (22000, 81503, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Impossible to execute OpenSCAP."),
- (22000, 81504, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Wrong configuration - Inexistent policy."),
- (22000, 81505, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Wrong configuration - Invalid policy."),
- (22000, 81506, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Problem executing oscap."),
- (22000, 81507, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Wrong configuration - Inexistent profile."),
- (22000, 81508, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Timeout expired"),
- (22000, 81509, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: xsltproc not installed."),
- (22000, 81520, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP XCCDF messages grouped."),
- (22000, 81521, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (passed)"),
- (22000, 81522, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not checked)"),
- (22000, 81523, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not applied)"),
- (22000, 81524, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (fixed)"),
- (22000, 81525, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (informational)"),
- (22000, 81526, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (error)"),
- (22000, 81527, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (unknown)"),
- (22000, 81528, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not selected)"),
- (22000, 81529, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not passed)"),
- (22000, 81530, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not passed)"),
- (22000, 81531, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not passed)"),
- (22000, 81540, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview."),
- (22000, 81541, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 90"),
- (22000, 81542, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 80"),
- (22000, 81543, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 50"),
- (22000, 81544, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 30"),
- (22000, 81550, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP OVAL messages grouped."),
- (22000, 81551, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (passed)"),
- (22000, 81552, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not passed)"),
- (22000, 81560, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview."),
- (22000, 81561, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 90"),
- (22000, 81562, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 80"),
- (22000, 81563, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 50"),
- (22000, 81564, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 30"),
- (22000, 81600, 15, 173, NULL, 1, 1, "Wazuh - Fortigat v3 messages grouped."),
- (22000, 81601, 15, 173, NULL, 1, 1, "Wazuh - Fortigate v4 messages grouped."),
- (22000, 81602, 15, 173, NULL, 1, 1, "Wazuh - Fortigate v5 messages grouped."),
- (22000, 81603, 15, 173, NULL, 1, 1, "Wazuh - Fortigate messages grouped."),
- (22000, 81604, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: IP Sec DPD Failed."),
- (22000, 81605, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall drop events from same source."),
- (22000, 81606, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Login failed."),
- (22000, 81607, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple failed login events from same source."),
- (22000, 81608, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Configuration changed."),
- (22000, 81609, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple changed configuration events from same source."),
- (22000, 81610, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Default tunneling setting. Could be IPS."),
- (22000, 81611, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple default tunneling setting events from same source."),
- (22000, 81612, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Firewall configuration changes"),
- (22000, 81613, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall edit events from same source."),
- (22000, 81614, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: SSL VPN User failed login attempt"),
- (22000, 81615, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall SSL VPN failed login events from same source."),
- (22000, 81616, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: User logout successful"),
- (22000, 81617, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall logout events from same source."),
- (22000, 81618, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Traffic to be aware of."),
- (22000, 81619, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple high traffic events from same source."),
- (22000, 81620, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: URL Blocked by Firewall."),
- (22000, 81621, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple URL blocked from same source."),
- (22000, 81622, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: VPN User connected."),
- (22000, 81623, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple vpn user connected from same source."),
- (22000, 81624, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: VPN User disconnected."),
- (22000, 81625, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple user disconnected events from same source."),
- (22000, 81626, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: User successfully logged into firewall interface."),
- (22000, 81627, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall login events from same source."),
- (22000, 81628, 15, 173, NULL, 1, 1, "Wazuh - Fortigate Attack Detected"),
- (22000, 81629, 15, 173, NULL, 1, 1, "Wazuh - Fortigate Attack Dropped"),
- (22000, 81700, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI messages grouped."),
- (22000, 81701, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Emergency event"),
- (22000, 81702, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Alert event"),
- (22000, 81703, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Critical event"),
- (22000, 81704, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Error event"),
- (22000, 81705, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Warning event"),
- (22000, 81706, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Notification event"),
- (22000, 81707, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Informational event"),
- (22000, 81708, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Debug event"),
- (22000, 81709, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Warning event: Authentication failure"),
- (22000, 81710, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI: Multiple authentication failures."),
- (22000, 81800, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN messages grouped."),
- (22000, 81801, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN: User logged in"),
- (22000, 81802, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN: Concurrent connections"),
- (22000, 81803, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN: Connection Certificate Failed"),
- (22000, 81804, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN: Certificate failed - Possible revoked user"),
- (22000, 81900, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager messages grouped."),
- (22000, 81901, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager: Loging event"),
- (22000, 81902, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager: Authentication success"),
- (22000, 81903, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager: Authentication fail"),
- (22000, 81904, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager: Multiple authentication failures."),
- (22000, 82000, 15, 173, NULL, 1, 1, "Wazuh - Imperva messages grouped."),
- (22000, 82001, 15, 173, NULL, 1, 1, "Wazuh - Imperva: Event with high severity"),
- (22000, 82100, 15, 173, NULL, 1, 1, "Wazuh - Sophos alerts."),
- (22000, 82101, 15, 173, NULL, 1, 1, "Wazuh - Sophos Cloud Scheduled Scan started"),
- (22000, 82102, 15, 173, NULL, 1, 1, "Wazuh - Sophos Cloud Scheduled Scan completed"),
- (22000, 82103, 15, 173, NULL, 1, 1, "Wazuh - User has started on-access scanning for this machine."),
- (22000, 82104, 15, 173, NULL, 1, 1, "Wazuh - User has stopped on-access scanning for this machine."),
- (22000, 82105, 15, 173, NULL, 1, 1, "Wazuh - Sophos database updated"),
- (22000, 82200, 15, 173, NULL, 1, 1, "Wazuh - FreeIPA syslog."),
- (22000, 82201, 15, 173, NULL, 1, 1, "Wazuh - FreeIPA (apache format)"),
- (22000, 82202, 15, 173, NULL, 1, 1, "Wazuh - FreeIPA messages grouped."),
- (22000, 82203, 15, 173, NULL, 1, 1, "Wazuh - FreeIPA: Authentication fail"),
- (22000, 82400, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer messages grouped."),
- (22000, 82401, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: SERVER-MYSQL failed login attempt"),
- (22000, 82402, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: SERVER-MYSQL login attempt from unauthorized location"),
- (22000, 82403, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: SERVER-MYSQL client authentication bypass attempt"),
- (22000, 82404, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: SERVER-MYSQL show databases attempt"),
- (22000, 82405, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: APP-DETECT DNS request for potential malware"),
- (22000, 83000, 15, 173, NULL, 1, 1, "Wazuh - Windows Defender messages grouped."),
- (22000, 83001, 15, 173, NULL, 1, 1, "Wazuh - Windows Defender: detected potentially unwanted software"),
- (22000, 83002, 15, 173, NULL, 1, 1, "Wazuh - Windows Defender: error when taking action on potentially unwanted software"),
- (22000, 83200, 15, 173, NULL, 1, 1, "Wazuh - The audit log was cleared"),
- (22000, 83201, 15, 173, NULL, 1, 1, "Wazuh - The Internet Explorer log file was cleared"),
- (22000, 83202, 15, 173, NULL, 1, 1, "Wazuh - The Event log service was started"),
- (22000, 85000, 15, 173, NULL, 1, 1, "Wazuh - SQL Server messages."),
- (22000, 85001, 15, 173, NULL, 1, 1, "Wazuh - Starting up database."),
- (22000, 85002, 15, 173, NULL, 1, 1, "Wazuh - Attempting to load library."),
- (22000, 85003, 15, 173, NULL, 1, 1, "Wazuh - SQL Server process ID."),
- (22000, 85004, 15, 173, NULL, 1, 1, "Wazuh - SQL Server login success."),
- (22000, 85005, 15, 173, NULL, 1, 1, "Wazuh - SQL Server login failed."),
- (22000, 85006, 15, 173, NULL, 1, 1, "Wazuh - SQL Server: Multiple authentication failures."),
- (22000, 85007, 15, 173, NULL, 1, 1, "Wazuh - SQL Server library use."),
- (22000, 85008, 15, 173, NULL, 1, 1, "Wazuh - SQL Server Network Interface library unregistered "),
- (22000, 85009, 15, 173, NULL, 1, 1, "Wazuh - SQL Server error."),
- (22000, 85010, 15, 173, NULL, 1, 1, "Wazuh - SQL Server filestream information."),
- (22000, 85500, 15, 173, NULL, 1, 1, "Wazuh - Identity Guard Log."),
- (22000, 85501, 15, 173, NULL, 1, 1, "Wazuh - Identity Guard: User authentication failed."),
- (22000, 85502, 15, 173, NULL, 1, 1, "Wazuh - Identity Guard: Multiple authentication failures."),
- (22000, 85750, 15, 173, NULL, 1, 1, "Wazuh - MongoDB messages"),
- (22000, 85751, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Fatal message"),
- (22000, 85752, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Error message"),
- (22000, 85753, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Warning message"),
- (22000, 85754, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Debug message"),
- (22000, 85755, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Informational message"),
- (22000, 85756, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Connection accepted"),
- (22000, 85757, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: End connection"),
- (22000, 85758, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Successfully authentication"),
- (22000, 85759, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Failed authentication"),
- (22000, 85760, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Multiple authentication failures."),
- (22000, 85761, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Execute commands without the necessary privileges"),
- (22000, 86000, 15, 173, NULL, 1, 1, "Wazuh - Docker messages"),
- (22000, 86001, 15, 173, NULL, 1, 1, "Wazuh - Docker: Information message"),
- (22000, 86002, 15, 173, NULL, 1, 1, "Wazuh - Docker: Warning message"),
- (22000, 86003, 15, 173, NULL, 1, 1, "Wazuh - Docker: Error message"),
- (22000, 86004, 15, 173, NULL, 1, 1, "Wazuh - Docker: Fatal message"),
- (22000, 86005, 15, 173, NULL, 1, 1, "Wazuh - Docker: Error - unauthorized action"),
- (22000, 86006, 15, 173, NULL, 1, 1, "Wazuh - Docker: Error - denied action"),
- (22000, 86250, 15, 173, NULL, 1, 1, "Wazuh - Jenkins messages"),
- (22000, 86251, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Information message"),
- (22000, 86252, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Warning message"),
- (22000, 86253, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Severe message"),
- (22000, 86254, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Installation successful"),
- (22000, 86255, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Started SSHD"),
- (22000, 86501, 15, 173, NULL, 1, 1, "Wazuh - Object Deleted."),
- (22000, 86502, 15, 173, NULL, 1, 1, "Wazuh - Object Deleted."),
- (22000, 86503, 15, 173, NULL, 1, 1, "Wazuh - S3 deleted object (high number of deleted object)."),
- (22000, 86800, 15, 173, NULL, 1, 1, "Wazuh - VShell message grouped."),
- (22000, 86801, 15, 173, NULL, 1, 1, "Wazuh - VShell connection attempt successful"),
- (22000, 86802, 15, 173, NULL, 1, 1, "Wazuh - VShell user failed to login or user does not exist"),
- (22000, 86803, 15, 173, NULL, 1, 1, "Wazuh - VShell user used the maximum number of password attempts."),
- (22000, 86804, 15, 173, NULL, 1, 1, "Wazuh - Host is trying to connect to VShell server but exists in the deny file."),
- (22000, 86805, 15, 173, NULL, 1, 1, "Wazuh - VShell user successfully authenticated."),
- (22000, 86806, 15, 173, NULL, 1, 1, "Wazuh - VShell multiple connection attempts within 2 minute by a host in the deny file, potential DOS or brute force attempt."),
- (22000, 86807, 15, 173, NULL, 1, 1, "Wazuh - VShell host has exceeded the number of failed login attempts and has been added to the Hosts Deny file."),
- (22000, 100001, 15, 173, NULL, 1, 1, "Wazuh - sshd: authentication failed from IP 1.1.1.1.");