hi i have ossec manager 2.9.2 on ubuntu and ossec agent on windows v2.9.0. sysmon installed and has been configured, and for example i tried to acces powershell, agent's log. so I tried to use ossec-logtest and have result :
**Phase 1: Completed pre-decoding. full event: '2017 Sep 28 11:15:28 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create: UtcTime: 2017-09-28 04:15:28.884 ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7 ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId: 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE' hostname: 'ubuntu' program_name: 'WinEvtLog' log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: IE11Win7: Process Create: UtcTime: 2017-09-28 04:15:28.884 ProcessGuid: {6B166207-7760-59CC-0000-0010F1E00800} ProcessId: 732 Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" CurrentDirectory: C:\Windows\system32\ User: IE11WIN7\IEUser LogonGuid: {6B166207-76B9-59CC-0000-0020FDE40100} LogonId: 0x1e4fd TerminalSessionId: 1 IntegrityLevel: High Hashes: MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7 ParentProcessGuid: {6B166207-76E1-59CC-0000-0010BA5F0600} ParentProcessId: 2920 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE' **Phase 2: Completed decoding. *decoder: 'windows'* status: 'INFORMATION' id: '1' extra_data: 'Microsoft-Windows-Sysmon' dstuser: 'SYSTEM' system_name: 'IE11Win7' **Phase 3: Completed filtering (rules). Rule id: '99999' Level: '3' Description: 'Windows Rule Triggered' **Alert to be generated. here is sysmon decoder by default: <decoder name="Sysmon-EventID#1"> <type>windows</type> <prematch>INFORMATION\(1\)</prematch> <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex> <order>status,user,url,data</order> </decoder> as I know , there is Sysmon decoder and sysmon rules on Ossec 2.9.2 could anyone help me how to fix it so sysmon decoder and sysmon rules is triggered? -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.