It seems the output of ossec-logtest is cut in the previous post. I paste it here again:

2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE

**Phase 1: Completed pre-decoding.
       full event: '2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
       hostname: 'ip-10-0-0-10'
       program_name: '(null)'
       log: '2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'

**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'C:\Users\administrator\Desktop\svchost.exe'
       dstuser: 'HACKME\Administrator'
       url: 'C019D10F80409FC4C7D45EBFA48B0076'
       extra_data: 'C:\Windows\explorer.exe'

**Phase 3: Completed filtering (rules).
       Rule id: '184666'
       Level: '12'
       Description: 'Sysmon - Suspicious Process - svchost.exe'

You can find decoders for all sysmon events here: <https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/decoders/windows_decoders.xml#L197>

Regards.

On Monday, August 1, 2016 at 9:46:31 AM UTC+2, Jesus Linares wrote:
>
> Hi Craig,
>
> the raw event is:
> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE
>
> but, OSSEC adds a header in archives.log:
>
> *2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog *2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE
>
>
> So, you must always use *ossec-logtest* without headers:
> 2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image: C:\Users\administrator\Desktop\svchost.exe CommandLine: "C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory: C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056
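As an added illustration (not code from this thread, from OSSEC or from the Wazuh ruleset), the Python below reproduces the two things the logtest run above demonstrates in a form that runs offline: it strips the archives.log header that OSSEC prepends to agent events, splits a Sysmon Process Create line into its named fields, and then raises a "Suspicious Process" style alert when a binary named svchost.exe runs from anywhere but the system directories, which is the situation rule 184666 reports for this event. It goes slightly beyond the thread by applying the same path check to a couple of other well-known system binary names. The regex group names, the field-name list, the EXPECTED_DIRS table and the BENIGN_EVENT line are this example's own assumptions; the real OSSEC decoder maps the values into its generic fields (status, dstuser, url, extra_data) as the Phase 2 output shows, and the real rule's matching logic lives in the linked ruleset, not here.

```python
import re

# Header OSSEC prepends when it writes an agent event to archives.log
# ("<timestamp> (<agent>) <ip>-><location> "); ossec-logtest wants the event without it.
ARCHIVES_HEADER = re.compile(r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \([^)]+\) \S+->\S+ ")

# Fixed prefix of a WinEvtLog line as the OSSEC agent forwards it. The group names are
# this example's own, not OSSEC decoder field names.
WINEVT_PREFIX = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<channel>[^:]+): (?P<level>\w+)\((?P<event_id>\d+)\): (?P<provider>[^:]+): "
    r"(?P<account>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): (?P<task>[^:]+): (?P<body>.*)$"
)

# Field names of a Sysmon event 1 (Process Create) in the order they appear in the body.
SYSMON_PC_FIELDS = [
    "UtcTime", "ProcessGuid", "ProcessId", "Image", "CommandLine", "CurrentDirectory",
    "User", "LogonGuid", "LogonId", "TerminalSessionId", "IntegrityLevel", "Hashes",
    "ParentProcessGuid", "ParentProcessId", "ParentImage", "ParentCommandLine",
]
_KEYS = "|".join(SYSMON_PC_FIELDS)
# Values contain spaces and colons (paths, timestamps), so a value runs until the next
# known key; the \b stops "Image:" from matching inside "ParentImage:".
SYSMON_FIELD = re.compile(r"\b(?P<key>%s): (?P<value>.*?)(?=\s\b(?:%s): |$)" % (_KEYS, _KEYS))

# System binaries that should only run from these directories (assumed list, lower-case).
EXPECTED_DIRS = {
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "lsass.exe": ("c:\\windows\\system32\\",),
}

# Constructed sample input: RAW_EVENT is the event from the thread, ARCHIVED_EVENT the same
# event with the archives.log header, BENIGN_EVENT a made-up legitimate svchost launch.
RAW_EVENT = (
    "2016 Jul 29 22:32:24 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    "Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: "
    "UtcTime: 2016-07-30 03:32:24.846 ProcessGuid: {67C360F4-1FC8-579C-0000-001017F41E00} "
    "ProcessId: 3988 Image: C:\\Users\\administrator\\Desktop\\svchost.exe "
    'CommandLine: "C:\\Users\\administrator\\Desktop\\svchost.exe" '
    "CurrentDirectory: C:\\Users\\administrator\\Desktop\\ User: HACKME\\Administrator "
    "LogonGuid: {67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b TerminalSessionId: 1 "
    "IntegrityLevel: High Hashes: MD5=C019D10F80409FC4C7D45EBFA48B0076 "
    "ParentProcessGuid: {67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 "
    "ParentImage: C:\\Windows\\explorer.exe ParentCommandLine: C:\\Windows\\Explorer.EXE"
)
ARCHIVED_EVENT = "2016 Jul 29 22:32:25 (WIN7-X64-PC1) 172.16.213.5->WinEvtLog " + RAW_EVENT
BENIGN_EVENT = (
    "2016 Jul 29 22:40:00 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): "
    "Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local: Process Create: "
    "UtcTime: 2016-07-30 03:40:00.000 ProcessGuid: {00000000-0000-0000-0000-000000000001} "
    "ProcessId: 1234 Image: C:\\Windows\\System32\\svchost.exe "
    "CommandLine: C:\\Windows\\system32\\svchost.exe -k netsvcs "
    "CurrentDirectory: C:\\Windows\\system32\\ User: NT AUTHORITY\\SYSTEM "
    "LogonGuid: {00000000-0000-0000-0000-000000000002} LogonId: 0x3e7 TerminalSessionId: 0 "
    "IntegrityLevel: System Hashes: MD5=00000000000000000000000000000000 "
    "ParentProcessGuid: {00000000-0000-0000-0000-000000000003} ParentProcessId: 500 "
    "ParentImage: C:\\Windows\\System32\\services.exe ParentCommandLine: C:\\Windows\\system32\\services.exe"
)


def strip_archives_header(line):
    """Remove the archives.log header so the line is what ossec-logtest expects."""
    return ARCHIVES_HEADER.sub("", line, count=1)


def parse_process_create(line):
    """Return (prefix, fields) for a Sysmon Process Create line, else None."""
    m = WINEVT_PREFIX.match(strip_archives_header(line))
    if not m or m.group("event_id") != "1" or m.group("task") != "Process Create":
        return None
    prefix = m.groupdict()
    body = prefix.pop("body")
    fields = {f.group("key"): f.group("value") for f in SYSMON_FIELD.finditer(body)}
    return prefix, fields


def check_system_binary_path(fields):
    """Alert text if a well-known system binary name runs outside its directory, else None."""
    image = fields.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    expected = EXPECTED_DIRS.get(name)
    if expected is None or image.startswith(expected):
        return None
    return "Sysmon - Suspicious Process - %s outside %s" % (name, " or ".join(expected))


def analyze(line):
    """Summarise one line roughly as the three logtest phases do, plus the path check."""
    parsed = parse_process_create(line)
    if parsed is None:
        return None
    prefix, fields = parsed
    return {
        "host": prefix["host"],
        "image": fields.get("Image"),
        "user": fields.get("User"),
        "parent": fields.get("ParentImage"),
        "md5": fields.get("Hashes", "").replace("MD5=", ""),
        "alert": check_system_binary_path(fields),
    }


if __name__ == "__main__":
    for sample in (ARCHIVED_EVENT, RAW_EVENT, BENIGN_EVENT):
        print(analyze(sample))
```

Feeding ARCHIVED_EVENT and RAW_EVENT gives the same result because the header is stripped first, which is the step the reply above says you must do by hand before pasting into ossec-logtest; the benign line parses identically but produces no alert, since the image path starts with one of the expected directories.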