how is the format of a Windows log expected by OSSEC from a Windows agent?

Hi George,
Your last example is the format. Try with ossec-logtest:

2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ac Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.

**Phase 1: Completed pre-decoding.
       full event: '2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ac Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.'
       hostname: 'LinMV'
       program_name: '(null)'
       log: '2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ac Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '4624'
       extra_data: 'Microsoft-Windows-Security-Auditing'
       dstuser: 'Administrator'
       system_name: 'WIN2012'

**Phase 3: Completed filtering (rules).
       Rule id: '100011'
       Level: '5'
       Description: 'Bad user'
**Alert to be generated.

If you want, you can create specific decoders for other formats, but I don't see why you need that.

Regards.
Jesus Linares.

On Monday, March 7, 2016 at 3:53:39 AM UTC+1, gp85...@gmail.com wrote:
>
> Hello,
>
> I was wondering if there is a guide on how to write decoders for Windows
> Server 2008 and 2012 Security logs. I am more interested in the standard
> raw Windows log. With UNIX it is very straightforward because of the
> standard syslog output, but with Windows, without knowing how the raw log
> entry looks, it seems to be impossible to write the regular expressions
> needed to parse a message.
> For example on Linux, an auditd log entry has a known format:
>
>> /var/log/audit/audit.log:type=USER_START msg=audit(1457067617.649:348): pid=2326 uid=0 auid=1000 ses=1 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_console,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring acct="master" exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=/dev/tty2 res=success
>
> while Windows has a different log format. Looking at a Windows Security
> event log in CSV, TXT, XML or even Snare, the formats look different from
> each other.
>
> Example of the CSV and TXT format of a Windows log:
>
>> 3/3/2016 5:12:44 PM,Microsoft-Windows-Security-Auditing,5158,Filtering Platform Connection,"The Windows Filtering Platform has permitted a bind to a local port.
>>
>> Application Information:
>> Process ID: 2560
>> Application Name: \device\harddiskvolume2\program files (x86)\ossec-agent\ossec-agent.exe
>>
>> Network Information:
>> Source Address: 0.0.0.0
>> Source Port: 54639
>> Protocol: 17
>>
>> Filter Information:
>> Filter Run-Time ID: 0
>> Layer Name: Resource Assignment
>> Layer Run-Time ID: 36"
>
> Snare sends Windows logs to rsyslog in the following format:
>
>> Mar 05 23:26:31 WIN2012 5905 4656 (File System) Security Microsoft-Windows-Security-Auditing WIN2012\Administrator N/A Success Audit A handle to an object was requested. Subject: Security ID: S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator Account Domain: WIN2012 Logon ID: 0x25CD8 Object: Object Server: Security Object Type: File Object Name: C:\Users\Administrator\Desktop\AuditTest\F1 Handle ID: 0x1238 Resource Attributes: - Process Information: Process ID: 0xa3c Process Name: C:\Windows\explorer.exe Access Request Information: Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses: READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by Ownership ReadAttributes: Granted by D:(A;OICIID;FA;;;WD) Access Mask: 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0
>
> OSSEC log from a Windows agent:
>
>> 2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1ac Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
>
> My question in other words should probably be: how is the format of a
> Windows log expected by OSSEC from a Windows agent?
> As you can see, not all fields are in the same location as in the last
> sample of the OSSEC log, and this is why I am encountering difficulty in
> creating a proper custom decoder for Windows.
>
> Cheers,
> George
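Added example for this thread (not code from OSSEC or from either poster): a small Python parser for the WinEvtLog line format the OSSEC Windows agent forwards, splitting the header into the same fields ossec-logtest reported above (status, id, extra_data, dstuser, system_name) and then recovering the "Label: value" pairs from the flattened 4624 description, which is where the information a rule actually wants (logon type, new-logon account, source address) lives. The header regex, the name "domain" for the field between dstuser and system_name, and the label list for the body are this example's own assumptions modelled on the sample line; the sample itself is copied from the thread.

```python
"""Parse the "WinEvtLog:" line format an OSSEC Windows agent forwards.

Added example, not OSSEC's own decoder. HEADER_RE is an assumption modelled on
the fields ossec-logtest reported for the 4624 sample in the thread; the body
labels are the ones Windows uses in 4624 (other event IDs need theirs added).
"""
import re
from typing import Dict, Optional

# Sample line copied from the thread (OSSEC agent rendering of event 4624).
SAMPLE = (
    r"2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    r"Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: "
    r"An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    r"Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7 "
    r"Logon Type: 2 New Logon: Security ID: "
    r"S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator "
    r"Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID: "
    r"{00000000-0000-0000-0000-000000000000} Process Information: Process ID: "
    r"0x1ac Process Name: C:\Windows\System32\winlogon.exe Network Information: "
    r"Workstation Name: WIN2012 Source Network Address: 127.0.0.1 Source Port: 0 "
    r"Detailed Authentication Information: Logon Process: User32 "
    r"Authentication Package: Negotiate Transited Services: - "
    r"Package Name (NTLM only): - Key Length: 0 This event is generated when a "
    r"logon session is created. It is generated on the computer that was accessed."
)

# Header layout seen in the sample:
#   <timestamp> WinEvtLog: <channel>: <STATUS>(<id>): <source>: <user>: <domain>: <computer>: <message>
# Group names follow the logtest output; "domain" is this example's own name
# (assumption) for the field logtest did not report.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<dstuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)

# Sections and labels of the flattened 4624 description. Fields are keyed as
# "<section>.<label>" because Subject and New Logon repeat the same labels.
SECTIONS = ("Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information")
TOP_LEVEL = ("Logon Type",)  # sits between sections, not inside one
LABELS = ("Security ID", "Account Name", "Account Domain", "Logon ID",
          "Logon GUID", "Process ID", "Process Name", "Workstation Name",
          "Source Network Address", "Source Port", "Logon Process",
          "Authentication Package", "Transited Services",
          "Package Name (NTLM only)", "Key Length")
# A label only counts at the start of the text or after whitespace, so a
# value such as "C:\Windows\..." is not mistaken for a new field.
TOKEN_RE = re.compile(r"(?<!\S)(" + "|".join(
    re.escape(t) for t in SECTIONS + TOP_LEVEL + LABELS) + r"): ")


def parse_header(line: str) -> Optional[Dict[str, str]]:
    """Split the agent header; None when the line is not WinEvtLog format."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_body(message: str) -> Dict[str, str]:
    """Recover the "Label: value" pairs the agent flattened onto one line."""
    tokens = list(TOKEN_RE.finditer(message))
    fields: Dict[str, str] = {}
    # Free text before the first label is the event's one-line description.
    fields["description"] = (message[:tokens[0].start()] if tokens else message).strip()
    section = None
    for i, tok in enumerate(tokens):
        name = tok.group(1)
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(message)
        value = message[tok.end():end].strip()
        if name in SECTIONS:
            section = name
        elif name in TOP_LEVEL:
            section = None
            fields[name] = value
        else:
            fields[f"{section}.{name}" if section else name] = value
    # Windows appends an explanatory paragraph after the last field, so the
    # final value (Key Length here) carries that trailing text.
    return fields


def logon_summary(line: str) -> Optional[Dict[str, Optional[str]]]:
    """The fields a detection rule on 4624 usually keys on."""
    hdr = parse_header(line)
    if hdr is None or hdr["id"] != "4624":
        return None
    body = parse_body(hdr["message"])
    return {
        "system": hdr["system_name"],
        "status": hdr["status"],
        "user": body.get("New Logon.Account Name"),
        "domain": body.get("New Logon.Account Domain"),
        "logon_type": body.get("Logon Type"),
        "src_ip": body.get("Network Information.Source Network Address"),
        "process": body.get("Process Information.Process Name"),
    }


if __name__ == "__main__":
    print(parse_header(SAMPLE)["status"], logon_summary(SAMPLE))
```

The header part is what the stock `windows` decoder gives you for free; the body part is what a custom child decoder or rule would need to add if, for example, you want to alert on a particular logon type or source address rather than on the user name alone. Because the agent collapses the multi-line Windows description into one space-separated line, matching on known labels is more robust than trying to guess field boundaries from punctuation.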