I solved my problem with this solution: https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification

  <decoder name="windows">
    <type>windows</type>
    <prematch>^WinEvtLog: </prematch>
  </decoder>

  <decoder name="windows-default">
    <parent>windows</parent>
    <type>windows</type>
    <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
    <regex>(\.+): \.+: (\S+): </regex>
    <order>status, id, extra_data, srcuser, system_name</order>
    <fts>name, location, user, system_name</fts>
  </decoder>

  <!-- And adding some IP/name extractions -->
  <decoder name="windows-default">
    <parent>windows</parent>
    <type>windows</type>
    <regex offset="after_parent">Client Address:\s*\t*(\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
  </decoder>

I'm trying another solution, but this one doesn't parse well:

  <decoder name="windows-675">
    <type>windows</type>
    <parent>windows</parent>
    <prematch offset="after_parent">^\.+: (\w+)\((675)\):</prematch>
    <regex offset="after_parent">^\.+: (\w+)\((675)\): \.+: \.+: \.+: (\S+): \.+: \.+: (\S+)</regex>
    <order>status, id, system_name, srcuser</order>
  </decoder>

  <decoder name="windows-675">
    <type>windows</type>
    <parent>windows</parent>
    <regex offset="after_parent">Client Address: (\d+.\d+.\d+.\d+)</regex>
    <order>srcip</order>
  </decoder>

On Thursday, 2 March 2017 at 19:58:30 (UTC+1), dan (ddpbsd) wrote:
>
> It continues to work with a fresh install of MASTER
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Mar 2 17:36:50 ossec-test2 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>        hostname: 'ossec-test2'
>        program_name: 'WinEvtLog'
>        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>        status: 'AUDIT_FAILURE'
>        id: '5152'
>        extra_data: 'Microsoft-Windows-Security-Auditing'
>        dstuser: '(no user)'
>        system_name: 'WK034.dom.com'
>        srcip: '10.20.10.55'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '18105'
>        Level: '4'
>        Description: 'Windows audit failure event.'
> **Alert to be generated.
>
> On Thu, Mar 2, 2017 at 12:32 PM, dan (ddp) <ddp...@gmail.com> wrote:
> > On Thu, Mar 2, 2017 at 6:41 AM, Casimiro <hfba...@gmail.com> wrote:
> >> Thanks.
> >> But it doesn't work. It only decodes the srcip field. Attached is the output:
> >>
> >> **Phase 1: Completed pre-decoding.
> >>        full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>        hostname: 'USMCyberRange'
> >>        program_name: '(null)'
> >>        log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK34.dom.com: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
> >>
> >> **Phase 2: Completed decoding.
> >>        decoder: 'windows'
> >>        srcip: '10.20.10.55'
> >>
> >> **Rule debugging:
> >>     Trying rule: 6 - Generic template for all windows rules.
> >>        *Rule 6 matched.
> >>        *Trying child rules.
> >>     Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
> >>     Trying rule: 18100 - Group of windows rules.
> >>        *Rule 18100 matched.
> >>        *Trying child rules.
> >>     Trying rule: 18101 - Windows informational event.
> >>     Trying rule: 18102 - Windows warning event.
> >>     Trying rule: 18104 - Windows audit success event.
> >>     Trying rule: 18103 - Windows error event.
> >>     Trying rule: 18105 - Windows audit failure event.
> >>
> >> **Phase 3: Completed filtering (rules).
> >>        Rule id: '18100'
> >>        Level: '0'
> >>        Description: 'Group of windows rules.'
> >>
> >> So, the original fields of the decoder have been erased (status, id, extra_data, srcuser, system_name, name, location, user, system_name). The consequence is that the original rules don't match.
> >>
> >
> > That's strange, it works for me (I had to add the timestamp info):
> > **Phase 1: Completed pre-decoding.
> >        full event: 'Mar 2 11:17:01 ossec-test WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
> >        hostname: 'ossec-test'
> >        program_name: 'WinEvtLog'
> >        log: 'Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
> >
> > **Phase 2: Completed decoding.
> >        decoder: 'windows'
> >        status: 'AUDIT_FAILURE'
> >        id: '5152'
> >        extra_data: 'Microsoft-Windows-Security-Auditing'
> >        dstuser: '(no user)'
> >        system_name: 'WKSUSR034.mccd.def'
> >        srcip: '10.20.10.55'
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '18105'
> >        Level: '4'
> >        Description: 'Windows audit failure event.'
> > **Alert to be generated.
> >
> > Are you sure you have the latest Windows decoders? I'll try firing up another image and try again.
> >
> >
> >> On Friday, 17 February 2017 at 14:01:15 (UTC+1), Casimiro wrote:
> >>>
> >>> I'm trying to override the windows decoder to extract more fields (in local_decoder.xml), like source ip, destination ip, source port, ...
> >>>
> >>> This is my local decoder for windows:
> >>>
> >>> <decoder name="windows-audit">
> >>>   <parent>windows</parent>
> >>>   <prematch>AUDIT_FAILURE(51512)</prematch>
> >>>   <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
> >>>   <order>srcip</order>
> >>> </decoder>
> >>>
> >>> When I put the new decoder in local_decoder.xml, the windows log doesn't match the windows parent decoder. If I take out the local decoder, then the log matches the windows parent decoder.
> >>>
> >>> I want to get all fields: parent fields + child fields (in this case status, id, extra_data, srcuser, system_name and srcip).
> >>>
> >>> Thanks in advance
> >>>
> >>>
> >> --
> >>
> >> ---
> >> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> >> For more options, visit https://groups.google.com/d/optout.
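To make concrete what the decoder chain in this thread is supposed to extract, here is an added example, written for this page and not code from the thread, from OSSEC or from the AlienVault post, that re-implements the 'windows' parent/child extraction in Python over the event quoted above. It uses Python's re syntax, so the OSSEC patterns are translated: in OSSEC's dialect `\.` means "any character" and a bare `.` is a literal dot, which is why the thread's `\d+.\d+.\d+.\d+` is a valid IPv4 pattern there and becomes `\d+\.\d+\.\d+\.\d+` here. The sample event is the one from the thread; the syslog-header shape, the names chosen for the extra network fields (srcport, dstip, dstport, protocol) and the status-to-rule table are this example's assumptions, except for rules 18100 and 18105, whose descriptions appear in the debug output above.

```python
"""Added example: Python re-implementation of what the OSSEC 'windows'
decoder chain in this thread extracts from a WinEvtLog event.
Not OSSEC's code; Python re syntax, not OSSEC's regex dialect."""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the event quoted in the thread, as ossec-logtest
# received it in Casimiro's run (no syslog header in front of it).
SAMPLE_EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: "
    "The Windows Filtering Platform blocked a packet. Application Information: "
    "Process ID: 0 Application Name: - Network Information: Direction: %%14592 "
    "Source Address: 10.20.10.55 Source Port: 55666 "
    "Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 "
    "Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 "
    "Layer Run-Time ID: 13"
)

# Phase 1 (pre-decoding): optional "Mon dd hh:mm:ss host program: " header,
# the form dan used when he prepended the timestamp. Assumed shape.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d (?P<hostname>\S+) "
    r"(?P<program_name>[^:\s]+): (?P<log>.*)$", re.S)

# Parent decoder: the prematch only decides that this is a Windows event.
PREMATCH = re.compile(r"^WinEvtLog: ")

# Child 'windows-default': the thread's two regexes
#   ^\.+: (\w+)\((\d+)\): (\.+):      (\.+): \.+: (\S+):
# with order status, id, extra_data, srcuser, system_name.
# OSSEC '\.' = any character; Python needs '[^:]+' for the same "up to
# the next colon" behaviour. (dan's newer build names srcuser 'dstuser'.)
HEADER = re.compile(
    r"^(?P<location>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<srcuser>[^:]+): [^:]+: (?P<system_name>\S+): ")

# Extra fields the original poster wanted from event 5152 (names assumed).
NETWORK = {
    "srcip": re.compile(r"Source Address:\s+(\d+\.\d+\.\d+\.\d+)"),
    "srcport": re.compile(r"Source Port:\s+(\d+)"),
    "dstip": re.compile(r"Destination Address:\s+(\d+\.\d+\.\d+\.\d+)"),
    "dstport": re.compile(r"Destination Port:\s+(\d+)"),
    "protocol": re.compile(r"Protocol:\s+(\d+)"),
}


def predecode(line: str) -> Tuple[Optional[str], str]:
    """Phase 1: split off a syslog header if present; return (program_name, log).
    Without a header program_name is None, like the '(null)' in the thread."""
    m = SYSLOG_HEADER.match(line)
    if m:
        return m.group("program_name"), m.group("log")
    return None, line


def decode(line: str) -> Optional[Dict[str, str]]:
    """Phase 2: decoded fields, or None if this is not a WinEvtLog event
    (OSSEC would then go on to try its other decoders)."""
    program_name, log = predecode(line)
    if program_name == "WinEvtLog":
        body = log                      # header already consumed the prefix
    else:
        m = PREMATCH.match(log)
        if not m:
            return None
        body = log[m.end():]            # offset="after_parent"
    fields: Dict[str, str] = {}
    h = HEADER.match(body)
    if h:
        fields.update((k, v) for k, v in h.groupdict().items() if k != "location")
    # The same-name sibling decoder adds fields; it must not drop the header ones.
    for name, rx in NETWORK.items():
        n = rx.search(body)
        if n:
            fields[name] = n.group(1)
    return fields


# Phase 3: toy of the stock rule chain listed in the thread's rule debugging.
# 18100/18105 are as shown on the page; the status keywords for the other
# children are the ones the OSSEC Windows agent emits (assumed here).
RULES = {"INFORMATION": "18101", "WARNING": "18102", "ERROR": "18103",
         "AUDIT_SUCCESS": "18104", "AUDIT_FAILURE": "18105"}


def match_rule(fields: Dict[str, str]) -> str:
    """Child rule id for the decoded status; with no status field (the
    thread's symptom) only the group rule 18100 matches."""
    return RULES.get(fields.get("status", ""), "18100")


if __name__ == "__main__":
    decoded = decode(SAMPLE_EVENT)
    for k, v in decoded.items():
        print(f"{k}: '{v}'")
    print("Rule id:", match_rule(decoded))
    # dan's form, with the syslog header in front, decodes the same way.
    assert decode("Mar  2 17:36:50 ossec-test2 " + SAMPLE_EVENT) == decoded
```

Running it reproduces dan's second phase (status, id, extra_data, user, system_name plus srcip, with the extra port/protocol fields on top) and lands the event on 18105; deleting the `status` key before calling `match_rule` reproduces Casimiro's failure mode, where only the group rule 18100 fires because the child decoder replaced the header fields instead of adding to them.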