
wazuh.sql

a guest
Aug 31st, 2018
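  -- Reload of the Wazuh plugin definition registered under plugin id 22000:
  -- remove whatever is stored for that id, then re-create the plugin row.
  -- The plugin_sid rows are re-created by the INSERT that follows this block.
  --
  -- NOTE(review): from these DELETEs until the plugin_sid INSERT finishes,
  -- id 22000 has no sid rows. If this runs against a database that is
  -- processing events, confirm how events for this plugin are handled in that
  -- window, or run the whole reload in one transaction if the tables' storage
  -- engine supports it.
  --
  -- NOTE(review): every plugin_sid row visible in this listing is inserted with
  -- reliability 1 and priority 1, whatever the rule describes ("Windows malware
  -- detected" and "Log file rotated" alike). If the consuming system derives
  -- alert risk from these two columns, tune them per sid after loading --
  -- TODO confirm against the consumer.

  -- Child rows first, so the script also works if plugin_sid.plugin_id is
  -- constrained by a foreign key to plugin.id (schema not shown here).
  -- Integer literals match the unquoted 22000 used by the INSERTs and avoid an
  -- implicit string-to-number conversion in the predicate.
  DELETE FROM plugin_sid WHERE plugin_id = 22000;
  DELETE FROM plugin WHERE id = 22000;

  -- Single-quoted string literals are valid in every sql_mode; double-quoted
  -- ones are parsed as identifiers when ANSI_QUOTES is enabled.
  -- NOTE(review): IGNORE downgrades insert errors to warnings, so a row that
  -- fails to insert is skipped silently. Check the warnings / affected-row
  -- count after loading so a missing plugin or sid row does not go unnoticed.
  INSERT IGNORE INTO plugin (id, type, name, description)
  VALUES (22000, 1, 'Wazuh', 'Wazuh host and endpoint security');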
  4. INSERT IGNORE INTO plugin_sid(plugin_id, sid, category_id, subcategory_id, class_id, reliability, priority, name) VALUES
  5. (22000, 1, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all syslog rules."),
  6. (22000, 2, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all firewall rules."),
  7. (22000, 3, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all ids rules."),
  8. (22000, 4, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all web rules."),
  9. (22000, 5, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all web proxy rules."),
  10. (22000, 6, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all windows rules."),
  11. (22000, 7, 15, 173, NULL, 1, 1, "Wazuh - Generic template for all ossec rules."),
  12. (22000, 500, 15, 173, NULL, 1, 1, "Wazuh - Grouping of ossec rules."),
  13. (22000, 501, 15, 173, NULL, 1, 1, "Wazuh - New ossec agent connected."),
  14. (22000, 502, 15, 173, NULL, 1, 1, "Wazuh - Ossec server started."),
  15. (22000, 503, 15, 173, NULL, 1, 1, "Wazuh - Ossec agent started."),
  16. (22000, 504, 15, 173, NULL, 1, 1, "Wazuh - Ossec agent disconnected."),
  17. (22000, 509, 15, 173, NULL, 1, 1, "Wazuh - Rootcheck event."),
  18. (22000, 510, 15, 173, NULL, 1, 1, "Wazuh - Host-based anomaly detection event (rootcheck)."),
  19. (22000, 511, 15, 173, NULL, 1, 1, "Wazuh - Ignored common NTFS ADS entries."),
  20. (22000, 512, 15, 173, NULL, 1, 1, "Wazuh - Windows Audit event."),
  21. (22000, 513, 15, 173, NULL, 1, 1, "Wazuh - Windows malware detected."),
  22. (22000, 514, 15, 173, NULL, 1, 1, "Wazuh - Windows application monitor event."),
  23. (22000, 515, 15, 173, NULL, 1, 1, "Wazuh - Ignoring rootcheck/syscheck scan messages."),
  24. (22000, 516, 15, 173, NULL, 1, 1, "Wazuh - System Audit event."),
  25. (22000, 518, 15, 173, NULL, 1, 1, "Wazuh - Windows Adware/Spyware application found."),
  26. (22000, 519, 15, 173, NULL, 1, 1, "Wazuh - System Audit: Vulnerable web application found."),
  27. (22000, 520, 15, 173, NULL, 1, 1, "Wazuh - Trying to add an agent with duplicated IP."),
  28. (22000, 530, 15, 173, NULL, 1, 1, "Wazuh - OSSEC process monitoring rules."),
  29. (22000, 531, 15, 173, NULL, 1, 1, "Wazuh - Partition usage reached 100% (disk space monitor)."),
  30. (22000, 532, 15, 173, NULL, 1, 1, "Wazuh - Ignoring external medias."),
  31. (22000, 533, 15, 173, NULL, 1, 1, "Wazuh - Listened ports status (netstat) changed (new port opened or closed)."),
  32. (22000, 534, 15, 173, NULL, 1, 1, "Wazuh - List of logged in users. It will not be alerted by default."),
  33. (22000, 535, 15, 173, NULL, 1, 1, "Wazuh - List of the last logged in users."),
  34. (22000, 550, 15, 173, NULL, 1, 1, "Wazuh - Integrity checksum changed."),
  35. (22000, 551, 15, 173, NULL, 1, 1, "Wazuh - Integrity checksum changed again (2nd time)."),
  36. (22000, 552, 15, 173, NULL, 1, 1, "Wazuh - Integrity checksum changed again (3rd time)."),
  37. (22000, 553, 15, 173, NULL, 1, 1, "Wazuh - File deleted. Unable to retrieve checksum."),
  38. (22000, 554, 15, 173, NULL, 1, 1, "Wazuh - File added to the system."),
  39. (22000, 555, 15, 173, NULL, 1, 1, "Wazuh - Integrity checksum for agentless device changed."),
  40. (22000, 580, 15, 173, NULL, 1, 1, "Wazuh - Host information changed."),
  41. (22000, 581, 15, 173, NULL, 1, 1, "Wazuh - Host information added."),
  42. (22000, 591, 15, 173, NULL, 1, 1, "Wazuh - Log file rotated."),
  43. (22000, 592, 15, 173, NULL, 1, 1, "Wazuh - Log file size reduced."),
  44. (22000, 593, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Event log cleared."),
  45. (22000, 594, 15, 173, NULL, 1, 1, "Wazuh - Registry Integrity Checksum Changed"),
  46. (22000, 595, 15, 173, NULL, 1, 1, "Wazuh - Registry Integrity Checksum Changed Again (2nd time)"),
  47. (22000, 596, 15, 173, NULL, 1, 1, "Wazuh - Registry Integrity Checksum Changed Again (3rd time)"),
  48. (22000, 597, 15, 173, NULL, 1, 1, "Wazuh - Registry Entry Deleted. Unable to Retrieve Checksum"),
  49. (22000, 598, 15, 173, NULL, 1, 1, "Wazuh - Registry Entry Added to the System"),
  50. (22000, 600, 15, 173, NULL, 1, 1, "Wazuh - Active Response Messages Grouped"),
  51. (22000, 601, 15, 173, NULL, 1, 1, "Wazuh - Host Blocked by firewall-drop.sh Active Response"),
  52. (22000, 602, 15, 173, NULL, 1, 1, "Wazuh - Host Unblocked by firewall-drop.sh Active Response"),
  53. (22000, 603, 15, 173, NULL, 1, 1, "Wazuh - Host Blocked by host-deny.sh Active Response"),
  54. (22000, 604, 15, 173, NULL, 1, 1, "Wazuh - Host Unblocked by host-deny.sh Active Response"),
  55. (22000, 605, 15, 173, NULL, 1, 1, "Wazuh - Host Blocked by $(script) Active Response"),
  56. (22000, 606, 15, 173, NULL, 1, 1, "Wazuh - Host Unblocked by $(script) Active Response"),
  57. (22000, 607, 15, 173, NULL, 1, 1, "Wazuh - Active response: $(script) - $(type)"),
  58. (22000, 700, 15, 173, NULL, 1, 1, "Wazuh - Logcollector Messages Grouped"),
  59. (22000, 701, 15, 173, NULL, 1, 1, "Wazuh - Ignore informational messages (usually at startup)"),
  60. (22000, 200, 15, 173, NULL, 1, 1, "Wazuh - Grouping of wazuh rules."),
  61. (22000, 201, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue rule"),
  62. (22000, 202, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue is $(level) full."),
  63. (22000, 203, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue is full. Events may be lost."),
  64. (22000, 204, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue is flooded. Check the agent configuration."),
  65. (22000, 205, 15, 173, NULL, 1, 1, "Wazuh - Agent event queue is back to normal load."),
  66. (22000, 1001, 15, 173, NULL, 1, 1, "Wazuh - File missing. Root access unrestricted."),
  67. (22000, 1002, 15, 173, NULL, 1, 1, "Wazuh - Unknown problem somewhere in the system."),
  68. (22000, 1003, 15, 173, NULL, 1, 1, "Wazuh - Non standard syslog message (size too large)."),
  69. (22000, 1004, 15, 173, NULL, 1, 1, "Wazuh - Syslogd exiting (logging stopped)."),
  70. (22000, 1005, 15, 173, NULL, 1, 1, "Wazuh - Syslogd restarted."),
  71. (22000, 1006, 15, 173, NULL, 1, 1, "Wazuh - Syslogd restarted."),
  72. (22000, 1007, 15, 173, NULL, 1, 1, "Wazuh - File system full."),
  73. (22000, 1008, 15, 173, NULL, 1, 1, "Wazuh - Process exiting (killed)."),
  74. (22000, 1009, 15, 173, NULL, 1, 1, "Wazuh - Ignoring known false positives on rule 1002.."),
  75. (22000, 2100, 15, 173, NULL, 1, 1, "Wazuh - NFS rules grouped."),
  76. (22000, 2101, 15, 173, NULL, 1, 1, "Wazuh - Unable to mount the NFS share."),
  77. (22000, 2102, 15, 173, NULL, 1, 1, "Wazuh - Unable to mount the NFS directory."),
  78. (22000, 2103, 15, 173, NULL, 1, 1, "Wazuh - Unable to mount the NFS directory."),
  79. (22000, 2104, 15, 173, NULL, 1, 1, "Wazuh - Automount informative message"),
  80. (22000, 2301, 15, 173, NULL, 1, 1, "Wazuh - xinetd: Excessive number connections to a service."),
  81. (22000, 2501, 15, 173, NULL, 1, 1, "Wazuh - syslog: User authentication failure."),
  82. (22000, 2502, 15, 173, NULL, 1, 1, "Wazuh - syslog: User missed the password more than one time"),
  83. (22000, 2503, 15, 173, NULL, 1, 1, "Wazuh - syslog: Connection blocked by Tcp Wrappers."),
  84. (22000, 2504, 15, 173, NULL, 1, 1, "Wazuh - syslog: Illegal root login. "),
  85. (22000, 2505, 15, 173, NULL, 1, 1, "Wazuh - syslog: Physical root login."),
  86. (22000, 2506, 15, 173, NULL, 1, 1, "Wazuh - syslog: Pop3 Authentication passed."),
  87. (22000, 2507, 15, 173, NULL, 1, 1, "Wazuh - OpenLDAP group."),
  88. (22000, 2508, 15, 173, NULL, 1, 1, "Wazuh - OpenLDAP connection open."),
  89. (22000, 2509, 15, 173, NULL, 1, 1, "Wazuh - OpenLDAP authentication failed."),
  90. (22000, 2550, 15, 173, NULL, 1, 1, "Wazuh - rshd messages grouped."),
  91. (22000, 2551, 15, 173, NULL, 1, 1, "Wazuh - Connection to rshd from unprivileged port. Possible network scan."),
  92. (22000, 2701, 15, 173, NULL, 1, 1, "Wazuh - Ignoring procmail messages."),
  93. (22000, 2800, 15, 173, NULL, 1, 1, "Wazuh - Pre-match rule for smartd."),
  94. (22000, 2801, 15, 173, NULL, 1, 1, "Wazuh - Smartd Started but not configured"),
  95. (22000, 2802, 15, 173, NULL, 1, 1, "Wazuh - Smartd configuration problem"),
  96. (22000, 2803, 15, 173, NULL, 1, 1, "Wazuh - Device configured but not available to Smartd"),
  97. (22000, 5100, 15, 173, NULL, 1, 1, "Wazuh - Pre-match rule for kernel messages"),
  98. (22000, 5101, 15, 173, NULL, 1, 1, "Wazuh - Informative message from the kernel."),
  99. (22000, 5102, 15, 173, NULL, 1, 1, "Wazuh - Informative message from the kernel"),
  100. (22000, 5103, 15, 173, NULL, 1, 1, "Wazuh - Error message from the kernel. Ping of death attack."),
  101. (22000, 5104, 15, 173, NULL, 1, 1, "Wazuh - Interface entered in promiscuous(sniffing) mode."),
  102. (22000, 5105, 15, 173, NULL, 1, 1, "Wazuh - Invalid request to /dev/fd0 (bug on the kernel)."),
  103. (22000, 5106, 15, 173, NULL, 1, 1, "Wazuh - NFS incompability between Linux and Solaris."),
  104. (22000, 5107, 15, 173, NULL, 1, 1, "Wazuh - NFS incompability between Linux and Solaris."),
  105. (22000, 5108, 15, 173, NULL, 1, 1, "Wazuh - System running out of memory. Availability of the system is in risk."),
  106. (22000, 5109, 15, 173, NULL, 1, 1, "Wazuh - Kernel Input/Output error"),
  107. (22000, 5110, 15, 173, NULL, 1, 1, "Wazuh - IRC misconfiguration"),
  108. (22000, 5111, 15, 173, NULL, 1, 1, "Wazuh - Kernel device error."),
  109. (22000, 5112, 15, 173, NULL, 1, 1, "Wazuh - Kernel usbhid probe error (ignored)."),
  110. (22000, 5113, 15, 173, NULL, 1, 1, "Wazuh - System is shutting down."),
  111. (22000, 5130, 15, 173, NULL, 1, 1, "Wazuh - Monitor ADSL line is down."),
  112. (22000, 5131, 15, 173, NULL, 1, 1, "Wazuh - Monitor ADSL line is up."),
  113. (22000, 5200, 15, 173, NULL, 1, 1, "Wazuh - Ignoring hpiod for producing useless logs."),
  114. (22000, 2830, 15, 173, NULL, 1, 1, "Wazuh - Crontab rule group."),
  115. (22000, 2831, 15, 173, NULL, 1, 1, "Wazuh - Wrong crond configuration"),
  116. (22000, 2834, 15, 173, NULL, 1, 1, "Wazuh - Crontab opened for editing."),
  117. (22000, 2832, 15, 173, NULL, 1, 1, "Wazuh - Crontab entry changed."),
  118. (22000, 2833, 15, 173, NULL, 1, 1, "Wazuh - Root's crontab entry changed."),
  119. (22000, 5300, 15, 173, NULL, 1, 1, "Wazuh - Initial grouping for su messages."),
  120. (22000, 5301, 15, 173, NULL, 1, 1, "Wazuh - User missed the password to change UID (user id)."),
  121. (22000, 5302, 15, 173, NULL, 1, 1, "Wazuh - User missed the password to change UID to root."),
  122. (22000, 5303, 15, 173, NULL, 1, 1, "Wazuh - User successfully changed UID to root."),
  123. (22000, 5304, 15, 173, NULL, 1, 1, "Wazuh - User successfully changed UID."),
  124. (22000, 5305, 15, 173, NULL, 1, 1, "Wazuh - First time (su) is executed by user."),
  125. (22000, 5306, 15, 173, NULL, 1, 1, "Wazuh - A user has attempted to su to an unknown class."),
  126. (22000, 7101, 15, 173, NULL, 1, 1, "Wazuh - Problems with the tripwire checking"),
  127. (22000, 5901, 15, 173, NULL, 1, 1, "Wazuh - New group added to the system"),
  128. (22000, 5902, 15, 173, NULL, 1, 1, "Wazuh - New user added to the system"),
  129. (22000, 5903, 15, 173, NULL, 1, 1, "Wazuh - Group (or user) deleted from the system"),
  130. (22000, 5904, 15, 173, NULL, 1, 1, "Wazuh - Information from the user was changed"),
  131. (22000, 5905, 15, 173, NULL, 1, 1, "Wazuh - useradd failed."),
  132. (22000, 5400, 15, 173, NULL, 1, 1, "Wazuh - Initial group for sudo messages"),
  133. (22000, 5401, 15, 173, NULL, 1, 1, "Wazuh - Failed attempt to run sudo"),
  134. (22000, 5402, 15, 173, NULL, 1, 1, "Wazuh - Successful sudo to ROOT executed"),
  135. (22000, 5403, 15, 173, NULL, 1, 1, "Wazuh - First time user executed sudo."),
  136. (22000, 5404, 15, 173, NULL, 1, 1, "Wazuh - Three failed attempts to run sudo"),
  137. (22000, 5405, 15, 173, NULL, 1, 1, "Wazuh - Unauthorized user attempted to use sudo."),
  138. (22000, 9100, 15, 173, NULL, 1, 1, "Wazuh - PPTPD messages grouped"),
  139. (22000, 9101, 15, 173, NULL, 1, 1, "Wazuh - PPTPD failed message (communication error)"),
  140. (22000, 9102, 15, 173, NULL, 1, 1, "Wazuh - PPTPD communication error"),
  141. (22000, 10100, 15, 173, NULL, 1, 1, "Wazuh - First time user logged in."),
  142. (22000, 9200, 15, 173, NULL, 1, 1, "Wazuh - Squid syslog messages grouped"),
  143. (22000, 9201, 15, 173, NULL, 1, 1, "Wazuh - Squid debug message"),
  144. (22000, 2900, 15, 173, NULL, 1, 1, "Wazuh - Dpkg (Debian Package) log."),
  145. (22000, 2901, 15, 173, NULL, 1, 1, "Wazuh - New dpkg (Debian Package) requested to install."),
  146. (22000, 2902, 15, 173, NULL, 1, 1, "Wazuh - New dpkg (Debian Package) installed."),
  147. (22000, 2903, 15, 173, NULL, 1, 1, "Wazuh - Dpkg (Debian Package) removed."),
  148. (22000, 2930, 15, 173, NULL, 1, 1, "Wazuh - Yum logs."),
  149. (22000, 2931, 15, 173, NULL, 1, 1, "Wazuh - Yum logs."),
  150. (22000, 2932, 15, 173, NULL, 1, 1, "Wazuh - New Yum package installed."),
  151. (22000, 2933, 15, 173, NULL, 1, 1, "Wazuh - Yum package updated."),
  152. (22000, 2934, 15, 173, NULL, 1, 1, "Wazuh - Yum package deleted."),
  153. (22000, 2935, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the mptscrih rules."),
  154. (22000, 2936, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the mptbase rules."),
  155. (22000, 2937, 15, 173, NULL, 1, 1, "Wazuh - Posible Disk failure. SCSI controller error."),
  156. (22000, 2938, 15, 173, NULL, 1, 1, "Wazuh - SCSI RAID ARRAY ERROR, drive failed."),
  157. (22000, 2939, 15, 173, NULL, 1, 1, "Wazuh - SCSI RAID is now in a degraded status."),
  158. (22000, 2940, 15, 173, NULL, 1, 1, "Wazuh - NetworkManager grouping."),
  159. (22000, 2941, 15, 173, NULL, 1, 1, "Wazuh - Incorrect chain/target/match."),
  160. (22000, 2942, 15, 173, NULL, 1, 1, "Wazuh - Uninteresting gnome error."),
  161. (22000, 2943, 15, 173, NULL, 1, 1, "Wazuh - nouveau driver grouping"),
  162. (22000, 2944, 15, 173, NULL, 1, 1, "Wazuh - Uninteresting nouveau error."),
  163. (22000, 2945, 15, 173, NULL, 1, 1, "Wazuh - rsyslog may be dropping messages due to rate-limiting."),
  164. (22000, 2960, 15, 173, NULL, 1, 1, "Wazuh - User added to group."),
  165. (22000, 2961, 15, 173, NULL, 1, 1, "Wazuh - User added to group sudo."),
  166. (22000, 3100, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the sendmail rules."),
  167. (22000, 3101, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the sendmail reject rules."),
  168. (22000, 3102, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sender domain does not have any valid MX record (Requested action aborted)."),
  169. (22000, 3103, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Rejected by access list (55x: Requested action not taken)."),
  170. (22000, 3104, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Attepmt to use mail server as relay (550: Requested action not taken)."),
  171. (22000, 3105, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sender domain is not found (553: Requested action not taken)."),
  172. (22000, 3106, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sender address does not have domain (553: Requested action not taken)."),
  173. (22000, 3107, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sendmail rejected message."),
  174. (22000, 3108, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sendmail rejected due to pre-greeting."),
  175. (22000, 3109, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sendmail save mail panic."),
  176. (22000, 3151, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Sender domain has bogus MX record. It should not be sending e-mail."),
  177. (22000, 3152, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."),
  178. (22000, 3153, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple relaying attempts of spam."),
  179. (22000, 3154, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."),
  180. (22000, 3155, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple attempts to send e-mail from invalid/unknown sender."),
  181. (22000, 3156, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple rejected e-mails from same source ip."),
  182. (22000, 3158, 15, 173, NULL, 1, 1, "Wazuh - sendmail: Multiple pre-greetings rejects."),
  183. (22000, 3190, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the smf-sav sendmail milter rules."),
  184. (22000, 3191, 15, 173, NULL, 1, 1, "Wazuh - sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."),
  185. (22000, 3300, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the postfix reject rules."),
  186. (22000, 3301, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Attempt to use mail server as relay (client host rejected)."),
  187. (22000, 3302, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Rejected by access list (Requested action not taken)."),
  188. (22000, 3303, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Sender domain is not found (450: Requested mail action not taken)."),
  189. (22000, 3304, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."),
  190. (22000, 3305, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Receipent address must contain FQDN (504: Command parameter not implemented)."),
  191. (22000, 3306, 15, 173, NULL, 1, 1, "Wazuh - Postfix: IP Address black-listed by anti-spam (blocked)."),
  192. (22000, 3320, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the postfix rules."),
  193. (22000, 3330, 15, 173, NULL, 1, 1, "Wazuh - Postfix process error."),
  194. (22000, 3332, 15, 173, NULL, 1, 1, "Wazuh - Postfix SASL authentication failure."),
  195. (22000, 3331, 15, 173, NULL, 1, 1, "Wazuh - Postfix insufficient disk space error."),
  196. (22000, 3334, 15, 173, NULL, 1, 1, "Wazuh - Postfix started."),
  197. (22000, 3335, 15, 173, NULL, 1, 1, "Wazuh - Postfix: too many errors after RCPT from unkown"),
  198. (22000, 3333, 15, 173, NULL, 1, 1, "Wazuh - Postfix stopped."),
  199. (22000, 3351, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple relaying attempts of spam."),
  200. (22000, 3352, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."),
  201. (22000, 3353, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."),
  202. (22000, 3354, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple misuse of SMTP service (bad sequence of commands)."),
  203. (22000, 3355, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."),
  204. (22000, 3356, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."),
  205. (22000, 3357, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Multiple SASL authentication failures."),
  206. (22000, 3390, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the clamsmtpd rules."),
  207. (22000, 3395, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the postfix warning rules."),
  208. (22000, 3396, 15, 173, NULL, 1, 1, "Wazuh - Postfix: hostname verification failed"),
  209. (22000, 3397, 15, 173, NULL, 1, 1, "Wazuh - Postfix: RBL lookup error: Host or domain name not found"),
  210. (22000, 3398, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Illegal address from unknown sender"),
  211. (22000, 3399, 15, 173, NULL, 1, 1, "Wazuh - Postfix: Ignore permission warning"),
  212. (22000, 3500, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the spamd rules"),
  213. (22000, 3501, 15, 173, NULL, 1, 1, "Wazuh - SPAMD result message (not very usefull here)."),
  214. (22000, 3502, 15, 173, NULL, 1, 1, "Wazuh - Spamd debug event (reading message)."),
  215. (22000, 3600, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the imapd rules."),
  216. (22000, 3601, 15, 173, NULL, 1, 1, "Wazuh - Imapd user login failed."),
  217. (22000, 3602, 15, 173, NULL, 1, 1, "Wazuh - Imapd user login."),
  218. (22000, 3603, 15, 173, NULL, 1, 1, "Wazuh - Imapd user logout."),
  219. (22000, 3651, 15, 173, NULL, 1, 1, "Wazuh - Imapd Multiple failed logins from same source ip."),
  220. (22000, 3700, 15, 173, NULL, 1, 1, "Wazuh - Grouping of mailscanner rules."),
  221. (22000, 3701, 15, 173, NULL, 1, 1, "Wazuh - mailscanner: Non spam message. Ignored."),
  222. (22000, 3702, 15, 173, NULL, 1, 1, "Wazuh - mailscanner: spam detected."),
  223. (22000, 3751, 15, 173, NULL, 1, 1, "Wazuh - mailscanner: Multiple attempts of spam."),
  224. (22000, 3800, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Exchange rules."),
  225. (22000, 3801, 15, 173, NULL, 1, 1, "Wazuh - ms-exchange: E-mail rcpt is not valid (invalid account)."),
  226. (22000, 3802, 15, 173, NULL, 1, 1, "Wazuh - ms-exchange: E-mail 500 error code."),
  227. (22000, 3851, 15, 173, NULL, 1, 1, "Wazuh - ms-exchange: Multiple e-mail attempts to an invalid account."),
  228. (22000, 3852, 15, 173, NULL, 1, 1, "Wazuh - ms-exchange: Multiple e-mail 500 error code (spam)."),
  229. (22000, 3900, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the courier rules."),
  230. (22000, 3901, 15, 173, NULL, 1, 1, "Wazuh - New courier (imap/pop3) connection."),
  231. (22000, 3902, 15, 173, NULL, 1, 1, "Wazuh - Courier (imap/pop3) authentication failed."),
  232. (22000, 3903, 15, 173, NULL, 1, 1, "Wazuh - Courier logout/timeout."),
  233. (22000, 3904, 15, 173, NULL, 1, 1, "Wazuh - Courier (imap/pop3) authentication success."),
  234. (22000, 3910, 15, 173, NULL, 1, 1, "Wazuh - Courier brute force (multiple failed logins)."),
  235. (22000, 3911, 15, 173, NULL, 1, 1, "Wazuh - Courier: Multiple connection attempts from same source."),
  236. (22000, 4100, 15, 173, NULL, 1, 1, "Wazuh - Firewall rules grouped."),
  237. (22000, 4101, 15, 173, NULL, 1, 1, "Wazuh - Firewall drop event."),
  238. (22000, 4151, 15, 173, NULL, 1, 1, "Wazuh - Multiple Firewall drop events from same source."),
  239. (22000, 4300, 15, 173, NULL, 1, 1, "Wazuh - Grouping of PIX rules"),
  240. (22000, 4310, 15, 173, NULL, 1, 1, "Wazuh - PIX alert message."),
  241. (22000, 4311, 15, 173, NULL, 1, 1, "Wazuh - PIX critical message."),
  242. (22000, 4312, 15, 173, NULL, 1, 1, "Wazuh - PIX error message."),
  243. (22000, 4313, 15, 173, NULL, 1, 1, "Wazuh - PIX warning message."),
  244. (22000, 4314, 15, 173, NULL, 1, 1, "Wazuh - PIX notification/informational message."),
  245. (22000, 4315, 15, 173, NULL, 1, 1, "Wazuh - PIX debug message."),
  246. (22000, 4321, 15, 173, NULL, 1, 1, "Wazuh - PIX: Failed login attempt."),
  247. (22000, 4322, 15, 173, NULL, 1, 1, "Wazuh - PIX: Privilege changed."),
  248. (22000, 4323, 15, 173, NULL, 1, 1, "Wazuh - PIX: Successful login."),
  249. (22000, 4324, 15, 173, NULL, 1, 1, "Wazuh - PIX: Password mismatch while running 'enable' on the PIX."),
  250. (22000, 4325, 15, 173, NULL, 1, 1, "Wazuh - PIX: ARP collision detected."),
  251. (22000, 4326, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attempt to connect from a blocked (shunned) IP."),
  252. (22000, 4327, 15, 173, NULL, 1, 1, "Wazuh - PIX: Connection limit exceeded."),
  253. (22000, 4330, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attack in progress detected."),
  254. (22000, 4331, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attack in progress detected."),
  255. (22000, 4332, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attack in progress detected."),
  256. (22000, 4333, 15, 173, NULL, 1, 1, "Wazuh - PIX: Attack in progress detected"),
  257. (22000, 4334, 15, 173, NULL, 1, 1, "Wazuh - PIX: AAA (VPN) authentication failed."),
  258. (22000, 4335, 15, 173, NULL, 1, 1, "Wazuh - PIX: AAA (VPN) authentication successful."),
  259. (22000, 4336, 15, 173, NULL, 1, 1, "Wazuh - PIX: AAA (VPN) user locked out."),
  260. (22000, 4337, 15, 173, NULL, 1, 1, "Wazuh - PIX: The PIX is disallowing new connections."),
  261. (22000, 4338, 15, 173, NULL, 1, 1, "Wazuh - PIX: Firewall failover pair communication problem."),
  262. (22000, 4339, 15, 173, NULL, 1, 1, "Wazuh - PIX: Firewall configuration deleted."),
  263. (22000, 4340, 15, 173, NULL, 1, 1, "Wazuh - PIX: Firewall configuration changed."),
  264. (22000, 4341, 15, 173, NULL, 1, 1, "Wazuh - PIX: Firewall command executed (for accounting only)."),
  265. (22000, 4342, 15, 173, NULL, 1, 1, "Wazuh - PIX: User created or modified on the Firewall."),
  266. (22000, 4380, 15, 173, NULL, 1, 1, "Wazuh - Multiple PIX alert messages."),
  267. (22000, 4381, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple critical messages."),
  268. (22000, 4382, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple error messages."),
  269. (22000, 4383, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple warning messages."),
  270. (22000, 4385, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple attack in progress messages."),
  271. (22000, 4386, 15, 173, NULL, 1, 1, "Wazuh - PIX: Multiple AAA (VPN) authentication failures."),
  272. (22000, 4500, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the Netscreen Firewall rules"),
  273. (22000, 4501, 15, 173, NULL, 1, 1, "Wazuh - Netscreen notification message."),
  274. (22000, 4502, 15, 173, NULL, 1, 1, "Wazuh - Netscreen warning message."),
  275. (22000, 4503, 15, 173, NULL, 1, 1, "Wazuh - Netscreen critical/alert message."),
  276. (22000, 4513, 15, 173, NULL, 1, 1, "Wazuh - Netscreen critical/alert message."),
  277. (22000, 4504, 15, 173, NULL, 1, 1, "Wazuh - Netscreen informational message."),
  278. (22000, 4505, 15, 173, NULL, 1, 1, "Wazuh - Netscreen Erase sequence started."),
  279. (22000, 4506, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Successfull admin login"),
  280. (22000, 4507, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Successfull admin login"),
  281. (22000, 4508, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: policy changed."),
  282. (22000, 4509, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: configuration changed."),
  283. (22000, 4550, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Multiple critical messages from same source IP."),
  284. (22000, 4551, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Multiple critical messages."),
  285. (22000, 4552, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Multiple alert messages from same source IP."),
  286. (22000, 4553, 15, 173, NULL, 1, 1, "Wazuh - Netscreen firewall: Multiple alert messages."),
  287. (22000, 4560, 15, 173, NULL, 1, 1, "Wazuh - netscreen detected a SYN flood."),
  288. (22000, 4700, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Cisco IOS rules."),
  289. (22000, 4710, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS emergency message."),
  290. (22000, 4711, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS alert message."),
  291. (22000, 4712, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS critical message."),
  292. (22000, 4713, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS error message."),
  293. (22000, 4714, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS warning message."),
  294. (22000, 4715, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS notification message."),
  295. (22000, 4716, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS informational message."),
  296. (22000, 4717, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS debug message."),
  297. (22000, 4721, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS router configuration changed."),
  298. (22000, 4722, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS: Successful login to the router."),
  299. (22000, 4724, 15, 173, NULL, 1, 1, "Wazuh - Cisco IOS: Failed login to the router."),
  300. (22000, 4800, 15, 173, NULL, 1, 1, "Wazuh - SonicWall messages grouped."),
  301. (22000, 4801, 15, 173, NULL, 1, 1, "Wazuh - SonicWall critical message."),
  302. (22000, 4802, 15, 173, NULL, 1, 1, "Wazuh - SonicWall critical message."),
  303. (22000, 4803, 15, 173, NULL, 1, 1, "Wazuh - SonicWall error message."),
  304. (22000, 4804, 15, 173, NULL, 1, 1, "Wazuh - SonicWall warning message."),
  305. (22000, 4805, 15, 173, NULL, 1, 1, "Wazuh - SonicWall notice message."),
  306. (22000, 4806, 15, 173, NULL, 1, 1, "Wazuh - SonicWall informational message."),
  307. (22000, 4807, 15, 173, NULL, 1, 1, "Wazuh - SonicWall debug message."),
  308. (22000, 4810, 15, 173, NULL, 1, 1, "Wazuh - SonicWall: Firewall administrator login."),
  309. (22000, 4811, 15, 173, NULL, 1, 1, "Wazuh - SonicWall: Firewall authentication failure."),
  310. (22000, 4850, 15, 173, NULL, 1, 1, "Wazuh - SonicWall: Multiple firewall warning messages."),
  311. (22000, 4851, 15, 173, NULL, 1, 1, "Wazuh - SonicWall: Multiple firewall error messages."),
  312. (22000, 5500, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the pam_unix rules."),
  313. (22000, 5501, 15, 173, NULL, 1, 1, "Wazuh - PAM: Login session opened."),
  314. (22000, 5502, 15, 173, NULL, 1, 1, "Wazuh - PAM: Login session closed."),
  315. (22000, 5503, 15, 173, NULL, 1, 1, "Wazuh - PAM: User login failed."),
  316. (22000, 5504, 15, 173, NULL, 1, 1, "Wazuh - PAM: Attempt to login with an invalid user."),
  317. (22000, 5521, 15, 173, NULL, 1, 1, "Wazuh - PAM: Ignoring Annoying Ubuntu/debian cron login events."),
  318. (22000, 5522, 15, 173, NULL, 1, 1, "Wazuh - PAM: Ignoring Annoying Ubuntu/debian cron login events."),
  319. (22000, 5523, 15, 173, NULL, 1, 1, "Wazuh - PAM: Ignoring events with a user or a password."),
  320. (22000, 5551, 15, 173, NULL, 1, 1, "Wazuh - PAM: Multiple failed logins in a small period of time."),
  321. (22000, 5552, 15, 173, NULL, 1, 1, "Wazuh - PAM and gdm are not playing nicely."),
  322. (22000, 5553, 15, 173, NULL, 1, 1, "Wazuh - PAM misconfiguration."),
  323. (22000, 5554, 15, 173, NULL, 1, 1, "Wazuh - PAM misconfiguration."),
  324. (22000, 5555, 15, 173, NULL, 1, 1, "Wazuh - PAM: User changed password."),
  325. (22000, 5556, 15, 173, NULL, 1, 1, "Wazuh - unix_chkpwd grouping."),
  326. (22000, 5557, 15, 173, NULL, 1, 1, "Wazuh - unix_chkpwd: Password check failed."),
  327. (22000, 5600, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the telnetd rules"),
  328. (22000, 5601, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Connection refused by TCP Wrappers."),
  329. (22000, 5602, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Remote host established a telnet connection."),
  330. (22000, 5603, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Remote host invalid connection."),
  331. (22000, 5604, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Reverse lookup error (bad hostname config)."),
  332. (22000, 5631, 15, 173, NULL, 1, 1, "Wazuh - telnetd: Multiple connection attempts from same source (possible scan)."),
  333. (22000, 5700, 15, 173, NULL, 1, 1, "Wazuh - SSHD messages grouped."),
  334. (22000, 5701, 15, 173, NULL, 1, 1, "Wazuh - sshd: Possible attack on the ssh server (or version gathering)."),
  335. (22000, 5702, 15, 173, NULL, 1, 1, "Wazuh - sshd: Reverse lookup error (bad ISP or attack)."),
  336. (22000, 5703, 15, 173, NULL, 1, 1, "Wazuh - sshd: Possible breakin attempt (high number of reverse lookup errors)."),
  337. (22000, 5704, 15, 173, NULL, 1, 1, "Wazuh - sshd: Timeout while logging in."),
  338. (22000, 5705, 15, 173, NULL, 1, 1, "Wazuh - sshd: Possible scan or breakin attempt (high number of login timeouts)."),
  339. (22000, 5706, 15, 173, NULL, 1, 1, "Wazuh - sshd: insecure connection attempt (scan)."),
  340. (22000, 5707, 15, 173, NULL, 1, 1, "Wazuh - sshd: OpenSSH challenge-response exploit."),
  341. (22000, 5709, 15, 173, NULL, 1, 1, "Wazuh - sshd: Useless SSHD message without an user/ip and context."),
  342. (22000, 5710, 15, 173, NULL, 1, 1, "Wazuh - sshd: Attempt to login using a non-existent user"),
  343. (22000, 5711, 15, 173, NULL, 1, 1, "Wazuh - sshd: Useless/Duplicated SSHD message without a user/ip."),
  344. (22000, 5712, 15, 173, NULL, 1, 1, "Wazuh - sshd: brute force trying to get access to the system."),
  345. (22000, 5713, 15, 173, NULL, 1, 1, "Wazuh - sshd: Corrupted bytes on SSHD."),
  346. (22000, 5714, 15, 173, NULL, 1, 1, "Wazuh - sshd: SSH CRC-32 Compensation attack"),
  347. (22000, 5715, 15, 173, NULL, 1, 1, "Wazuh - sshd: authentication success."),
  348. (22000, 5716, 15, 173, NULL, 1, 1, "Wazuh - sshd: authentication failed."),
  349. (22000, 5717, 15, 173, NULL, 1, 1, "Wazuh - sshd: configuration error (moduli)."),
  350. (22000, 5718, 15, 173, NULL, 1, 1, "Wazuh - sshd: Attempt to login using a denied user."),
  351. (22000, 5719, 15, 173, NULL, 1, 1, "Wazuh - sshd: Multiple access attempts using a denied user."),
  352. (22000, 5720, 15, 173, NULL, 1, 1, "Wazuh - sshd: Multiple authentication failures."),
  353. (22000, 5721, 15, 173, NULL, 1, 1, "Wazuh - sshd: System disconnected from sshd."),
  354. (22000, 5722, 15, 173, NULL, 1, 1, "Wazuh - sshd: ssh connection closed."),
  355. (22000, 5723, 15, 173, NULL, 1, 1, "Wazuh - sshd: key error."),
  356. (22000, 5724, 15, 173, NULL, 1, 1, "Wazuh - sshd: key error."),
  357. (22000, 5725, 15, 173, NULL, 1, 1, "Wazuh - sshd: Host ungracefully disconnected."),
  358. (22000, 5726, 15, 173, NULL, 1, 1, "Wazuh - sshd: Unknown PAM module, PAM misconfiguration."),
  359. (22000, 5727, 15, 173, NULL, 1, 1, "Wazuh - sshd: Attempt to start sshd when something already bound to the port."),
  360. (22000, 5728, 15, 173, NULL, 1, 1, "Wazuh - sshd: Authentication services were not able to retrieve user credentials."),
  361. (22000, 5729, 15, 173, NULL, 1, 1, "Wazuh - sshd: Debug message."),
  362. (22000, 5730, 15, 173, NULL, 1, 1, "Wazuh - sshd: SSHD is not accepting connections."),
  363. (22000, 5731, 15, 173, NULL, 1, 1, "Wazuh - sshd: SSH Scanning."),
  364. (22000, 5732, 15, 173, NULL, 1, 1, "Wazuh - sshd: Possible port forwarding failure."),
  365. (22000, 5733, 15, 173, NULL, 1, 1, "Wazuh - sshd: User entered incorrect password."),
  366. (22000, 5734, 15, 173, NULL, 1, 1, "Wazuh - sshd: sshd could not load one or more host keys."),
  367. (22000, 5735, 15, 173, NULL, 1, 1, "Wazuh - sshd: Failed write due to one host disappearing."),
  368. (22000, 5736, 15, 173, NULL, 1, 1, "Wazuh - sshd: Connection reset or aborted."),
  369. (22000, 5737, 15, 173, NULL, 1, 1, "Wazuh - sshd: cannot bind to configured address."),
  370. (22000, 5738, 15, 173, NULL, 1, 1, "Wazuh - sshd: pam_loginuid could not open loginuid."),
  371. (22000, 5739, 15, 173, NULL, 1, 1, "Wazuh - sshd: configuration error (AuthorizedKeysCommand)"),
  372. (22000, 5740, 15, 173, NULL, 1, 1, "Wazuh - sshd: connection reset by peer"),
  373. (22000, 5741, 15, 173, NULL, 1, 1, "Wazuh - sshd: connection refused"),
  374. (22000, 5742, 15, 173, NULL, 1, 1, "Wazuh - sshd: connection timed out"),
  375. (22000, 5743, 15, 173, NULL, 1, 1, "Wazuh - sshd: no route to host"),
  376. (22000, 5744, 15, 173, NULL, 1, 1, "Wazuh - sshd: port forwarding issue"),
  377. (22000, 5745, 15, 173, NULL, 1, 1, "Wazuh - sshd: transport endpoint is not connected"),
  378. (22000, 5746, 15, 173, NULL, 1, 1, "Wazuh - sshd: get_remote_port failed"),
  379. (22000, 5747, 15, 173, NULL, 1, 1, "Wazuh - sshd: bad client public DH value"),
  380. (22000, 5748, 15, 173, NULL, 1, 1, "Wazuh - sshd: corrupted MAC on input"),
  381. (22000, 5749, 15, 173, NULL, 1, 1, "Wazuh - sshd: bad packet length"),
  382. (22000, 5750, 15, 173, NULL, 1, 1, "Wazuh - sshd: could not negotiate with client."),
  383. (22000, 5751, 15, 173, NULL, 1, 1, "Wazuh - sshd: No hostkey alg."),
  384. (22000, 5752, 15, 173, NULL, 1, 1, "Wazuh - sshd: Client did not offer an acceptable key exchange method."),
  385. (22000, 5753, 15, 173, NULL, 1, 1, "Wazuh - sshd: could not negotiate with client, no matching cipher."),
  386. (22000, 5754, 15, 173, NULL, 1, 1, "Wazuh - sshd: failed to create a session."),
  387. (22000, 5755, 15, 173, NULL, 1, 1, "Wazuh - sshd: Authentication refused due to owner/permissions of authorized_keys."),
  388. (22000, 5756, 15, 173, NULL, 1, 1, "Wazuh - sshd: subsystem request failed."),
  389. (22000, 5757, 15, 173, NULL, 1, 1, "Wazuh - Bad DNS mapping."),
  390. (22000, 5758, 15, 173, NULL, 1, 1, "Wazuh - Maximum authentication attempts exceeded."),
  391. (22000, 5759, 15, 173, NULL, 1, 1, "Wazuh - sshd: could not negotiate with client, no matching mac."),
  392. (22000, 6100, 15, 173, NULL, 1, 1, "Wazuh - Solaris BSM Auditing messages grouped."),
  393. (22000, 6101, 15, 173, NULL, 1, 1, "Wazuh - Solaris: Auditing session failed."),
  394. (22000, 6102, 15, 173, NULL, 1, 1, "Wazuh - Solaris: Auditing session succeeded."),
  395. (22000, 6103, 15, 173, NULL, 1, 1, "Wazuh - Solaris: Login session succeeded."),
  396. (22000, 6104, 15, 173, NULL, 1, 1, "Wazuh - Solaris: Login session failed."),
  397. (22000, 6105, 15, 173, NULL, 1, 1, "Wazuh - Solaris: User successfully changed UID."),
  398. (22000, 6106, 15, 173, NULL, 1, 1, "Wazuh - Solaris: User failed to change UID (user id)."),
  399. (22000, 6200, 15, 173, NULL, 1, 1, "Wazuh - Asterisk messages grouped."),
  400. (22000, 6201, 15, 173, NULL, 1, 1, "Wazuh - Asterisk notice messages grouped."),
  401. (22000, 6202, 15, 173, NULL, 1, 1, "Wazuh - Asterisk warning message."),
  402. (22000, 6203, 15, 173, NULL, 1, 1, "Wazuh - Asterisk error message."),
  403. (22000, 6210, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Login session failed."),
  404. (22000, 6211, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Login session failed (invalid user)."),
  405. (22000, 6212, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Login session failed (invalid extension)."),
  406. (22000, 6250, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Multiple failed logins (user enumeration in process)."),
  407. (22000, 6251, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Multiple failed logins."),
  408. (22000, 6252, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Extension enumeration."),
  409. (22000, 6253, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Login session failed (invalid iax user)."),
  410. (22000, 6254, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Extension IAX Enumeration."),
  411. (22000, 6255, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Possible Registration Hijacking."),
  412. (22000, 6256, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: IAX peer Wrong Password."),
  413. (22000, 6257, 15, 173, NULL, 1, 1, "Wazuh - Asterisk: Multiple failed logins."),
  414. (22000, 6300, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the MS-DHCP ipv4 rules."),
  415. (22000, 6301, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: The log was started."),
  416. (22000, 6302, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: The log was stopped."),
  417. (22000, 6303, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: The log was temporarily paused due to low disk space."),
  418. (22000, 6304, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A new IP address was leased to a client."),
  419. (22000, 6305, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was renewed by a client."),
  420. (22000, 6306, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was released by a client."),
  421. (22000, 6307, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: An IP address was found to be in use on the network."),
  422. (22000, 6308, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease request could not be satisfied because the scope's address pool was exhausted."),
  423. (22000, 6309, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was denied."),
  424. (22000, 6310, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was deleted."),
  425. (22000, 6311, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was expired and DNS records for an expired leases have not been deleted."),
  426. (22000, 6322, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A lease was expired and DNS records were deleted."),
  427. (22000, 6312, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A BOOTP address was leased to a client."),
  428. (22000, 6313, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A dynamic BOOTP address was leased to a client."),
  429. (22000, 6314, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted."),
  430. (22000, 6315, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: A BOOTP IP address was deleted after checking to see it was not in use."),
  431. (22000, 6316, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: IP address cleanup operation has begun."),
  432. (22000, 6317, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: IP address cleanup statistics."),
  433. (22000, 6318, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DNS update request to the named DNS server."),
  434. (22000, 6319, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DNS update failed."),
  435. (22000, 6320, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DNS update successful."),
  436. (22000, 6323, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Packet dropped due to NAP policy."),
  437. (22000, 6321, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Codes above 50 are used for Rogue Server Detection information."),
  438. (22000, 6350, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the MS-DHCP ipv6 rules."),
  439. (22000, 6351, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Solicit."),
  440. (22000, 6352, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Advertise."),
  441. (22000, 6354, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Confirm."),
  442. (22000, 6355, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Renew."),
  443. (22000, 6356, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Rebind."),
  444. (22000, 6357, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DHCP Decline."),
  445. (22000, 6358, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Release."),
  446. (22000, 6359, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Information Request."),
  447. (22000, 6360, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Scope Full."),
  448. (22000, 6361, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Started."),
  449. (22000, 6362, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Stopped."),
  450. (22000, 6363, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Audit log paused."),
  451. (22000, 6364, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DHCP Log File."),
  452. (22000, 6365, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Bad Address."),
  453. (22000, 6366, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Address is already in use."),
  454. (22000, 6367, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Client deleted."),
  455. (22000, 6368, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: DNS record not deleted."),
  456. (22000, 6369, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Expired."),
  457. (22000, 6370, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Expired and Deleted count."),
  458. (22000, 6371, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Database cleanup begin."),
  459. (22000, 6372, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Database cleanup end."),
  460. (22000, 6373, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Service not authorized in AD."),
  461. (22000, 6374, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Service authorized in AD."),
  462. (22000, 6376, 15, 173, NULL, 1, 1, "Wazuh - MS-DHCP: Service has not determined if it is authorized in AD."),
  463. (22000, 7200, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch messages grouped."),
  464. (22000, 7201, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch new host detected."),
  465. (22000, 7202, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: flip flop message. IP address/MAC relation changing too often."),
  466. (22000, 7203, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: exiting."),
  467. (22000, 7204, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: Changed network interface for ip address."),
  468. (22000, 7205, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: startup/exiting messages."),
  469. (22000, 7206, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: detected bad address len (ignored)."),
  470. (22000, 7207, 15, 173, NULL, 1, 1, "Wazuh - arpwatch probably run with wrong permissions"),
  471. (22000, 7208, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: An IP has reverted to an old ethernet address."),
  472. (22000, 7209, 15, 173, NULL, 1, 1, "Wazuh - Arpwatch: Possible arpspoofing attempt."),
  473. (22000, 7300, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Symantec AV rules."),
  474. (22000, 7301, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Symantec AV rules from eventlog."),
  475. (22000, 7310, 15, 173, NULL, 1, 1, "Wazuh - Symantec-AV: Virus detected."),
  476. (22000, 7320, 15, 173, NULL, 1, 1, "Wazuh - Symantec-AV: Virus scan updated,started or stopped."),
  477. (22000, 7400, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Symantec Web Security rules."),
  478. (22000, 7410, 15, 173, NULL, 1, 1, "Wazuh - Symantec-WS: Login failed accessing the web proxy."),
  479. (22000, 7415, 15, 173, NULL, 1, 1, "Wazuh - Symantec-WS: Login success accessing the web proxy."),
  480. (22000, 7420, 15, 173, NULL, 1, 1, "Wazuh - Symantec-WS: Admin Login success to the web proxy."),
  481. (22000, 7600, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Trend OSCE rules."),
  482. (22000, 7610, 15, 173, NULL, 1, 1, "Wazuh - Trend: Virus detected and cleaned/quarantined/removed"),
  483. (22000, 7611, 15, 173, NULL, 1, 1, "Wazuh - Trend: Virus detected and unable to clean up."),
  484. (22000, 7612, 15, 173, NULL, 1, 1, "Wazuh - Trend: Virus scan completed with no errors detected."),
  485. (22000, 7613, 15, 173, NULL, 1, 1, "Wazuh - Trend: Virus scan passed by found potential security risk."),
  486. (22000, 9300, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the Horde imp rules."),
  487. (22000, 9301, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP informational message."),
  488. (22000, 9302, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP notice message."),
  489. (22000, 9303, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP error message."),
  490. (22000, 9304, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP emergency message."),
  491. (22000, 9305, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP successful login."),
  492. (22000, 9306, 15, 173, NULL, 1, 1, "Wazuh - Horde IMP Failed login."),
  493. (22000, 9351, 15, 173, NULL, 1, 1, "Wazuh - Horde brute force (multiple failed logins)."),
  494. (22000, 9352, 15, 173, NULL, 1, 1, "Wazuh - Multiple Horde emergency messages."),
  495. (22000, 9400, 15, 173, NULL, 1, 1, "Wazuh - Roundcube messages grouped."),
  496. (22000, 9401, 15, 173, NULL, 1, 1, "Wazuh - Roundcube authentication failed."),
  497. (22000, 9402, 15, 173, NULL, 1, 1, "Wazuh - Roundcube authentication succeeded."),
  498. (22000, 9500, 15, 173, NULL, 1, 1, "Wazuh - Wordpress messages grouped."),
  499. (22000, 9501, 15, 173, NULL, 1, 1, "Wazuh - Wordpress authentication failed."),
  500. (22000, 9502, 15, 173, NULL, 1, 1, "Wazuh - Wordpress authentication succeeded."),
  501. (22000, 9503, 15, 173, NULL, 1, 1, "Wazuh - WPsyslog was successfully initialized."),
  502. (22000, 9504, 15, 173, NULL, 1, 1, "Wazuh - Wordpress plugin deactivated."),
  503. (22000, 9505, 15, 173, NULL, 1, 1, "Wazuh - Wordpress Comment Flood Attempt."),
  504. (22000, 9510, 15, 173, NULL, 1, 1, "Wazuh - Attack against Wordpress detected."),
  505. (22000, 9551, 15, 173, NULL, 1, 1, "Wazuh - Multiple wordpress authentication failures."),
  506. (22000, 9600, 15, 173, NULL, 1, 1, "Wazuh - cimserver messages grouped."),
  507. (22000, 9610, 15, 173, NULL, 1, 1, "Wazuh - cimserver: Compaq Insight Manager authentication failure."),
  508. (22000, 9611, 15, 173, NULL, 1, 1, "Wazuh - cimserver: Compaq Insight Manager stopped."),
  509. (22000, 9700, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Messages Grouped."),
  510. (22000, 9701, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Authentication Success."),
  511. (22000, 9702, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Authentication Failed."),
  512. (22000, 9703, 15, 173, NULL, 1, 1, "Wazuh - Dovecot is Starting Up."),
  513. (22000, 9704, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Fatal Failure."),
  514. (22000, 9705, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Invalid User Login Attempt."),
  515. (22000, 9706, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Session Disconnected."),
  516. (22000, 9707, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Aborted Login."),
  517. (22000, 9750, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Multiple Authentication Failures."),
  518. (22000, 9751, 15, 173, NULL, 1, 1, "Wazuh - Dovecot brute force attack (multiple auth failures)."),
  519. (22000, 9770, 15, 173, NULL, 1, 1, "Wazuh - dovecot-info grouping."),
  520. (22000, 9771, 15, 173, NULL, 1, 1, "Wazuh - Dovecot Invalid User Login Attempt."),
  521. (22000, 9800, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the vm-pop3d rules."),
  522. (22000, 9801, 15, 173, NULL, 1, 1, "Wazuh - vm-pop3d: Login failed accessing the pop3 server."),
  523. (22000, 9820, 15, 173, NULL, 1, 1, "Wazuh - vm-pop3d: POP3 brute force (multiple failed logins)."),
  524. (22000, 9900, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the vpopmail rules."),
  525. (22000, 9901, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: Login failed."),
  526. (22000, 9902, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: Attempt to login to vpopmail with invalid username."),
  527. (22000, 9903, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: Attempt to login to vpopmail with empty password."),
  528. (22000, 9904, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: successful login."),
  529. (22000, 9951, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: brute force (multiple failed logins)."),
  530. (22000, 9952, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: brute force (email harvesting)."),
  531. (22000, 9953, 15, 173, NULL, 1, 1, "Wazuh - vpopmail: brute force (empty password)."),
  532. (22000, 11100, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the ftpd rules."),
  533. (22000, 11101, 15, 173, NULL, 1, 1, "Wazuh - FTPD: connection refused."),
  534. (22000, 11102, 15, 173, NULL, 1, 1, "Wazuh - FTPD: File created via FTP"),
  535. (22000, 11103, 15, 173, NULL, 1, 1, "Wazuh - FTPD: File deleted via FTP"),
  536. (22000, 11104, 15, 173, NULL, 1, 1, "Wazuh - FTPD: User uploaded a file to server."),
  537. (22000, 11105, 15, 173, NULL, 1, 1, "Wazuh - FTPD: User downloaded a file to server."),
  538. (22000, 11106, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Remote host connected to FTP server."),
  539. (22000, 11107, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Connection blocked by Tcp Wrappers."),
  540. (22000, 11108, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Reverse lookup error (bad ISP config)."),
  541. (22000, 11109, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Multiple FTP failed login attempts."),
  542. (22000, 11110, 15, 173, NULL, 1, 1, "Wazuh - FTPD: User disconnected due to time out."),
  543. (22000, 11111, 15, 173, NULL, 1, 1, "Wazuh - FTPD: Attempt to login with disabled account."),
  544. (22000, 11112, 15, 173, NULL, 1, 1, "Wazuh - FTPD: authentication failure."),
  545. (22000, 11113, 15, 173, NULL, 1, 1, "Wazuh - FTPD: authentication failure."),
  546. (22000, 11200, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the proftpd rules."),
  547. (22000, 11201, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP session opened."),
  548. (22000, 11202, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP session closed."),
  549. (22000, 11203, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Attempt to login using a non-existent user."),
  550. (22000, 11204, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Login failed accessing the FTP server"),
  551. (22000, 11205, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP Authentication success."),
  552. (22000, 11206, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Connection denied by ProFTPD configuration."),
  553. (22000, 11207, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Connection refused by TCP Wrappers."),
  554. (22000, 11208, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Small PassivePorts range in config file. Server misconfiguration."),
  555. (22000, 11209, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Attempt to bypass firewall that can't adequately keep state of FTP traffic."),
  556. (22000, 11210, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Multiple failed login attempts."),
  557. (22000, 11211, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Mismatch in server's hostname."),
  558. (22000, 11212, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Reverse lookup error (bad ISP config)."),
  559. (22000, 11213, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Remote host connected to FTP server."),
  560. (22000, 11214, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Remote host disconnected due to inactivity."),
  561. (22000, 11215, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Remote host disconnected due to login time out."),
  562. (22000, 11216, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Remote host disconnected due to time out."),
  563. (22000, 11217, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Data transfer stalled."),
  564. (22000, 11218, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP process crashed."),
  565. (22000, 11219, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP server Buffer overflow attempt."),
  566. (22000, 11220, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Unable to bind to address."),
  567. (22000, 11221, 15, 173, NULL, 1, 1, "Wazuh - proftpd: IPv6 error and mod-delay info (ignored)."),
  568. (22000, 11222, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Couldn't open the incoming connection. Check log message for reason."),
  569. (22000, 11251, 15, 173, NULL, 1, 1, "Wazuh - proftpd: FTP brute force (multiple failed logins)."),
  570. (22000, 11252, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Multiple connection attempts from same source."),
  571. (22000, 11253, 15, 173, NULL, 1, 1, "Wazuh - proftpd: Multiple timed out logins from same source."),
  572. (22000, 11300, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the pure-ftpd rules."),
  573. (22000, 11301, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: New FTP connection."),
  574. (22000, 11302, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP Authentication failed."),
  575. (22000, 11303, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP user logout/timeout"),
  576. (22000, 11304, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP notice messages"),
  577. (22000, 11305, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: Attempt to access invalid directory"),
  578. (22000, 11306, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP brute force (multiple failed logins)."),
  579. (22000, 11307, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: Multiple connection attempts from same source."),
  580. (22000, 11309, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: FTP Authentication success."),
  581. (22000, 11310, 15, 173, NULL, 1, 1, "Wazuh - Rule grouping for pure ftpd transfers."),
  582. (22000, 11311, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: File added to ftpd."),
  583. (22000, 11312, 15, 173, NULL, 1, 1, "Wazuh - pure-ftpd: File retrieved from ftpd."),
  584. (22000, 11400, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the vsftpd rules."),
  585. (22000, 11401, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: FTP session opened."),
  586. (22000, 11402, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: FTP Authentication success."),
  587. (22000, 11403, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: Login failed accessing the FTP server."),
  588. (22000, 11404, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: FTP server file upload."),
  589. (22000, 11451, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: FTP brute force (multiple failed logins)."),
  590. (22000, 11452, 15, 173, NULL, 1, 1, "Wazuh - vsftpd: Multiple FTP connection attempts from same source IP."),
  591. (22000, 11500, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the Microsoft ftp rules."),
  592. (22000, 11501, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: New FTP connection."),
  593. (22000, 11502, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: FTP Authentication failed."),
  594. (22000, 11503, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: FTP Authentication success."),
  595. (22000, 11504, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: FTP client request failed."),
  596. (22000, 11510, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: FTP brute force (multiple failed logins)."),
  597. (22000, 11511, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: Multiple connection attempts from same source."),
  598. (22000, 11512, 15, 173, NULL, 1, 1, "Wazuh - MS-FTP: Multiple FTP errors from same source."),
  599. (22000, 12100, 15, 173, NULL, 1, 1, "Wazuh - Grouping of the named rules"),
  600. (22000, 12101, 15, 173, NULL, 1, 1, "Wazuh - Invalid DNS packet. Possibility of attack."),
  601. (22000, 12102, 15, 173, NULL, 1, 1, "Wazuh - Failed attempt to perform a zone transfer."),
  602. (22000, 12103, 15, 173, NULL, 1, 1, "Wazuh - DNS update denied. Generally mis-configuration."),
  603. (22000, 12104, 15, 173, NULL, 1, 1, "Wazuh - Log permission misconfiguration in Named."),
  604. (22000, 12105, 15, 173, NULL, 1, 1, "Wazuh - Unexpected error while resolving domain."),
  605. (22000, 12106, 15, 173, NULL, 1, 1, "Wazuh - DNS configuration error."),
  606. (22000, 12107, 15, 173, NULL, 1, 1, "Wazuh - DNS update using RFC2136 Dynamic protocol."),
  607. (22000, 12108, 15, 173, NULL, 1, 1, "Wazuh - Query cache denied (probably config error)."),
  608. (22000, 12109, 15, 173, NULL, 1, 1, "Wazuh - Named fatal error. DNS service going down."),
  609. (22000, 12110, 15, 173, NULL, 1, 1, "Wazuh - Serial number from master is lower than stored."),
  610. (22000, 12111, 15, 173, NULL, 1, 1, "Wazuh - Unable to perform zone transfer."),
  611. (22000, 12112, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer error."),
  612. (22000, 12113, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer deferred."),
  613. (22000, 12114, 15, 173, NULL, 1, 1, "Wazuh - Hostname contains characters that check-names does not like."),
  614. (22000, 12115, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer."),
  615. (22000, 12116, 15, 173, NULL, 1, 1, "Wazuh - Syntax error in a named configuration file."),
  616. (22000, 12117, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer retry limit exceeded"),
  617. (22000, 12118, 15, 173, NULL, 1, 1, "Wazuh - Zone has been duplicated."),
  618. (22000, 12119, 15, 173, NULL, 1, 1, "Wazuh - BIND has been started"),
  619. (22000, 12120, 15, 173, NULL, 1, 1, "Wazuh - Missing A or AAAA record"),
  620. (22000, 12121, 15, 173, NULL, 1, 1, "Wazuh - Zone has been removed from a master server"),
  621. (22000, 12122, 15, 173, NULL, 1, 1, "Wazuh - Origin of zone and owner name of SOA do not match."),
  622. (22000, 12123, 15, 173, NULL, 1, 1, "Wazuh - Zone has been duplicated"),
  623. (22000, 12125, 15, 173, NULL, 1, 1, "Wazuh - BIND Configuration error."),
  624. (22000, 12126, 15, 173, NULL, 1, 1, "Wazuh - Zone has been removed from a master server"),
  625. (22000, 12127, 15, 173, NULL, 1, 1, "Wazuh - Origin of zone and owner name of SOA do not match."),
  626. (22000, 12128, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer."),
  627. (22000, 12129, 15, 173, NULL, 1, 1, "Wazuh - Zone transfer failed, unable to connect to master."),
  628. (22000, 12130, 15, 173, NULL, 1, 1, "Wazuh - Could not listen on IPv6 interface."),
  629. (22000, 12131, 15, 173, NULL, 1, 1, "Wazuh - Could not bind to an interface."),
  630. (22000, 12132, 15, 173, NULL, 1, 1, "Wazuh - Master is not authoritative for zone."),
  631. (22000, 12133, 15, 173, NULL, 1, 1, "Wazuh - Could not open configuration file, permission denied."),
  632. (22000, 12134, 15, 173, NULL, 1, 1, "Wazuh - Could not open configuration file, permission denied."),
  633. (22000, 12135, 15, 173, NULL, 1, 1, "Wazuh - Domain in SOA -E."),
  634. (22000, 12136, 15, 173, NULL, 1, 1, "Wazuh - Master appears to be down."),
  635. (22000, 12137, 15, 173, NULL, 1, 1, "Wazuh - Domain is queried for a zone transferred."),
  636. (22000, 12138, 15, 173, NULL, 1, 1, "Wazuh - Domain A record found."),
  637. (22000, 12139, 15, 173, NULL, 1, 1, "Wazuh - Bad zone transfer request."),
  638. (22000, 12140, 15, 173, NULL, 1, 1, "Wazuh - Cannot refresh a domain from the master server."),
  639. (22000, 12141, 15, 173, NULL, 1, 1, "Wazuh - Origin of zone and owner name of SOA do not match."),
  640. (22000, 12142, 15, 173, NULL, 1, 1, "Wazuh - named command channel is listening."),
  641. (22000, 12143, 15, 173, NULL, 1, 1, "Wazuh - named has created an automatic empty zone."),
  642. (22000, 12144, 15, 173, NULL, 1, 1, "Wazuh - Server does not have enough memory to reload the configuration."),
  643. (22000, 12145, 15, 173, NULL, 1, 1, "Wazuh - zone transfer denied"),
  644. (22000, 12146, 15, 173, NULL, 1, 1, "Wazuh - Cannot send a DNS response."),
  645. (22000, 12147, 15, 173, NULL, 1, 1, "Wazuh - Cannot update forwarding domain."),
  646. (22000, 12148, 15, 173, NULL, 1, 1, "Wazuh - Parsing of a configuration file has failed."),
  647. (22000, 13100, 15, 173, NULL, 1, 1, "Wazuh - Grouping for the smbd rules."),
  648. (22000, 13101, 15, 173, NULL, 1, 1, "Wazuh - Samba network problems."),
  649. (22000, 13102, 15, 173, NULL, 1, 1, "Wazuh - Samba connection denied."),
  650. (22000, 13103, 15, 173, NULL, 1, 1, "Wazuh - Samba network problems."),
  651. (22000, 13104, 15, 173, NULL, 1, 1, "Wazuh - Samba: User action denied by configuration."),
  652. (22000, 13105, 15, 173, NULL, 1, 1, "Wazuh - Samba network problems (unable to connect)."),
  653. (22000, 13106, 15, 173, NULL, 1, 1, "Wazuh - "),
  654. (22000, 13108, 15, 173, NULL, 1, 1, "Wazuh - Samba: An attempt has been made to start smbd but the process is already running."),
  655. (22000, 13109, 15, 173, NULL, 1, 1, "Wazuh - Samba: An attempt has been made to start nmbd but the process is already running."),
  656. (22000, 13110, 15, 173, NULL, 1, 1, "Wazuh - Samba: Connection was denied."),
  657. (22000, 13111, 15, 173, NULL, 1, 1, "Wazuh - Samba: Socket is not connected, write failed."),
  658. (22000, 13112, 15, 173, NULL, 1, 1, "Wazuh - Samba: Segfault in gvfs-smb."),
  659. (22000, 14100, 15, 173, NULL, 1, 1, "Wazuh - Grouping of racoon rules."),
  660. (22000, 14101, 15, 173, NULL, 1, 1, "Wazuh - racoon: VPN authentication failed."),
  661. (22000, 14110, 15, 173, NULL, 1, 1, "Wazuh - Racoon informational message."),
  662. (22000, 14111, 15, 173, NULL, 1, 1, "Wazuh - Racoon error message."),
  663. (22000, 14112, 15, 173, NULL, 1, 1, "Wazuh - Racoon warning message."),
  664. (22000, 14120, 15, 173, NULL, 1, 1, "Wazuh - racoon: VPN established."),
  665. (22000, 14121, 15, 173, NULL, 1, 1, "Wazuh - racoon: Roadwarrior configuration (ignored error)."),
  666. (22000, 14122, 15, 173, NULL, 1, 1, "Wazuh - racoon: Roadwarrior configuration (ignored warning)."),
  667. (22000, 14123, 15, 173, NULL, 1, 1, "Wazuh - racoon: Invalid configuration settings (ignored error)."),
  668. (22000, 14151, 15, 173, NULL, 1, 1, "Wazuh - racoon: Multiple failed VPN logins."),
  669. (22000, 14200, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Cisco VPN concentrator rules"),
  670. (22000, 14201, 15, 173, NULL, 1, 1, "Wazuh - CiscoVPN: VPN authentication successful."),
  671. (22000, 14202, 15, 173, NULL, 1, 1, "Wazuh - CiscoVPN: VPN authentication failed."),
  672. (22000, 14203, 15, 173, NULL, 1, 1, "Wazuh - CiscoVPN: VPN Admin authentication successful."),
  673. (22000, 14251, 15, 173, NULL, 1, 1, "Wazuh - CiscoVPN: Multiple VPN authentication failures."),
  674. (22000, 18100, 15, 173, NULL, 1, 1, "Wazuh - Group of windows rules."),
  675. (22000, 18101, 15, 173, NULL, 1, 1, "Wazuh - Windows informational event."),
  676. (22000, 18102, 15, 173, NULL, 1, 1, "Wazuh - Windows warning event."),
  677. (22000, 18103, 15, 173, NULL, 1, 1, "Wazuh - Windows error event."),
  678. (22000, 18104, 15, 173, NULL, 1, 1, "Wazuh - Windows audit success event."),
  679. (22000, 18105, 15, 173, NULL, 1, 1, "Wazuh - Windows audit failure event."),
  680. (22000, 18106, 15, 173, NULL, 1, 1, "Wazuh - Windows Logon Failure."),
  681. (22000, 18107, 15, 173, NULL, 1, 1, "Wazuh - Windows Logon Success."),
  682. (22000, 18108, 15, 173, NULL, 1, 1, "Wazuh - Windows: Failed attempt to perform a privileged operation."),
  683. (22000, 18109, 15, 173, NULL, 1, 1, "Wazuh - Windows: Session reconnected/disconnected to winstation."),
  684. (22000, 18110, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account enabled or created."),
  685. (22000, 18111, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account changed."),
  686. (22000, 18112, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account disabled or deleted."),
  687. (22000, 18113, 15, 173, NULL, 1, 1, "Wazuh - Windows Audit Policy changed."),
  688. (22000, 18114, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group Account Changed"),
  689. (22000, 18115, 15, 173, NULL, 1, 1, "Wazuh - Windows: General account database changed."),
  690. (22000, 18116, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account locked out (multiple login errors)."),
  691. (22000, 18117, 15, 173, NULL, 1, 1, "Wazuh - Windows is shutting down."),
  692. (22000, 18118, 15, 173, NULL, 1, 1, "Wazuh - Windows audit log was cleared."),
  693. (22000, 18119, 15, 173, NULL, 1, 1, "Wazuh - Windows: First time this user logged in this system."),
  694. (22000, 18120, 15, 173, NULL, 1, 1, "Wazuh - Windows login attempt (ignored). Duplicated."),
  695. (22000, 18125, 15, 173, NULL, 1, 1, "Wazuh - Windows: Remote access login failure."),
  696. (22000, 18126, 15, 173, NULL, 1, 1, "Wazuh - Windows: Remote access login success."),
  697. (22000, 18127, 15, 173, NULL, 1, 1, "Wazuh - Windows: Computer account added/changed/deleted."),
  698. (22000, 18128, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group account added/changed/deleted."),
  699. (22000, 18129, 15, 173, NULL, 1, 1, "Wazuh - Windows file system full."),
  700. (22000, 18130, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Unknown user or bad password."),
  701. (22000, 18131, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Account logon time restriction violation."),
  702. (22000, 18132, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Account currently disabled."),
  703. (22000, 18133, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Specified account expired."),
  704. (22000, 18134, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - User not allowed to login at this computer."),
  705. (22000, 18135, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - User not granted logon type."),
  706. (22000, 18136, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Account's password expired."),
  707. (22000, 18137, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Internal error."),
  708. (22000, 18138, 15, 173, NULL, 1, 1, "Wazuh - Windows: Logon Failure - Account locked out."),
  709. (22000, 18139, 15, 173, NULL, 1, 1, "Wazuh - Windows DC Logon Failure."),
  710. (22000, 18140, 15, 173, NULL, 1, 1, "Wazuh - Windows: System time changed."),
  711. (22000, 18141, 15, 173, NULL, 1, 1, "Wazuh - Unexpected Windows shutdown."),
  712. (22000, 18142, 15, 173, NULL, 1, 1, "Wazuh - Windows: User account unlocked."),
  713. (22000, 18143, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security enabled group created."),
  714. (22000, 18144, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security enabled group deleted."),
  715. (22000, 18145, 15, 173, NULL, 1, 1, "Wazuh - Windows: Service startup type was changed."),
  716. (22000, 18146, 15, 173, NULL, 1, 1, "Wazuh - Windows: Application Uninstalled."),
  717. (22000, 18147, 15, 173, NULL, 1, 1, "Wazuh - Windows: Application Installed."),
  718. (22000, 18148, 15, 173, NULL, 1, 1, "Wazuh - Windows is starting up."),
  719. (22000, 18149, 15, 173, NULL, 1, 1, "Wazuh - Windows User Logoff."),
  720. (22000, 18200, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group Account Created"),
  721. (22000, 18201, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group Account Deleted"),
  722. (22000, 18202, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Created"),
  723. (22000, 18203, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Member Added"),
  724. (22000, 18204, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Member Removed"),
  725. (22000, 18205, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Deleted"),
  726. (22000, 18206, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Created"),
  727. (22000, 18207, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Member Added"),
  728. (22000, 18208, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Member Removed"),
  729. (22000, 18209, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Deleted"),
  730. (22000, 18210, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Local Group Changed"),
  731. (22000, 18211, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Global Group Changed"),
  732. (22000, 18212, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Created"),
  733. (22000, 18213, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Changed"),
  734. (22000, 18214, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Member Added"),
  735. (22000, 18215, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Member Removed"),
  736. (22000, 18216, 15, 173, NULL, 1, 1, "Wazuh - Windows: Security Enabled Universal Group Deleted"),
  737. (22000, 18217, 15, 173, NULL, 1, 1, "Wazuh - Windows: Administrators Group Changed"),
  738. (22000, 18218, 15, 173, NULL, 1, 1, "Wazuh - Windows: Everyone Group Changed"),
  739. (22000, 18219, 15, 173, NULL, 1, 1, "Wazuh - Windows: Enterprise Domain Controllers Group Changed"),
  740. (22000, 18220, 15, 173, NULL, 1, 1, "Wazuh - Windows: Authenticated Users Group Changed"),
  741. (22000, 18221, 15, 173, NULL, 1, 1, "Wazuh - Windows: Terminal Server Users Group Changed"),
  742. (22000, 18222, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Admins Group Changed"),
  743. (22000, 18223, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Users Group Changed"),
  744. (22000, 18224, 15, 173, NULL, 1, 1, "Wazuh - Windows: Local User Group NONE"),
  745. (22000, 18225, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Guests Group Changed"),
  746. (22000, 18226, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Computers Group Changed"),
  747. (22000, 18227, 15, 173, NULL, 1, 1, "Wazuh - Windows: Domain Controllers Group Changed"),
  748. (22000, 18228, 15, 173, NULL, 1, 1, "Wazuh - Windows: Cert Publishers Group Changed"),
  749. (22000, 18229, 15, 173, NULL, 1, 1, "Wazuh - Windows: Schema Admins Group Changed"),
  750. (22000, 18230, 15, 173, NULL, 1, 1, "Wazuh - Windows: Enterprise Admins Group Changed"),
  751. (22000, 18231, 15, 173, NULL, 1, 1, "Wazuh - Windows: Group Policy Creator Owners Group Changed"),
  752. (22000, 18232, 15, 173, NULL, 1, 1, "Wazuh - Windows: RAS and IAS Servers Group Changed"),
  753. (22000, 18233, 15, 173, NULL, 1, 1, "Wazuh - Windows: Users Group Changed"),
  754. (22000, 18234, 15, 173, NULL, 1, 1, "Wazuh - Windows: Guests Group Changed"),
  755. (22000, 18235, 15, 173, NULL, 1, 1, "Wazuh - Windows: Power Users Group Changed"),
  756. (22000, 18236, 15, 173, NULL, 1, 1, "Wazuh - Windows: Account Operators Group Changed"),
  757. (22000, 18237, 15, 173, NULL, 1, 1, "Wazuh - Windows: Server Operators Group Changed"),
  758. (22000, 18238, 15, 173, NULL, 1, 1, "Wazuh - Windows: Print Operators Group Changed"),
  759. (22000, 18239, 15, 173, NULL, 1, 1, "Wazuh - Windows: Backup Operators Group Changed"),
  760. (22000, 18240, 15, 173, NULL, 1, 1, "Wazuh - Windows: Replicators Group Changed"),
  761. (22000, 18241, 15, 173, NULL, 1, 1, "Wazuh - Pre-Windows 2000 Compatible Access Group Changed"),
  762. (22000, 18242, 15, 173, NULL, 1, 1, "Wazuh - Windows: Remote Desktop Users Group Changed"),
  763. (22000, 18243, 15, 173, NULL, 1, 1, "Wazuh - Windows: Network Configuration Operators Group Changed"),
  764. (22000, 18244, 15, 173, NULL, 1, 1, "Wazuh - Windows: Incoming Forest Trust Builders Group Changed"),
  765. (22000, 18245, 15, 173, NULL, 1, 1, "Wazuh - Windows: Performance Monitor Users Group Changed"),
  766. (22000, 18246, 15, 173, NULL, 1, 1, "Wazuh - Windows: Performance Log Users Group Changed"),
  767. (22000, 18247, 15, 173, NULL, 1, 1, "Wazuh - Windows Authorization Access Group Changed"),
  768. (22000, 18248, 15, 173, NULL, 1, 1, "Wazuh - Windows: Terminal Server License Servers Group Changed"),
  769. (22000, 18249, 15, 173, NULL, 1, 1, "Wazuh - Windows: Distributed COM Users Group Changed"),
  770. (22000, 18250, 15, 173, NULL, 1, 1, "Wazuh - Windows: Enterprise Read-only Domain Controllers Group Changed"),
  771. (22000, 18251, 15, 173, NULL, 1, 1, "Wazuh - Windows: Read-only Domain Controllers Group Changed"),
  772. (22000, 18252, 15, 173, NULL, 1, 1, "Wazuh - Windows: Cryptographic Operators Group Changed"),
  773. (22000, 18253, 15, 173, NULL, 1, 1, "Wazuh - Windows: Allowed RODC Password Replication Group Changed"),
  774. (22000, 18254, 15, 173, NULL, 1, 1, "Wazuh - Windows: Denied RODC Password Replication Group Changed"),
  775. (22000, 18255, 15, 173, NULL, 1, 1, "Wazuh - Windows: Event Log Readers Group Changed"),
  776. (22000, 18256, 15, 173, NULL, 1, 1, "Wazuh - Windows: Certificate Service DCOM Access Group Changed"),
  777. (22000, 18257, 15, 173, NULL, 1, 1, "Wazuh - Windows: TS Gateway login success."),
  778. (22000, 18270, 15, 173, NULL, 1, 1, "Wazuh - Ignore rule 18257: TS Gateway login success"),
  779. (22000, 18258, 15, 173, NULL, 1, 1, "Wazuh - Windows: TS Gateway login failure."),
  780. (22000, 18259, 15, 173, NULL, 1, 1, "Wazuh - Windows: TS Gateway user disconnected."),
  781. (22000, 18121, 15, 173, NULL, 1, 1, "Wazuh - Windows Logon Success (ignored)."),
  782. (22000, 18170, 15, 173, NULL, 1, 1, "Wazuh - Windows DC integrity check on decrypted field failed."),
  783. (22000, 18171, 15, 173, NULL, 1, 1, "Wazuh - Windows DC - Possible replay attack."),
  784. (22000, 18172, 15, 173, NULL, 1, 1, "Wazuh - Windows DC - Clock skew too great."),
  785. (22000, 18180, 15, 173, NULL, 1, 1, "Wazuh - MS SQL Server Logon Failure."),
  786. (22000, 18181, 15, 173, NULL, 1, 1, "Wazuh - MS SQL Server Logon Success."),
  787. (22000, 18260, 15, 173, NULL, 1, 1, "Wazuh - MS Exchange Logon Success."),
  788. (22000, 18261, 15, 173, NULL, 1, 1, "Wazuh - MS Exchange User Logoff."),
  789. (22000, 18151, 15, 173, NULL, 1, 1, "Wazuh - Windows: Multiple failed attempts to perform a privileged operation by the same user."),
  790. (22000, 18152, 15, 173, NULL, 1, 1, "Wazuh - Multiple Windows Logon Failures."),
  791. (22000, 18153, 15, 173, NULL, 1, 1, "Wazuh - Multiple Windows audit failure events."),
  792. (22000, 18154, 15, 173, NULL, 1, 1, "Wazuh - Multiple Windows error events."),
  793. (22000, 18155, 15, 173, NULL, 1, 1, "Wazuh - Multiple Windows warning events."),
  794. (22000, 18156, 15, 173, NULL, 1, 1, "Wazuh - Windows: Multiple remote access login failures."),
  795. (22000, 18157, 15, 173, NULL, 1, 1, "Wazuh - Windows: Multiple TS Gateway login failures."),
  796. (22000, 18158, 15, 173, NULL, 1, 1, "Wazuh - Chrome Remote Desktop attempt - access denied"),
  797. (22000, 18159, 15, 173, NULL, 1, 1, "Wazuh - Chrome Remote Desktop attempt - connected"),
  798. (22000, 18160, 15, 173, NULL, 1, 1, "Wazuh - Chrome Remote Desktop attempt - disconnected"),
  799. (22000, 7500, 15, 173, NULL, 1, 1, "Wazuh - Grouping of McAfee Windows AV rules."),
  800. (22000, 7501, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV informational event."),
  801. (22000, 7502, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV warning event."),
  802. (22000, 7503, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV error event."),
  803. (22000, 7504, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus detected and not removed."),
  804. (22000, 7505, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus detected and properly removed."),
  805. (22000, 7506, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus detected and file will be deleted."),
  806. (22000, 7507, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Scan started or stopped."),
  807. (22000, 7508, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Scan completed with no viruses found."),
  808. (22000, 7509, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus scan cancelled."),
  809. (22000, 7510, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus scan cancelled due to shutdown."),
  810. (22000, 7511, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus program or DAT update succeeded."),
  811. (22000, 7512, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus program or DAT update failed."),
  812. (22000, 7513, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - Virus program or DAT update cancelled."),
  813. (22000, 7514, 15, 173, NULL, 1, 1, "Wazuh - McAfee Windows AV - EICAR test file detected."),
  814. (22000, 7550, 15, 173, NULL, 1, 1, "Wazuh - Multiple McAfee AV warning events."),
  815. (22000, 7701, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Microsoft Security Essentials rules."),
  816. (22000, 7710, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Virus detected, but unable to remove."),
  817. (22000, 7711, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Virus detected and properly removed."),
  818. (22000, 7712, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Virus detected."),
  819. (22000, 7713, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Suspicious activity detected."),
  820. (22000, 7720, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Configuration changed."),
  821. (22000, 7721, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Service failed."),
  822. (22000, 7722, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Real time protection failed."),
  823. (22000, 7723, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Cannot use Dynamic Signature Service."),
  824. (22000, 7724, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Loading definitions failed. Using last good set."),
  825. (22000, 7725, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Engine update failed."),
  826. (22000, 7726, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Definitions update failed."),
  827. (22000, 7727, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Scan error. Scan has stopped."),
  828. (22000, 7728, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - Scan stopped before completion."),
  829. (22000, 7731, 15, 173, NULL, 1, 1, "Wazuh - Microsoft Security Essentials - EICAR test file detected."),
  830. (22000, 7750, 15, 173, NULL, 1, 1, "Wazuh - Multiple Microsoft Security Essentials AV warnings detected."),
  831. (22000, 7751, 15, 173, NULL, 1, 1, "Wazuh - Multiple Microsoft Security Essentials AV warnings detected."),
  832. (22000, 19100, 15, 173, NULL, 1, 1, "Wazuh - VMWare messages grouped."),
  833. (22000, 19101, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX syslog messages grouped."),
  834. (22000, 19102, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX critical message."),
  835. (22000, 19103, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX error message."),
  836. (22000, 19104, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX warning message."),
  837. (22000, 19105, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX notice message."),
  838. (22000, 19106, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX informational message."),
  839. (22000, 19107, 15, 173, NULL, 1, 1, "Wazuh - VMware ESX verbose message."),
  840. (22000, 19110, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX authentication success."),
  841. (22000, 19111, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX authentication failure."),
  842. (22000, 19112, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX user login."),
  843. (22000, 19113, 15, 173, NULL, 1, 1, "Wazuh - VMWare ESX user authentication failure."),
  844. (22000, 19120, 15, 173, NULL, 1, 1, "Wazuh - Virtual machine state changed to OFF."),
  845. (22000, 19121, 15, 173, NULL, 1, 1, "Wazuh - Virtual machine being turned ON."),
  846. (22000, 19122, 15, 173, NULL, 1, 1, "Wazuh - Virtual machine state changed to ON."),
  847. (22000, 19123, 15, 173, NULL, 1, 1, "Wazuh - Virtual machine being reconfigured."),
  848. (22000, 19150, 15, 173, NULL, 1, 1, "Wazuh - Multiple VMWare ESX warning messages."),
  849. (22000, 19151, 15, 173, NULL, 1, 1, "Wazuh - Multiple VMWare ESX error messages."),
  850. (22000, 19152, 15, 173, NULL, 1, 1, "Wazuh - Multiple VMWare ESX authentication failures."),
  851. (22000, 19153, 15, 173, NULL, 1, 1, "Wazuh - Multiple VMWare ESX user authentication failures."),
  852. (22000, 20100, 15, 173, NULL, 1, 1, "Wazuh - First time this IDS alert is generated."),
  853. (22000, 20101, 15, 173, NULL, 1, 1, "Wazuh - IDS event."),
  854. (22000, 20102, 15, 173, NULL, 1, 1, "Wazuh - Ignored snort ids."),
  855. (22000, 20103, 15, 173, NULL, 1, 1, "Wazuh - Ignored snort ids."),
  856. (22000, 20152, 15, 173, NULL, 1, 1, "Wazuh - Multiple IDS alerts for same id."),
  857. (22000, 20151, 15, 173, NULL, 1, 1, "Wazuh - Multiple IDS events from same source ip."),
  858. (22000, 20161, 15, 173, NULL, 1, 1, "Wazuh - Multiple IDS events from same source ip (ignoring now this srcip and id)."),
  859. (22000, 20162, 15, 173, NULL, 1, 1, "Wazuh - Multiple IDS alerts for same id (ignoring now this id)."),
  860. (22000, 31100, 15, 173, NULL, 1, 1, "Wazuh - Access log messages grouped."),
  861. (22000, 31108, 15, 173, NULL, 1, 1, "Wazuh - Ignored URLs (simple queries)."),
  862. (22000, 31101, 15, 173, NULL, 1, 1, "Wazuh - Web server 400 error code."),
  863. (22000, 31102, 15, 173, NULL, 1, 1, "Wazuh - Ignored extensions on 400 error codes."),
  864. (22000, 31103, 15, 173, NULL, 1, 1, "Wazuh - SQL injection attempt."),
  865. (22000, 31104, 15, 173, NULL, 1, 1, "Wazuh - Common web attack."),
  866. (22000, 31105, 15, 173, NULL, 1, 1, "Wazuh - XSS (Cross Site Scripting) attempt."),
  867. (22000, 31106, 15, 173, NULL, 1, 1, "Wazuh - A web attack returned code 200 (success)."),
  868. (22000, 31110, 15, 173, NULL, 1, 1, "Wazuh - PHP CGI-bin vulnerability attempt."),
  869. (22000, 31109, 15, 173, NULL, 1, 1, "Wazuh - MSSQL Injection attempt (/ur.php, urchin.js)"),
  870. (22000, 31107, 15, 173, NULL, 1, 1, "Wazuh - Ignored URLs for the web attacks"),
  871. (22000, 31115, 15, 173, NULL, 1, 1, "Wazuh - URL too long. Higher than allowed on most browsers. Possible attack."),
  872. (22000, 31120, 15, 173, NULL, 1, 1, "Wazuh - Web server 500 error code (server error)."),
  873. (22000, 31121, 15, 173, NULL, 1, 1, "Wazuh - Web server 501 error code (Not Implemented)."),
  874. (22000, 31122, 15, 173, NULL, 1, 1, "Wazuh - Web server 500 error code (Internal Error)."),
  875. (22000, 31123, 15, 173, NULL, 1, 1, "Wazuh - Web server 503 error code (Service unavailable)."),
  876. (22000, 31140, 15, 173, NULL, 1, 1, "Wazuh - Ignoring google/msn/yahoo bots."),
  877. (22000, 31141, 15, 173, NULL, 1, 1, "Wazuh - Ignored 499's on nginx."),
  878. (22000, 31151, 15, 173, NULL, 1, 1, "Wazuh - Multiple web server 400 error codes from same source ip."),
  879. (22000, 31152, 15, 173, NULL, 1, 1, "Wazuh - Multiple SQL injection attempts from same source ip."),
  880. (22000, 31153, 15, 173, NULL, 1, 1, "Wazuh - Multiple common web attacks from same source ip."),
  881. (22000, 31154, 15, 173, NULL, 1, 1, "Wazuh - Multiple XSS (Cross Site Scripting) attempts from same source ip."),
  882. (22000, 31161, 15, 173, NULL, 1, 1, "Wazuh - Multiple web server 501 error code (Not Implemented)."),
  883. (22000, 31162, 15, 173, NULL, 1, 1, "Wazuh - Multiple web server 500 error code (Internal Error)."),
  884. (22000, 31163, 15, 173, NULL, 1, 1, "Wazuh - Multiple web server 503 error code (Service unavailable)."),
  885. (22000, 31164, 15, 173, NULL, 1, 1, "Wazuh - SQL injection attempt."),
  886. (22000, 31165, 15, 173, NULL, 1, 1, "Wazuh - SQL injection attempt."),
  887. (22000, 31166, 15, 173, NULL, 1, 1, "Wazuh - Shellshock attack detected"),
  888. (22000, 30100, 15, 173, NULL, 1, 1, "Wazuh - Apache messages grouped."),
  889. (22000, 30101, 15, 173, NULL, 1, 1, "Wazuh - Apache error messages grouped."),
  890. (22000, 30102, 15, 173, NULL, 1, 1, "Wazuh - Apache warn messages grouped."),
  891. (22000, 30103, 15, 173, NULL, 1, 1, "Wazuh - Apache notice messages grouped."),
  892. (22000, 30104, 15, 173, NULL, 1, 1, "Wazuh - Apache: segmentation fault."),
  893. (22000, 30105, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access forbidden file or directory."),
  894. (22000, 30106, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access forbidden directory index."),
  895. (22000, 30107, 15, 173, NULL, 1, 1, "Wazuh - Apache: Code Red attack."),
  896. (22000, 30108, 15, 173, NULL, 1, 1, "Wazuh - Apache: User authentication failed."),
  897. (22000, 30109, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to login using a non-existent user."),
  898. (22000, 30110, 15, 173, NULL, 1, 1, "Wazuh - Apache: User authentication failed."),
  899. (22000, 30112, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access an non-existent file (those are reported on the access.log)."),
  900. (22000, 30115, 15, 173, NULL, 1, 1, "Wazuh - Apache: Invalid URI (bad client request)."),
  901. (22000, 30116, 15, 173, NULL, 1, 1, "Wazuh - Apache: Multiple Invalid URI requests from same source."),
  902. (22000, 30117, 15, 173, NULL, 1, 1, "Wazuh - Apache: Invalid URI, file name too long."),
  903. (22000, 30118, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity: Access attempt blocked."),
  904. (22000, 30119, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity: Multiple attempts blocked."),
  905. (22000, 30120, 15, 173, NULL, 1, 1, "Wazuh - Apache: without resources to run."),
  906. (22000, 30200, 15, 173, NULL, 1, 1, "Wazuh - Modsecurity alert."),
  907. (22000, 30201, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity: access denied."),
  908. (22000, 30202, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity: Multiple attempts blocked."),
  909. (22000, 30301, 15, 173, NULL, 1, 1, "Wazuh - Apache error messages grouped."),
  910. (22000, 30302, 15, 173, NULL, 1, 1, "Wazuh - Apache warn messages grouped."),
  911. (22000, 30303, 15, 173, NULL, 1, 1, "Wazuh - Apache notice messages grouped."),
  912. (22000, 30304, 15, 173, NULL, 1, 1, "Wazuh - Apache: segmentation fault."),
  913. (22000, 30305, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access forbidden file or directory."),
  914. (22000, 30306, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access forbidden directory index."),
  915. (22000, 30307, 15, 173, NULL, 1, 1, "Wazuh - Apache: Client sent malformed Host header. Possible Code Red attack."),
  916. (22000, 30308, 15, 173, NULL, 1, 1, "Wazuh - Apache: User authentication failed."),
  917. (22000, 30309, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to login using a non-existent user."),
  918. (22000, 30310, 15, 173, NULL, 1, 1, "Wazuh - Apache: Multiple authentication failures with invalid user."),
  919. (22000, 30312, 15, 173, NULL, 1, 1, "Wazuh - Apache: Attempt to access an non-existent file (those are reported on the access.log)."),
  920. (22000, 30315, 15, 173, NULL, 1, 1, "Wazuh - Apache: Invalid URI (bad client request)."),
  921. (22000, 30316, 15, 173, NULL, 1, 1, "Wazuh - Apache: Multiple Invalid URI requests from same source."),
  922. (22000, 30317, 15, 173, NULL, 1, 1, "Wazuh - Apache: Invalid URI, file name too long."),
  923. (22000, 30318, 15, 173, NULL, 1, 1, "Wazuh - Apache: PHP Notice in Apache log"),
  924. (22000, 30401, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Warning messages grouped"),
  925. (22000, 30402, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Access denied messages grouped"),
  926. (22000, 30403, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Audit log messages grouped"),
  927. (22000, 30411, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity rejected a query"),
  928. (22000, 30412, 15, 173, NULL, 1, 1, "Wazuh - Apache: Shellshock attack attempt"),
  929. (22000, 31200, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Zeus rules."),
  930. (22000, 31201, 15, 173, NULL, 1, 1, "Wazuh - Grouping of Zeus informational logs."),
  931. (22000, 31202, 15, 173, NULL, 1, 1, "Wazuh - Zeus warning log."),
  932. (22000, 31203, 15, 173, NULL, 1, 1, "Wazuh - Zeus serious log."),
  933. (22000, 31204, 15, 173, NULL, 1, 1, "Wazuh - Zeus fatal log."),
  934. (22000, 31205, 15, 173, NULL, 1, 1, "Wazuh - Zeus: Admin authentication failed."),
  935. (22000, 31206, 15, 173, NULL, 1, 1, "Wazuh - Zeus: Configuration warning (ignored)."),
  936. (22000, 31251, 15, 173, NULL, 1, 1, "Wazuh - Multiple Zeus warnings."),
  937. (22000, 31300, 15, 173, NULL, 1, 1, "Wazuh - Nginx messages grouped."),
  938. (22000, 31301, 15, 173, NULL, 1, 1, "Wazuh - Nginx error message."),
  939. (22000, 31302, 15, 173, NULL, 1, 1, "Wazuh - Nginx warning message."),
  940. (22000, 31303, 15, 173, NULL, 1, 1, "Wazuh - Nginx critical message."),
  941. (22000, 31310, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Server returned 404 (reported in the access.log)."),
  942. (22000, 31311, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Incomplete client request."),
  943. (22000, 31312, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Initial 401 authentication request."),
  944. (22000, 31315, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Web authentication failed."),
  945. (22000, 31316, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Multiple web authentication failures."),
  946. (22000, 31317, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Common cache error when files were removed."),
  947. (22000, 31320, 15, 173, NULL, 1, 1, "Wazuh - Nginx: Invalid URI, file name too long."),
  948. (22000, 31330, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Warning messages grouped"),
  949. (22000, 31331, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Access denied messages grouped"),
  950. (22000, 31332, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity Audit log messages grouped"),
  951. (22000, 31333, 15, 173, NULL, 1, 1, "Wazuh - ModSecurity rejected a query"),
  952. (22000, 31401, 15, 173, NULL, 1, 1, "Wazuh - PHP Warning message."),
  953. (22000, 31402, 15, 173, NULL, 1, 1, "Wazuh - PHP Fatal error."),
  954. (22000, 31403, 15, 173, NULL, 1, 1, "Wazuh - PHP Parse error."),
  955. (22000, 31404, 15, 173, NULL, 1, 1, "Wazuh - PHP Warning message."),
  956. (22000, 31405, 15, 173, NULL, 1, 1, "Wazuh - PHP Fatal error."),
  957. (22000, 31406, 15, 173, NULL, 1, 1, "Wazuh - PHP Parse error."),
  958. (22000, 31410, 15, 173, NULL, 1, 1, "Wazuh - PHP Warning message."),
  959. (22000, 31411, 15, 173, NULL, 1, 1, "Wazuh - PHP web attack."),
  960. (22000, 31412, 15, 173, NULL, 1, 1, "Wazuh - PHP internal error (missing file)."),
  961. (22000, 31413, 15, 173, NULL, 1, 1, "Wazuh - PHP internal error (server out of space)."),
  962. (22000, 31420, 15, 173, NULL, 1, 1, "Wazuh - PHP Fatal error."),
  963. (22000, 31421, 15, 173, NULL, 1, 1, "Wazuh - PHP internal error (missing file or function)."),
  964. (22000, 31430, 15, 173, NULL, 1, 1, "Wazuh - PHP Parse error."),
  965. (22000, 31501, 15, 173, NULL, 1, 1, "Wazuh - WordPress Comment Spam (coming from a fake search engine UA)."),
  966. (22000, 31502, 15, 173, NULL, 1, 1, "Wazuh - TimThumb vulnerability exploit attempt."),
  967. (22000, 31503, 15, 173, NULL, 1, 1, "Wazuh - osCommerce login.php bypass attempt."),
  968. (22000, 31504, 15, 173, NULL, 1, 1, "Wazuh - osCommerce file manager login.php bypass attempt."),
  969. (22000, 31505, 15, 173, NULL, 1, 1, "Wazuh - TimThumb backdoor access attempt."),
  970. (22000, 31506, 15, 173, NULL, 1, 1, "Wazuh - Cart.php directory transversal attempt."),
  971. (22000, 31507, 15, 173, NULL, 1, 1, "Wazuh - MSSQL Injection attempt (ur.php, urchin.js)."),
  972. (22000, 31508, 15, 173, NULL, 1, 1, "Wazuh - Blacklisted user agent (known malicious user agent)."),
  973. (22000, 31509, 15, 173, NULL, 1, 1, "Wazuh - CMS (WordPress or Joomla) login attempt."),
  974. (22000, 31510, 15, 173, NULL, 1, 1, "Wazuh - CMS (WordPress or Joomla) brute force attempt."),
  975. (22000, 31511, 15, 173, NULL, 1, 1, "Wazuh - Blacklisted user agent (wget)."),
  976. (22000, 31512, 15, 173, NULL, 1, 1, "Wazuh - Uploadify vulnerability exploit attempt."),
  977. (22000, 31513, 15, 173, NULL, 1, 1, "Wazuh - BBS delete.php exploit attempt."),
  978. (22000, 31514, 15, 173, NULL, 1, 1, "Wazuh - Simple shell.php command execution."),
  979. (22000, 31515, 15, 173, NULL, 1, 1, "Wazuh - PHPMyAdmin scans (looking for setup.php)."),
  980. (22000, 31516, 15, 173, NULL, 1, 1, "Wazuh - Suspicious URL access."),
  981. (22000, 31530, 15, 173, NULL, 1, 1, "Wazuh - POST request received."),
  982. (22000, 31531, 15, 173, NULL, 1, 1, "Wazuh - Ignoring often post requests inside /wp-admin and /admin."),
  983. (22000, 31533, 15, 173, NULL, 1, 1, "Wazuh - High amount of POST requests in a small period of time (likely bot)."),
  984. (22000, 31550, 15, 173, NULL, 1, 1, "Wazuh - Anomaly URL query (attempting to pass null termination)."),
  985. (22000, 35000, 15, 173, NULL, 1, 1, "Wazuh - Squid messages grouped."),
  986. (22000, 35002, 15, 173, NULL, 1, 1, "Wazuh - Squid generic error codes."),
  987. (22000, 35003, 15, 173, NULL, 1, 1, "Wazuh - Squid: Bad request/Invalid syntax."),
  988. (22000, 35004, 15, 173, NULL, 1, 1, "Wazuh - Squid: Unauthorized: Failed attempt to access authorization-required file or directory."),
  989. (22000, 35005, 15, 173, NULL, 1, 1, "Wazuh - Squid: Forbidden: Attempt to access forbidden file or directory."),
  990. (22000, 35006, 15, 173, NULL, 1, 1, "Wazuh - Squid: Not Found: Attempt to access non-existent file or directory."),
  991. (22000, 35007, 15, 173, NULL, 1, 1, "Wazuh - Squid: Proxy Authentication Required: User is not authorized to use proxy."),
  992. (22000, 35008, 15, 173, NULL, 1, 1, "Wazuh - Squid: 400 error code (request failed)."),
  993. (22000, 35009, 15, 173, NULL, 1, 1, "Wazuh - Squid: 500/600 error code (server error)."),
  994. (22000, 35010, 15, 173, NULL, 1, 1, "Wazuh - Squid: 503 error code (server unavailable)."),
  995. (22000, 35021, 15, 173, NULL, 1, 1, "Wazuh - Squid: Attempt to access a Beagle worm (or variant) file."),
  996. (22000, 35022, 15, 173, NULL, 1, 1, "Wazuh - Squid: Attempt to access a worm/trojan related site."),
  997. (22000, 35023, 15, 173, NULL, 1, 1, "Wazuh - Squid: Ignored files on a 40x error."),
  998. (22000, 35051, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple attempts to access forbidden file or directory from same source ip."),
  999. (22000, 35052, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple unauthorized attempts to use proxy."),
  1000. (22000, 35053, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple Bad requests/Invalid syntax."),
  1001. (22000, 35054, 15, 173, NULL, 1, 1, "Wazuh - Squid: Infected machine with W32.Beagle.DP."),
  1002. (22000, 35055, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple attempts to access a non-existent file."),
  1003. (22000, 35056, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple attempts to access a worm/trojan/virus related web site. System probably infected."),
  1004. (22000, 35057, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple 400 error codes (requests failed)."),
  1005. (22000, 35058, 15, 173, NULL, 1, 1, "Wazuh - Squid: Multiple 500/600 error codes (server error)."),
  1006. (22000, 35095, 15, 173, NULL, 1, 1, "Wazuh - Squid: Ignoring multiple attempts from same source ip (alert only once)."),
  1007. (22000, 40101, 15, 173, NULL, 1, 1, "Wazuh - System user successfully logged to the system."),
  1008. (22000, 40102, 15, 173, NULL, 1, 1, "Wazuh - Buffer overflow attack on rpc.statd"),
  1009. (22000, 40103, 15, 173, NULL, 1, 1, "Wazuh - Buffer overflow on WU-FTPD versions prior to 2.6"),
  1010. (22000, 40104, 15, 173, NULL, 1, 1, "Wazuh - Possible buffer overflow attempt."),
  1011. (22000, 40105, 15, 173, NULL, 1, 1, "Wazuh - Null user changed some information."),
  1012. (22000, 40106, 15, 173, NULL, 1, 1, "Wazuh - Buffer overflow attempt (probably on yppasswd)."),
  1013. (22000, 40107, 15, 173, NULL, 1, 1, "Wazuh - Heap overflow in the Solaris cachefsd service."),
  1014. (22000, 40109, 15, 173, NULL, 1, 1, "Wazuh - Stack overflow attempt or program exiting with SEGV (Solaris)."),
  1015. (22000, 40111, 15, 173, NULL, 1, 1, "Wazuh - Multiple authentication failures."),
  1016. (22000, 40112, 15, 173, NULL, 1, 1, "Wazuh - Multiple authentication failures followed by a success."),
  1017. (22000, 40113, 15, 173, NULL, 1, 1, "Wazuh - Multiple viruses detected - Possible outbreak."),
  1018. (22000, 40501, 15, 173, NULL, 1, 1, "Wazuh - Attacks followed by the addition of an user."),
  1019. (22000, 40601, 15, 173, NULL, 1, 1, "Wazuh - Network scan from same source ip."),
  1020. (22000, 40700, 15, 173, NULL, 1, 1, "Wazuh - Systemd rules"),
  1021. (22000, 40701, 15, 173, NULL, 1, 1, "Wazuh - Systemd: Stale file handle."),
  1022. (22000, 40702, 15, 173, NULL, 1, 1, "Wazuh - Systemd: Failed to get unit state for service. This means that the .service file is missing"),
  1023. (22000, 40703, 15, 173, NULL, 1, 1, "Wazuh - Systemd: Service has entered a failed state, and likely has not started."),
  1024. (22000, 40900, 15, 173, NULL, 1, 1, "Wazuh - firewalld grouping"),
  1025. (22000, 40901, 15, 173, NULL, 1, 1, "Wazuh - firewalld error"),
  1026. (22000, 40902, 15, 173, NULL, 1, 1, "Wazuh - firewalld: Incorrect chain/target/match."),
  1027. (22000, 40903, 15, 173, NULL, 1, 1, "Wazuh - firewalld: zone already set."),
  1028. (22000, 50100, 15, 173, NULL, 1, 1, "Wazuh - MySQL messages grouped."),
  1029. (22000, 50105, 15, 173, NULL, 1, 1, "Wazuh - MySQL: authentication success."),
  1030. (22000, 50106, 15, 173, NULL, 1, 1, "Wazuh - MySQL: authentication failure."),
  1031. (22000, 50107, 15, 173, NULL, 1, 1, "Wazuh - MySQL: query."),
  1032. (22000, 50108, 15, 173, NULL, 1, 1, "Wazuh - MySQL: User disconnected from database."),
  1033. (22000, 50120, 15, 173, NULL, 1, 1, "Wazuh - MySQL: shutdown messge."),
  1034. (22000, 50121, 15, 173, NULL, 1, 1, "Wazuh - MySQL: startup message."),
  1035. (22000, 50125, 15, 173, NULL, 1, 1, "Wazuh - MySQL: error."),
  1036. (22000, 50126, 15, 173, NULL, 1, 1, "Wazuh - MySQL: fatal error."),
  1037. (22000, 50180, 15, 173, NULL, 1, 1, "Wazuh - MySQL: Multiple errors."),
  1038. (22000, 50500, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL messages grouped."),
  1039. (22000, 50501, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL log message."),
  1040. (22000, 50502, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL informational message."),
  1041. (22000, 50503, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL error message."),
  1042. (22000, 50504, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL error message."),
  1043. (22000, 50505, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL debug message."),
  1044. (22000, 50510, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database query."),
  1045. (22000, 50511, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database authentication success."),
  1046. (22000, 50512, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database authentication failure."),
  1047. (22000, 50520, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database shutdown messge."),
  1048. (22000, 50521, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Database shutdown messge."),
  1049. (22000, 50580, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Multiple database errors."),
  1050. (22000, 50581, 15, 173, NULL, 1, 1, "Wazuh - PostgreSQL: Multiple database errors."),
  1051. (22000, 51000, 15, 173, NULL, 1, 1, "Wazuh - Grouping for dropbear rules."),
  1052. (22000, 51001, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Failed to get key exchange value"),
  1053. (22000, 51002, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Premature kexdh_init message"),
  1054. (22000, 51003, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Bad password attempt."),
  1055. (22000, 51093, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Bad password attempt for non existent user."),
  1056. (22000, 51004, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: dropbear brute force attempt."),
  1057. (22000, 51005, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: User disconnected."),
  1058. (22000, 51006, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Client exited before authentication."),
  1059. (22000, 51007, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: brute force attempt."),
  1060. (22000, 51008, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: Incompatible remote version."),
  1061. (22000, 51009, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: User successfully logged in using a password."),
  1062. (22000, 51010, 15, 173, NULL, 1, 1, "Wazuh - Dropbear: User successfully logged in using a public key."),
  1063. (22000, 51500, 15, 173, NULL, 1, 1, "Wazuh - Grouping of bsd_kernel alerts"),
  1064. (22000, 51501, 15, 173, NULL, 1, 1, "Wazuh - A timeout occurred waiting for a transfer."),
  1065. (22000, 51502, 15, 173, NULL, 1, 1, "Wazuh - Check media in optical drive."),
  1066. (22000, 51503, 15, 173, NULL, 1, 1, "Wazuh - A disk has timed out."),
  1067. (22000, 51504, 15, 173, NULL, 1, 1, "Wazuh - arp info has been overwritten for a host"),
  1068. (22000, 51505, 15, 173, NULL, 1, 1, "Wazuh - A filesystem was not properly unmounted, likely system crash"),
  1069. (22000, 51506, 15, 173, NULL, 1, 1, "Wazuh - UKC was used, possibly modifying a kernel at boot time."),
  1070. (22000, 51507, 15, 173, NULL, 1, 1, "Wazuh - Michael MIC failure: Checksum failure in the tkip protocol."),
  1071. (22000, 51508, 15, 173, NULL, 1, 1, "Wazuh - A soft error has been corrected on a hard drive, this is a possible early sign of failure."),
  1072. (22000, 51509, 15, 173, NULL, 1, 1, "Wazuh - Unknown acpithinkpad event"),
  1073. (22000, 51510, 15, 173, NULL, 1, 1, "Wazuh - System shutdown due to temperature"),
  1074. (22000, 51511, 15, 173, NULL, 1, 1, "Wazuh - Unknown ACPI event (bug 6299 in OpenBSD bug tracking system)."),
  1075. (22000, 51512, 15, 173, NULL, 1, 1, "Wazuh - USB diagnostic message."),
  1076. (22000, 51513, 15, 173, NULL, 1, 1, "Wazuh - Possible APM or ACPI event."),
  1077. (22000, 51514, 15, 173, NULL, 1, 1, "Wazuh - Unclean filesystem, run fsck."),
  1078. (22000, 51515, 15, 173, NULL, 1, 1, "Wazuh - Timeout in atascsi_passthru_done."),
  1079. (22000, 51516, 15, 173, NULL, 1, 1, "Wazuh - Clock battery error 80"),
  1080. (22000, 51518, 15, 173, NULL, 1, 1, "Wazuh - I/O error on a storage device"),
  1081. (22000, 51519, 15, 173, NULL, 1, 1, "Wazuh - kbc error."),
  1082. (22000, 51520, 15, 173, NULL, 1, 1, "Wazuh - USB reset failed, IOERROR."),
  1083. (22000, 51521, 15, 173, NULL, 1, 1, "Wazuh - Grouping for groupdel rules."),
  1084. (22000, 51522, 15, 173, NULL, 1, 1, "Wazuh - Group deleted."),
  1085. (22000, 51523, 15, 173, NULL, 1, 1, "Wazuh - No core dumps."),
  1086. (22000, 51524, 15, 173, NULL, 1, 1, "Wazuh - System was rebooted."),
  1087. (22000, 51525, 15, 173, NULL, 1, 1, "Wazuh - ftp-proxy cannot connect to a server."),
  1088. (22000, 51526, 15, 173, NULL, 1, 1, "Wazuh - Hard drive is dying."),
  1089. (22000, 51527, 15, 173, NULL, 1, 1, "Wazuh - CARP master to backup."),
  1090. (22000, 51528, 15, 173, NULL, 1, 1, "Wazuh - Duplicate IPv6 address."),
  1091. (22000, 51529, 15, 173, NULL, 1, 1, "Wazuh - Could not load a firmware."),
  1092. (22000, 51530, 15, 173, NULL, 1, 1, "Wazuh - hotplugd could not open a file."),
  1093. (22000, 51531, 15, 173, NULL, 1, 1, "Wazuh - User account deleted."),
  1094. (22000, 51532, 15, 173, NULL, 1, 1, "Wazuh - Bad ntp peer."),
  1095. (22000, 51533, 15, 173, NULL, 1, 1, "Wazuh - dhclient receive_packet failed."),
  1096. (22000, 51534, 15, 173, NULL, 1, 1, "Wazuh - dhclient receive_packet failed due to I/O error."),
  1097. (22000, 51535, 15, 173, NULL, 1, 1, "Wazuh - SIOCDIFADDR failed"),
  1098. (22000, 51536, 15, 173, NULL, 1, 1, "Wazuh - dhclient: device not configured."),
  1099. (22000, 52000, 15, 173, NULL, 1, 1, "Wazuh - Apparmor messages grouped."),
  1100. (22000, 52001, 15, 173, NULL, 1, 1, "Wazuh - Apparmor Ignore ALLOWED or STATUS"),
  1101. (22000, 52002, 15, 173, NULL, 1, 1, "Wazuh - Apparmor DENIED"),
  1102. (22000, 52003, 15, 173, NULL, 1, 1, "Wazuh - Apparmor DENIED exec operation."),
  1103. (22000, 52004, 15, 173, NULL, 1, 1, "Wazuh - Apparmor DENIED mknod operation."),
  1104. (22000, 52500, 15, 173, NULL, 1, 1, "Wazuh - Clamd messages grouped."),
  1105. (22000, 52501, 15, 173, NULL, 1, 1, "Wazuh - ClamAV: database update"),
  1106. (22000, 52502, 15, 173, NULL, 1, 1, "Wazuh - ClamAV: Virus detected"),
  1107. (22000, 52503, 15, 173, NULL, 1, 1, "Wazuh - Clamd error"),
  1108. (22000, 52504, 15, 173, NULL, 1, 1, "Wazuh - Clamd warning"),
  1109. (22000, 52505, 15, 173, NULL, 1, 1, "Wazuh - Clamd restarted"),
  1110. (22000, 52506, 15, 173, NULL, 1, 1, "Wazuh - Clamd database updated"),
  1111. (22000, 52507, 15, 173, NULL, 1, 1, "Wazuh - ClamAV database update"),
  1112. (22000, 52508, 15, 173, NULL, 1, 1, "Wazuh - ClamAV database updated"),
  1113. (22000, 52509, 15, 173, NULL, 1, 1, "Wazuh - ClamAV: Could not download the incremental virus definition updates."),
  1114. (22000, 52510, 15, 173, NULL, 1, 1, "Wazuh - Clamd stopped"),
  1115. (22000, 52511, 15, 173, NULL, 1, 1, "Wazuh - ClamAV: Virus detected multiple times"),
  1116. (22000, 53500, 15, 173, NULL, 1, 1, "Wazuh - OpenSMTPd grouping."),
  1117. (22000, 53501, 15, 173, NULL, 1, 1, "Wazuh - Message failed."),
  1118. (22000, 53502, 15, 173, NULL, 1, 1, "Wazuh - New session created."),
  1119. (22000, 53503, 15, 173, NULL, 1, 1, "Wazuh - Session closed."),
  1120. (22000, 53504, 15, 173, NULL, 1, 1, "Wazuh - Message accepted."),
  1121. (22000, 53505, 15, 173, NULL, 1, 1, "Wazuh - Email delivered."),
  1122. (22000, 53506, 15, 173, NULL, 1, 1, "Wazuh - SMTP command not supported."),
  1123. (22000, 53507, 15, 173, NULL, 1, 1, "Wazuh - OpenSMTPd: no SSL"),
  1124. (22000, 53508, 15, 173, NULL, 1, 1, "Wazuh - Server TLS certificate verification failed."),
  1125. (22000, 184665, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 1"),
  1126. (22000, 185000, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 2"),
  1127. (22000, 185001, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 3"),
  1128. (22000, 185002, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 4"),
  1129. (22000, 185003, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 5"),
  1130. (22000, 185004, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 6"),
  1131. (22000, 185005, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 7"),
  1132. (22000, 185006, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 8"),
  1133. (22000, 185007, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 9"),
  1134. (22000, 185008, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 10"),
  1135. (22000, 185009, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 11"),
  1136. (22000, 185010, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 12"),
  1137. (22000, 185011, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 13"),
  1138. (22000, 185012, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 14"),
  1139. (22000, 185013, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Event 15"),
  1140. (22000, 184666, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - svchost.exe"),
  1141. (22000, 184667, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - svchost.exe"),
  1142. (22000, 184676, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - lsm.exe"),
  1143. (22000, 184677, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - lsm.exe"),
  1144. (22000, 184678, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - lsm.exe is a Parent Image"),
  1145. (22000, 184686, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - csrss.exe"),
  1146. (22000, 184687, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - csrss.exe"),
  1147. (22000, 184696, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - lsass"),
  1148. (22000, 184697, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - lsass.exe"),
  1149. (22000, 184698, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - lsass.exe is a Parent Image"),
  1150. (22000, 184706, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - winlogon.exe"),
  1151. (22000, 184707, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - winlogon.exe"),
  1152. (22000, 184716, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - wininit"),
  1153. (22000, 184717, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - wininit.exe"),
  1154. (22000, 184726, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - smss.exe"),
  1155. (22000, 184727, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - smss.exe"),
  1156. (22000, 184736, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - taskhost.exe"),
  1157. (22000, 184737, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - taskhost.exe"),
  1158. (22000, 184746, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - services.exe"),
  1159. (22000, 184747, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - services.exe"),
  1160. (22000, 184766, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - dllhost.exe"),
  1161. (22000, 184767, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - dllhost.exe"),
  1162. (22000, 184776, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Suspicious Process - explorer.exe"),
  1163. (22000, 184777, 15, 173, NULL, 1, 1, "Wazuh - Sysmon - Legitimate Parent Image - explorer.exe"),
  1164. (22000, 500000, 15, 173, NULL, 1, 1, "Wazuh - Unbound grouping."),
  1165. (22000, 500001, 15, 173, NULL, 1, 1, "Wazuh - Unbound: Notice grouping."),
  1166. (22000, 500002, 15, 173, NULL, 1, 1, "Wazuh - Unbound: Info grouping."),
  1167. (22000, 500100, 15, 173, NULL, 1, 1, "Wazuh - Unbound: Can't assign requested address."),
  1168. (22000, 500101, 15, 173, NULL, 1, 1, "Wazuh - Unbound: DNS A request."),
  1169. (22000, 500102, 15, 173, NULL, 1, 1, "Wazuh - Unbound: DNS AAAA request."),
  1170. (22000, 80000, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master messages grouped."),
  1171. (22000, 80001, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent messages grouped."),
  1172. (22000, 80002, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master started"),
  1173. (22000, 80003, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master stopped"),
  1174. (22000, 80004, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Permission denied"),
  1175. (22000, 80005, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Certificate issue"),
  1176. (22000, 80006, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: not run - address in use"),
  1177. (22000, 80007, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Manifest Error"),
  1178. (22000, 80008, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Error"),
  1179. (22000, 80009, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Info"),
  1180. (22000, 80010, 15, 173, NULL, 1, 1, "Wazuh - Puppet Master: Deprecated"),
  1181. (22000, 80050, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent started"),
  1182. (22000, 80051, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent stopped"),
  1183. (22000, 80052, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Certificate - Could not request certificate"),
  1184. (22000, 80053, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Certificate issue"),
  1185. (22000, 80054, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error - no file found or does not exist"),
  1186. (22000, 80055, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error - feature is missing"),
  1187. (22000, 80056, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error - failed library"),
  1188. (22000, 80057, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error - failed to apply catalog"),
  1189. (22000, 80058, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: connection refused"),
  1190. (22000, 80059, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Error"),
  1191. (22000, 80070, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Info - create or defined content"),
  1192. (22000, 80071, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Info"),
  1193. (22000, 80072, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Info - applying configuration"),
  1194. (22000, 80073, 15, 173, NULL, 1, 1, "Wazuh - Puppet Agent: Info - executing "),
  1195. (22000, 80090, 15, 173, NULL, 1, 1, "Wazuh - Command check if puppet runs every 30 min or less"),
  1196. (22000, 80091, 15, 173, NULL, 1, 1, "Wazuh - Puppet ran in the last 30 minutes"),
  1197. (22000, 80092, 15, 173, NULL, 1, 1, "Wazuh - Puppet did not run in the last 30 minutes"),
  1198. (22000, 80100, 15, 173, NULL, 1, 1, "Wazuh - Netscaler messages grouped."),
  1199. (22000, 80101, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: AAA module failed to login the user"),
  1200. (22000, 80102, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple AAA failed to login the user"),
  1201. (22000, 80103, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API command executed"),
  1202. (22000, 80104, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API command executed failed"),
  1203. (22000, 80105, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple commands failed"),
  1204. (22000, 80106, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API dangerous command"),
  1205. (22000, 80107, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SSLVPN login succeeds"),
  1206. (22000, 80108, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SSLVPN session logs out"),
  1207. (22000, 80109, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: ICA application launch has started"),
  1208. (22000, 80110, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: ICA application has terminated"),
  1209. (22000, 80111, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: A non-http resource access is denied by policy engine."),
  1210. (22000, 80112, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple non-http resource access denied"),
  1211. (22000, 80113, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: A http resource access is denied by policy engine"),
  1212. (22000, 80114, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple http resource access denied"),
  1213. (22000, 80115, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SSLVPN session: client security check error"),
  1214. (22000, 80116, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SSLVPN session: client security expression evaluates to False"),
  1215. (22000, 80117, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SNMP module starts"),
  1216. (22000, 80118, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SNMP module stops"),
  1217. (22000, 80119, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Started"),
  1218. (22000, 80120, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Stopped"),
  1219. (22000, 80121, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Network interface started"),
  1220. (22000, 80122, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Network interface stopped"),
  1221. (22000, 80123, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Network interface in hung state"),
  1222. (22000, 80124, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Network interface reset"),
  1223. (22000, 80125, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Memory internal error"),
  1224. (22000, 80126, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: HA propagation failed"),
  1225. (22000, 80127, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Firewall violation"),
  1226. (22000, 80128, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Firewall: Appsecure uthread at 0x%x had a stack error"),
  1227. (22000, 80129, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Firewall: DOS\DDOS error"),
  1228. (22000, 80130, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SNMP Trap Sent"),
  1229. (22000, 80131, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: SNMP Trap Dropped"),
  1230. (22000, 80132, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: ACL Packet Log"),
  1231. (22000, 80133, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: URL Transformation error"),
  1232. (22000, 80134, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Login to AAA TM vserver succeeds"),
  1233. (22000, 80135, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: AAA TM session logged out"),
  1234. (22000, 80136, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: A AAATM http resource access is denied by policy engine"),
  1235. (22000, 80137, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple AAATM http resource access denied"),
  1236. (22000, 80138, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API login succeeds"),
  1237. (22000, 80139, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: UI/API login failed"),
  1238. (22000, 80140, 15, 173, NULL, 1, 1, "Wazuh - Netscaler: Multiple UI/API login failed"),
  1239. (22000, 80200, 15, 173, NULL, 1, 1, "Wazuh - Amazon alerts."),
  1240. (22000, 80201, 15, 173, NULL, 1, 1, "Wazuh - Amazon EC2 alerts."),
  1241. (22000, 80202, 15, 173, NULL, 1, 1, "Wazuh - Amazon IAM alerts."),
  1242. (22000, 80203, 15, 173, NULL, 1, 1, "Wazuh - Amazon s3 alerts."),
  1243. (22000, 80301, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Run instance"),
  1244. (22000, 80302, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Run instance InstanceLimit Exceeded"),
  1245. (22000, 80303, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Run instance unauthorized"),
  1246. (22000, 80304, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Run Instances error"),
  1247. (22000, 80305, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Instance started"),
  1248. (22000, 80306, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Start instance unauthorized"),
  1249. (22000, 80307, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Start Instances error"),
  1250. (22000, 80308, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Instance stopped"),
  1251. (22000, 80309, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Stop instance unauthorized"),
  1252. (22000, 80310, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Stop instance Invalid Instance ID Not Found"),
  1253. (22000, 80311, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Stop Instances error"),
  1254. (22000, 80312, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Instance terminated"),
  1255. (22000, 80313, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Terminate instance unauthorized"),
  1256. (22000, 80314, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Terminate Instances error"),
  1257. (22000, 80315, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Instance attribute"),
  1258. (22000, 80316, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Instance attribute unauthorized"),
  1259. (22000, 80317, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Instance Invalid Parameter Value"),
  1260. (22000, 80318, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Instance Attribute error"),
  1261. (22000, 80319, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Network Interface Attached"),
  1262. (22000, 80320, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Network Interface Attached Unauthorized"),
  1263. (22000, 80321, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Network Interface error"),
  1264. (22000, 80322, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Network Interface Detached"),
  1265. (22000, 80323, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Network Interface Detached Unauthorized"),
  1266. (22000, 80324, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Network Interface error"),
  1267. (22000, 80325, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address"),
  1268. (22000, 80326, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Unauthorized"),
  1269. (22000, 80327, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Unauthorized"),
  1270. (22000, 80328, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address error"),
  1271. (22000, 80329, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Monitor Instances"),
  1272. (22000, 80330, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Monitor Instances"),
  1273. (22000, 80331, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: MonitorInstances error"),
  1274. (22000, 80332, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Unmonitor Instances"),
  1275. (22000, 80333, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Unmonitor Instances Unauthorized"),
  1276. (22000, 80334, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: UnmonitorInstances error"),
  1277. (22000, 80335, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Network Interface Attribute"),
  1278. (22000, 80336, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Network Interface Attribute Unauthorized"),
  1279. (22000, 80337, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Network Interface Attribute error"),
  1280. (22000, 80338, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Image"),
  1281. (22000, 80339, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Image Unauthorized"),
  1282. (22000, 80340, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Reboot Instances"),
  1283. (22000, 80341, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Reboot Instances Unauthorized"),
  1284. (22000, 80342, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Reboot Instances error"),
  1285. (22000, 80350, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create AMI"),
  1286. (22000, 80351, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create AMI Unauthorized"),
  1287. (22000, 80352, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create AMI error"),
  1288. (22000, 80353, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Deregister AMI"),
  1289. (22000, 80354, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Deregister AMI Unauthorized"),
  1290. (22000, 80355, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Deregister Image error"),
  1291. (22000, 80356, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Image Attribute"),
  1292. (22000, 80357, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Image Attribute Unauthorized"),
  1293. (22000, 80358, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Image Attribute error"),
  1294. (22000, 80359, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Register Image"),
  1295. (22000, 80360, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Register Image Invalid Manifest"),
  1296. (22000, 80361, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Register Image Unauthorized"),
  1297. (22000, 80362, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Register Image error"),
  1298. (22000, 80370, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Volume"),
  1299. (22000, 80371, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Volume Unauthorized"),
  1300. (22000, 80372, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Volume error"),
  1301. (22000, 80373, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Volume"),
  1302. (22000, 80374, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Volume Unauthorized"),
  1303. (22000, 80375, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Attach Volume error"),
  1304. (22000, 80376, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Detach Volume"),
  1305. (22000, 80377, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Detach Volume Unauthorized"),
  1306. (22000, 80378, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Volume error"),
  1307. (22000, 80379, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Snapshot"),
  1308. (22000, 80380, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Snapshot Unauthorized"),
  1309. (22000, 80381, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Snapshot error"),
  1310. (22000, 80382, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Volume Attribute"),
  1311. (22000, 80383, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Volume Attribute Unauthorized"),
  1312. (22000, 80384, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Volume Attribute error"),
  1313. (22000, 80385, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Create Tags"),
  1314. (22000, 80386, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Create Tags Unauthorized"),
  1315. (22000, 80387, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Create Tags error"),
  1316. (22000, 80388, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Delete Tags"),
  1317. (22000, 80389, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Delete Tags Unauthorized"),
  1318. (22000, 80390, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2-vpc: Delete Tags error"),
  1319. (22000, 80391, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Volume"),
  1320. (22000, 80392, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Volume Unauthorized"),
  1321. (22000, 80393, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Volume error"),
  1322. (22000, 80394, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Snapshot Attribute"),
  1323. (22000, 80395, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Snapshot Attribute Unauthorized"),
  1324. (22000, 80396, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Modify Snapshot Attribute error"),
  1325. (22000, 80397, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Copy Snapshot"),
  1326. (22000, 80398, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Copy Snapshot Unauthorized"),
  1327. (22000, 80399, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Copy Snapshot error"),
  1328. (22000, 80400, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Snapshot"),
  1329. (22000, 80401, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Snapshot Unauthorized"),
  1330. (22000, 80402, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Snapshot Invalid in use"),
  1331. (22000, 80403, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Snapshot error"),
  1332. (22000, 80404, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Security Group"),
  1333. (22000, 80405, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Security Group Snapshot Unauthorized"),
  1334. (22000, 80406, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Security Group Invalid Parameter Value"),
  1335. (22000, 80407, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Security Group error"),
  1336. (22000, 80408, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Security Group"),
  1337. (22000, 80409, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Security Group Snapshot Unauthorized"),
  1338. (22000, 80410, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Security Group error"),
  1339. (22000, 80411, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Allocate Address"),
  1340. (22000, 80412, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Allocate Address Unauthorized"),
  1341. (22000, 80413, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Allocate Address Limit Exceeded"),
  1342. (22000, 80414, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Allocate Address error"),
  1343. (22000, 80415, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address"),
  1344. (22000, 80416, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Missing Parameter"),
  1345. (22000, 80417, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Invalid Association ID Not Found"),
  1346. (22000, 80418, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address Invalid Parameter Value"),
  1347. (22000, 80419, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Disassociate Address error"),
  1348. (22000, 80420, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Placement Group"),
  1349. (22000, 80421, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Plazament Group Unauthorized Operation"),
  1350. (22000, 80422, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Plazament Group error"),
  1351. (22000, 80423, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Placement Group"),
  1352. (22000, 80424, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Plazament Group Unauthorized Operation"),
  1353. (22000, 80425, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Plazament Group error"),
  1354. (22000, 80426, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security GroupIngress"),
  1355. (22000, 80427, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Ingress Unauthorized Operation"),
  1356. (22000, 80428, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Ingress Invalid Parameter Value"),
  1357. (22000, 80429, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Ingress Missing Parameter"),
  1358. (22000, 80430, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Invalid GroupId Malformed"),
  1359. (22000, 80431, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group Invalid Group Not found"),
  1360. (22000, 80432, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Authorize Security Group error"),
  1361. (22000, 80433, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security GroupIngress"),
  1362. (22000, 80434, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Unauthorized Operation"),
  1363. (22000, 80435, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Invalid Parameter Value"),
  1364. (22000, 80436, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Missing Parameter"),
  1365. (22000, 80437, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Invalid Group ID Malformed"),
  1366. (22000, 80438, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group Ingress Invalid Group Not Found"),
  1367. (22000, 80439, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Revoke Security Group error"),
  1368. (22000, 80440, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Load Balancer"),
  1369. (22000, 80441, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Load Balancer Access Denied"),
  1370. (22000, 80442, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Create Load Balancer error"),
  1371. (22000, 80443, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Load Balancer"),
  1372. (22000, 80444, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Load Balancer Access Denied"),
  1373. (22000, 80445, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Delete Load Balancer error"),
  1374. (22000, 80446, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Associate Elastic IP's Address"),
  1375. (22000, 80447, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Associate Elastic IP's Address Access Denied"),
  1376. (22000, 80448, 15, 173, NULL, 1, 1, "Wazuh - Amazon-ec2: Associate Elastic IP's Address error"),
  1377. (22000, 81000, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Vpc Created"),
  1378. (22000, 81001, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Vpc Created Unauthorized Operation"),
  1379. (22000, 81002, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Vpc Limit Exceeded"),
  1380. (22000, 81003, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Vpc create error"),
  1381. (22000, 81004, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Asssociate Dhcp Options"),
  1382. (22000, 81005, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Associate Dhcp Options Unauthorized Operation"),
  1383. (22000, 81006, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Associate Dhcp Options error"),
  1384. (22000, 81007, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Crete Subnet"),
  1385. (22000, 81008, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Crete Subnet Unauthorized Operation"),
  1386. (22000, 81009, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Crete Subnet Invalid Subnet range"),
  1387. (22000, 81010, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Crete Subnet error"),
  1388. (22000, 81011, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Modify Subnet Attribute"),
  1389. (22000, 81012, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Crete Subnet Unauthorized Operation"),
  1390. (22000, 81013, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Modify Subnet Attribute error"),
  1391. (22000, 81014, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Route Table"),
  1392. (22000, 81015, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Create Route Table Unauthorized Operation"),
  1393. (22000, 81016, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Route Table error"),
  1394. (22000, 81017, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Associate Route Table"),
  1395. (22000, 81018, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Associate Route Table Unauthorized Operation"),
  1396. (22000, 81019, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Route Table error"),
  1397. (22000, 81020, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Disassociate Route Table"),
  1398. (22000, 81021, 15, 173, NULL, 1, 1, "Wazuh - Amazon-Vpc: Disassociate Route Table Unauthorized Operation"),
  1399. (22000, 81022, 15, 173, NULL, 1, 1, "Wazuh - Amazon-vpc: Create Route Table error"),
  1400. (22000, 80500, 15, 173, NULL, 1, 1, "Wazuh - Serv-u messages grouped."),
  1401. (22000, 80501, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Server started"),
  1402. (22000, 80502, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Domain started"),
  1403. (22000, 80503, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged in"),
  1404. (22000, 80504, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged out"),
  1405. (22000, 80505, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Invalid credentials"),
  1406. (22000, 80506, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Multiple authentication failures."),
  1407. (22000, 80507, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Session timeout"),
  1408. (22000, 80508, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Closed session"),
  1409. (22000, 80509, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Remote host connected"),
  1410. (22000, 80510, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Event"),
  1411. (22000, 80511, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File downloaded"),
  1412. (22000, 80512, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File uploaded"),
  1413. (22000, 80513, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File deleted"),
  1414. (22000, 80514, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File/Directory renamed"),
  1415. (22000, 80515, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Directory created"),
  1416. (22000, 80516, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Directory deleted"),
  1417. (22000, 80517, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: File with extension .exe uploaded"),
  1418. (22000, 80518, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged in FTP/FTPS"),
  1419. (22000, 80519, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged in SFTP (SSH)"),
  1420. (22000, 80520, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: User logged in HTTP/HTTPS"),
  1421. (22000, 80521, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: Attempt to login using anonymous user"),
  1422. (22000, 80522, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: FTP/FTPS Permision denied"),
  1423. (22000, 80523, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: SFTP (SSH) Permision denied"),
  1424. (22000, 80524, 15, 173, NULL, 1, 1, "Wazuh - Serv-U: HTTP/HTTPS Permision denied"),
  1425. (22000, 80700, 15, 173, NULL, 1, 1, "Wazuh - Audit: messages grouped."),
  1426. (22000, 80701, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Start / Resume"),
  1427. (22000, 80702, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Start / Resume FAILED"),
  1428. (22000, 80703, 15, 173, NULL, 1, 1, "Wazuh - Auditd: End"),
  1429. (22000, 80704, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Abort"),
  1430. (22000, 80705, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Configuration changed"),
  1431. (22000, 80710, 15, 173, NULL, 1, 1, "Wazuh - Auditd: device enables promiscuous mode"),
  1432. (22000, 80711, 15, 173, NULL, 1, 1, "Wazuh - Auditd: process ended abnormally"),
  1433. (22000, 80712, 15, 173, NULL, 1, 1, "Wazuh - Auditd: execution of a file ended abnormally"),
  1434. (22000, 80713, 15, 173, NULL, 1, 1, "Wazuh - Auditd: file is made executable"),
  1435. (22000, 80714, 15, 173, NULL, 1, 1, "Wazuh - Auditd: file or a directory access ended abnormally"),
  1436. (22000, 80715, 15, 173, NULL, 1, 1, "Wazuh - Auditd: failure of the Abstract Machine Test Utility (AMTU) detected"),
  1437. (22000, 80716, 15, 173, NULL, 1, 1, "Wazuh - Auditd: maximum amount of Discretionary Access Control (DAC) or Mandatory Access Control (MAC) failures reached"),
  1438. (22000, 80717, 15, 173, NULL, 1, 1, "Wazuh - Auditd: Role-Based Access Control (RBAC) failure detected."),
  1439. (22000, 80718, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user-space account addition ended abnormally."),
  1440. (22000, 80719, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user-space account deletion ended abnormally."),
  1441. (22000, 80720, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user-space account modification ended abnormally."),
  1442. (22000, 80721, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user becomes root"),
  1443. (22000, 80722, 15, 173, NULL, 1, 1, "Wazuh - Auditd: account login attempt ended abnormally."),
  1444. (22000, 80723, 15, 173, NULL, 1, 1, "Wazuh - Auditd: limit of failed login attempts reached."),
  1445. (22000, 80724, 15, 173, NULL, 1, 1, "Wazuh - Auditd: login attempt from a forbidden location."),
  1446. (22000, 80725, 15, 173, NULL, 1, 1, "Wazuh - Auditd: login attempt reached the maximum amount of concurrent sessions."),
  1447. (22000, 80726, 15, 173, NULL, 1, 1, "Wazuh - Auditd: login attempt is made at a time when it is prevented by."),
  1448. (22000, 80730, 15, 173, NULL, 1, 1, "Wazuh - Auditd: SELinux permission check"),
  1449. (22000, 80731, 15, 173, NULL, 1, 1, "Wazuh - Auditd: SELinux mode (enforcing, permissive, off) is changed"),
  1450. (22000, 80732, 15, 173, NULL, 1, 1, "Wazuh - Auditd: SELinux error"),
  1451. (22000, 80740, 15, 173, NULL, 1, 1, "Wazuh - Auditd: replay attack detected"),
  1452. (22000, 80741, 15, 173, NULL, 1, 1, "Wazuh - Auditd: group ID changed"),
  1453. (22000, 80742, 15, 173, NULL, 1, 1, "Wazuh - Auditd: user ID changed"),
  1454. (22000, 80780, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Write access"),
  1455. (22000, 80781, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Write access: $(audit.file.name)"),
  1456. (22000, 80782, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Write access: $(audit.directory.name)"),
  1457. (22000, 80783, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Read access"),
  1458. (22000, 80784, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Read access: $(audit.file.name)"),
  1459. (22000, 80785, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Read access: $(audit.directory.name)"),
  1460. (22000, 80786, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Change attribute"),
  1461. (22000, 80787, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Change attribute: $(audit.file.name)"),
  1462. (22000, 80788, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Change attribute: $(audit.directory.name)"),
  1463. (22000, 80789, 15, 173, NULL, 1, 1, "Wazuh - Audit: Watch - Execute access: $(audit.file.name)"),
  1464. (22000, 80790, 15, 173, NULL, 1, 1, "Wazuh - Audit: Created: $(audit.file.name)"),
  1465. (22000, 80791, 15, 173, NULL, 1, 1, "Wazuh - Audit: Deleted: $(audit.file.name)"),
  1466. (22000, 80792, 15, 173, NULL, 1, 1, "Wazuh - Audit: Command: $(audit.exe)"),
  1467. (22000, 80801, 15, 173, NULL, 1, 1, "Wazuh - Amazon-signin: User Login Success"),
  1468. (22000, 80802, 15, 173, NULL, 1, 1, "Wazuh - Amazon-signin: User Login failed"),
  1469. (22000, 80803, 15, 173, NULL, 1, 1, "Wazuh - Possible breakin attempt (high number of login attempts)."),
  1470. (22000, 80861, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User created"),
  1471. (22000, 80862, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User creation denied"),
  1472. (22000, 80863, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User creation error"),
  1473. (22000, 80864, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User added to a group"),
  1474. (22000, 80865, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User added to a group denied"),
  1475. (22000, 80866, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User added to a group error"),
  1476. (22000, 80867, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User removed from a group"),
  1477. (22000, 80868, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User removed from a group denied"),
  1478. (22000, 80869, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User removed from a group error"),
  1479. (22000, 80870, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Access key updated"),
  1480. (22000, 80871, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Access key updated denied"),
  1481. (22000, 80872, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Access key updated error"),
  1482. (22000, 80873, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy attached to a group"),
  1483. (22000, 80874, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy attached to a group denied"),
  1484. (22000, 80875, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy attached to a group error"),
  1485. (22000, 80876, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy deattached to a group"),
  1486. (22000, 80877, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy deattached to a group denied"),
  1487. (22000, 80878, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group policy deattached to a group error"),
  1488. (22000, 80879, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy attached to a user"),
  1489. (22000, 80880, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy attached to a user denied"),
  1490. (22000, 80881, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy attached to a user error"),
  1491. (22000, 80882, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy deattached to a user"),
  1492. (22000, 80883, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy deattached to a user denied"),
  1493. (22000, 80884, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: User policy deattached to a user error"),
  1494. (22000, 80885, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy attached to a user"),
  1495. (22000, 80886, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy attached to a user denied"),
  1496. (22000, 80887, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy attached to a user error"),
  1497. (22000, 80888, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy deattached to a user"),
  1498. (22000, 80889, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy deattached to a user denied"),
  1499. (22000, 80890, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Rule policy deattached to a user error"),
  1500. (22000, 80891, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group created"),
  1501. (22000, 80892, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group creation denied"),
  1502. (22000, 80893, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Group creation error"),
  1503. (22000, 80894, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Role created"),
  1504. (22000, 80895, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Role creation denied"),
  1505. (22000, 80896, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Role creation error"),
  1506. (22000, 80897, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy created"),
  1507. (22000, 80898, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy creation denied"),
  1508. (22000, 80899, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy creation error"),
  1509. (22000, 80900, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy password account update"),
  1510. (22000, 80901, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy password account update denied"),
  1511. (22000, 80902, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Policy password account update error"),
  1512. (22000, 80903, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Account alias created"),
  1513. (22000, 80904, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Create Account Alias error"),
  1514. (22000, 80905, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Account alias deleted"),
  1515. (22000, 80906, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Delete account alias error"),
  1516. (22000, 80907, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Account alias updated"),
  1517. (22000, 80908, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Update Instance Alias error"),
  1518. (22000, 80909, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Get Group"),
  1519. (22000, 80910, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: The group cant be found"),
  1520. (22000, 80911, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Get group error"),
  1521. (22000, 80912, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Get Group"),
  1522. (22000, 80913, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: The group cant be listed"),
  1523. (22000, 80914, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: List group error"),
  1524. (22000, 80915, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: List Users"),
  1525. (22000, 80916, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: The users cant be listed"),
  1526. (22000, 80917, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: List users error"),
  1527. (22000, 80918, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Delete user"),
  1528. (22000, 80919, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: The users can't be deleted"),
  1529. (22000, 80920, 15, 173, NULL, 1, 1, "Wazuh - Amazon-iam: Delete user error"),
  1530. (22000, 80921, 15, 173, NULL, 1, 1, "Wazuh - Attempts to delete the KMS keys/users."),
  1531. (22000, 80922, 15, 173, NULL, 1, 1, "Wazuh - Access to KMS keys/users."),
  1532. (22000, 81100, 15, 173, NULL, 1, 1, "Wazuh - USB messages grouped."),
  1533. (22000, 81101, 15, 173, NULL, 1, 1, "Wazuh - Attached USB Storage"),
  1534. (22000, 81300, 15, 173, NULL, 1, 1, "Wazuh - Redis messages grouped."),
  1535. (22000, 81301, 15, 173, NULL, 1, 1, "Wazuh - Redis: started"),
  1536. (22000, 81302, 15, 173, NULL, 1, 1, "Wazuh - Redis: shutdown"),
  1537. (22000, 81303, 15, 173, NULL, 1, 1, "Wazuh - Redis: Warning / Error"),
  1538. (22000, 81304, 15, 173, NULL, 1, 1, "Wazuh - Redis: Client connected"),
  1539. (22000, 81305, 15, 173, NULL, 1, 1, "Wazuh - Redis: Client closed connection"),
  1540. (22000, 81400, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP messages grouped."),
  1541. (22000, 81401, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: Evaluation started."),
  1542. (22000, 81402, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: Evaluation finished."),
  1543. (22000, 81403, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: Evaluation finished with some failures."),
  1544. (22000, 81501, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: Error messages grouped."),
  1545. (22000, 81502, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: OpenSCAP not installed."),
  1546. (22000, 81503, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Impossible to execute OpenSCAP."),
  1547. (22000, 81504, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Wrong configuration - Inexistent policy."),
  1548. (22000, 81505, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Wrong configuration - Invalid policy."),
  1549. (22000, 81506, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Problem executing oscap."),
  1550. (22000, 81507, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Wrong configuration - Inexistent profile."),
  1551. (22000, 81508, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: Timeout expired"),
  1552. (22000, 81509, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP ERROR: xsltproc not installed."),
  1553. (22000, 81520, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP XCCDF messages grouped."),
  1554. (22000, 81521, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (passed)"),
  1555. (22000, 81522, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not checked)"),
  1556. (22000, 81523, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not applied)"),
  1557. (22000, 81524, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (fixed)"),
  1558. (22000, 81525, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (informational)"),
  1559. (22000, 81526, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (error)"),
  1560. (22000, 81527, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (unknown)"),
  1561. (22000, 81528, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not selected)"),
  1562. (22000, 81529, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not passed)"),
  1563. (22000, 81530, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not passed)"),
  1564. (22000, 81531, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not passed)"),
  1565. (22000, 81540, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview."),
  1566. (22000, 81541, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 90"),
  1567. (22000, 81542, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 80"),
  1568. (22000, 81543, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 50"),
  1569. (22000, 81544, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 30"),
  1570. (22000, 81550, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP OVAL messages grouped."),
  1571. (22000, 81551, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (passed)"),
  1572. (22000, 81552, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP: $(oscap.check.title) (not passed)"),
  1573. (22000, 81560, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview."),
  1574. (22000, 81561, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 90"),
  1575. (22000, 81562, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 80"),
  1576. (22000, 81563, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 50"),
  1577. (22000, 81564, 15, 173, NULL, 1, 1, "Wazuh - OpenSCAP Report overview: Score less than 30"),
  1578. (22000, 81600, 15, 173, NULL, 1, 1, "Wazuh - Fortigat v3 messages grouped."),
  1579. (22000, 81601, 15, 173, NULL, 1, 1, "Wazuh - Fortigate v4 messages grouped."),
  1580. (22000, 81602, 15, 173, NULL, 1, 1, "Wazuh - Fortigate v5 messages grouped."),
  1581. (22000, 81603, 15, 173, NULL, 1, 1, "Wazuh - Fortigate messages grouped."),
  1582. (22000, 81604, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: IP Sec DPD Failed."),
  1583. (22000, 81605, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall drop events from same source."),
  1584. (22000, 81606, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Login failed."),
  1585. (22000, 81607, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple failed login events from same source."),
  1586. (22000, 81608, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Configuration changed."),
  1587. (22000, 81609, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple changed configuration events from same source."),
  1588. (22000, 81610, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Default tunneling setting. Could be IPS."),
  1589. (22000, 81611, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple default tunneling setting events from same source."),
  1590. (22000, 81612, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Firewall configuration changes"),
  1591. (22000, 81613, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall edit events from same source."),
  1592. (22000, 81614, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: SSL VPN User failed login attempt"),
  1593. (22000, 81615, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall SSL VPN failed login events from same source."),
  1594. (22000, 81616, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: User logout successful"),
  1595. (22000, 81617, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall logout events from same source."),
  1596. (22000, 81618, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Traffic to be aware of."),
  1597. (22000, 81619, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple high traffic events from same source."),
  1598. (22000, 81620, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: URL Blocked by Firewall."),
  1599. (22000, 81621, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple URL blocked from same source."),
  1600. (22000, 81622, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: VPN User connected."),
  1601. (22000, 81623, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple vpn user connected from same source."),
  1602. (22000, 81624, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: VPN User disconnected."),
  1603. (22000, 81625, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple user disconnected events from same source."),
  1604. (22000, 81626, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: User successfully logged into firewall interface."),
  1605. (22000, 81627, 15, 173, NULL, 1, 1, "Wazuh - Fortigate: Multiple Firewall login events from same source."),
  1606. (22000, 81628, 15, 173, NULL, 1, 1, "Wazuh - Fortigate Attack Detected"),
  1607. (22000, 81629, 15, 173, NULL, 1, 1, "Wazuh - Fortigate Attack Dropped"),
  1608. (22000, 81700, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI messages grouped."),
  1609. (22000, 81701, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Emergency event"),
  1610. (22000, 81702, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Alert event"),
  1611. (22000, 81703, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Critical event"),
  1612. (22000, 81704, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Error event"),
  1613. (22000, 81705, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Warning event"),
  1614. (22000, 81706, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Notification event"),
  1615. (22000, 81707, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Informational event"),
  1616. (22000, 81708, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Debug event"),
  1617. (22000, 81709, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI - Warning event: Authentication failure"),
  1618. (22000, 81710, 15, 173, NULL, 1, 1, "Wazuh - HP 5500 EI: Multiple authentication failures."),
  1619. (22000, 81800, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN messages grouped."),
  1620. (22000, 81801, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN: User logged in"),
  1621. (22000, 81802, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN: Concurrent connections"),
  1622. (22000, 81803, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN: Connection Certificate Failed"),
  1623. (22000, 81804, 15, 173, NULL, 1, 1, "Wazuh - OpenVPN: Certificate failed - Possible revoked user"),
  1624. (22000, 81900, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager messages grouped."),
  1625. (22000, 81901, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager: Loging event"),
  1626. (22000, 81902, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager: Authentication success"),
  1627. (22000, 81903, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager: Authentication fail"),
  1628. (22000, 81904, 15, 173, NULL, 1, 1, "Wazuh - RSA Authentication Manager: Multiple authentication failures."),
  1629. (22000, 82000, 15, 173, NULL, 1, 1, "Wazuh - Imperva messages grouped."),
  1630. (22000, 82001, 15, 173, NULL, 1, 1, "Wazuh - Imperva: Event with high severity"),
  1631. (22000, 82100, 15, 173, NULL, 1, 1, "Wazuh - Sophos alerts."),
  1632. (22000, 82101, 15, 173, NULL, 1, 1, "Wazuh - Sophos Cloud Scheduled Scan started"),
  1633. (22000, 82102, 15, 173, NULL, 1, 1, "Wazuh - Sophos Cloud Scheduled Scan completed"),
  1634. (22000, 82103, 15, 173, NULL, 1, 1, "Wazuh - User has started on-access scanning for this machine."),
  1635. (22000, 82104, 15, 173, NULL, 1, 1, "Wazuh - User has stopped on-access scanning for this machine."),
  1636. (22000, 82105, 15, 173, NULL, 1, 1, "Wazuh - Sophos database updated"),
  1637. (22000, 82200, 15, 173, NULL, 1, 1, "Wazuh - FreeIPA syslog."),
  1638. (22000, 82201, 15, 173, NULL, 1, 1, "Wazuh - FreeIPA (apache format)"),
  1639. (22000, 82202, 15, 173, NULL, 1, 1, "Wazuh - FreeIPA messages grouped."),
  1640. (22000, 82203, 15, 173, NULL, 1, 1, "Wazuh - FreeIPA: Authentication fail"),
  1641. (22000, 82400, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer messages grouped."),
  1642. (22000, 82401, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: SERVER-MYSQL failed login attempt"),
  1643. (22000, 82402, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: SERVER-MYSQL login attempt from unauthorized location"),
  1644. (22000, 82403, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: SERVER-MYSQL client authentication bypass attempt"),
  1645. (22000, 82404, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: SERVER-MYSQL show databases attempt"),
  1646. (22000, 82405, 15, 173, NULL, 1, 1, "Wazuh - Cisco eStreamer: APP-DETECT DNS request for potential malware"),
  1647. (22000, 83000, 15, 173, NULL, 1, 1, "Wazuh - Windows Defender messages grouped."),
  1648. (22000, 83001, 15, 173, NULL, 1, 1, "Wazuh - Windows Defender: detected potentially unwanted software"),
  1649. (22000, 83002, 15, 173, NULL, 1, 1, "Wazuh - Windows Defender: error when taking action on potentially unwanted software"),
  1650. (22000, 83200, 15, 173, NULL, 1, 1, "Wazuh - The audit log was cleared"),
  1651. (22000, 83201, 15, 173, NULL, 1, 1, "Wazuh - The Internet Explorer log file was cleared"),
  1652. (22000, 83202, 15, 173, NULL, 1, 1, "Wazuh - The Event log service was started"),
  1653. (22000, 85000, 15, 173, NULL, 1, 1, "Wazuh - SQL Server messages."),
  1654. (22000, 85001, 15, 173, NULL, 1, 1, "Wazuh - Starting up database."),
  1655. (22000, 85002, 15, 173, NULL, 1, 1, "Wazuh - Attempting to load library."),
  1656. (22000, 85003, 15, 173, NULL, 1, 1, "Wazuh - SQL Server process ID."),
  1657. (22000, 85004, 15, 173, NULL, 1, 1, "Wazuh - SQL Server login success."),
  1658. (22000, 85005, 15, 173, NULL, 1, 1, "Wazuh - SQL Server login failed."),
  1659. (22000, 85006, 15, 173, NULL, 1, 1, "Wazuh - SQL Server: Multiple authentication failures."),
  1660. (22000, 85007, 15, 173, NULL, 1, 1, "Wazuh - SQL Server library use."),
  1661. (22000, 85008, 15, 173, NULL, 1, 1, "Wazuh - SQL Server Network Interface library unregistered "),
  1662. (22000, 85009, 15, 173, NULL, 1, 1, "Wazuh - SQL Server error."),
  1663. (22000, 85010, 15, 173, NULL, 1, 1, "Wazuh - SQL Server filestream information."),
  1664. (22000, 85500, 15, 173, NULL, 1, 1, "Wazuh - Identity Guard Log."),
  1665. (22000, 85501, 15, 173, NULL, 1, 1, "Wazuh - Identity Guard: User authentication failed."),
  1666. (22000, 85502, 15, 173, NULL, 1, 1, "Wazuh - Identity Guard: Multiple authentication failures."),
  1667. (22000, 85750, 15, 173, NULL, 1, 1, "Wazuh - MongoDB messages"),
  1668. (22000, 85751, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Fatal message"),
  1669. (22000, 85752, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Error message"),
  1670. (22000, 85753, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Warning message"),
  1671. (22000, 85754, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Debug message"),
  1672. (22000, 85755, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Informational message"),
  1673. (22000, 85756, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Connection accepted"),
  1674. (22000, 85757, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: End connection"),
  1675. (22000, 85758, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Successfully authentication"),
  1676. (22000, 85759, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Failed authentication"),
  1677. (22000, 85760, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Multiple authentication failures."),
  1678. (22000, 85761, 15, 173, NULL, 1, 1, "Wazuh - MongoDB: Execute commands without the necessary privileges"),
  1679. (22000, 86000, 15, 173, NULL, 1, 1, "Wazuh - Docker messages"),
  1680. (22000, 86001, 15, 173, NULL, 1, 1, "Wazuh - Docker: Information message"),
  1681. (22000, 86002, 15, 173, NULL, 1, 1, "Wazuh - Docker: Warning message"),
  1682. (22000, 86003, 15, 173, NULL, 1, 1, "Wazuh - Docker: Error message"),
  1683. (22000, 86004, 15, 173, NULL, 1, 1, "Wazuh - Docker: Fatal message"),
  1684. (22000, 86005, 15, 173, NULL, 1, 1, "Wazuh - Docker: Error - unauthorized action"),
  1685. (22000, 86006, 15, 173, NULL, 1, 1, "Wazuh - Docker: Error - denied action"),
  1686. (22000, 86250, 15, 173, NULL, 1, 1, "Wazuh - Jenkins messages"),
  1687. (22000, 86251, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Information message"),
  1688. (22000, 86252, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Warning message"),
  1689. (22000, 86253, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Severe message"),
  1690. (22000, 86254, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Installation successful"),
  1691. (22000, 86255, 15, 173, NULL, 1, 1, "Wazuh - Jenkins: Started SSHD"),
  1692. (22000, 86501, 15, 173, NULL, 1, 1, "Wazuh - Object Deleted."),
  1693. (22000, 86502, 15, 173, NULL, 1, 1, "Wazuh - Object Deleted."),
  1694. (22000, 86503, 15, 173, NULL, 1, 1, "Wazuh - S3 deleted object (high number of deleted object)."),
  1695. (22000, 86800, 15, 173, NULL, 1, 1, "Wazuh - VShell message grouped."),
  1696. (22000, 86801, 15, 173, NULL, 1, 1, "Wazuh - VShell connection attempt successful"),
  1697. (22000, 86802, 15, 173, NULL, 1, 1, "Wazuh - VShell user failed to login or user does not exist"),
  1698. (22000, 86803, 15, 173, NULL, 1, 1, "Wazuh - VShell user used the maximum number of password attempts."),
  1699. (22000, 86804, 15, 173, NULL, 1, 1, "Wazuh - Host is trying to connect to VShell server but exists in the deny file."),
  1700. (22000, 86805, 15, 173, NULL, 1, 1, "Wazuh - VShell user successfully authenticated."),
  1701. (22000, 86806, 15, 173, NULL, 1, 1, "Wazuh - VShell multiple connection attempts within 2 minute by a host in the deny file, potential DOS or brute force attempt."),
  1702. (22000, 86807, 15, 173, NULL, 1, 1, "Wazuh - VShell host has exceeded the number of failed login attempts and has been added to the Hosts Deny file."),
  1703. (22000, 100001, 15, 173, NULL, 1, 1, "Wazuh - sshd: authentication failed from IP 1.1.1.1.");