On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown wrote:
> There is a decoder that isn't quite handling some log entries the way I
> need. I want to augment an existing decoder, but apparently I'm not doing
> this correctly.
> Here's an example log entry:
> 2017 Jul 03 11:17:37
On Mon, Jul 3, 2017 at 6:10 AM, Fredrik Hilmersson wrote:
> Hello,
>
> Let's say I have a script which runs once every half an hour, with a latency
> difference of about 10-20 seconds.
> Would it be possible to match the following:
>
> 1. Time
> 2. Hostname
> 3.
On Mon, Jul 3, 2017 at 11:28 AM, Ian Brown wrote:
> I believe I've figured it out -- I think the decoder isn't matching the full
> log string and is thus stripping the ip address information. Also after
> looking at the regex in the decoder, I've discovered that it doesn't
On Mon, Jul 3, 2017 at 2:28 AM, Ian Brown wrote:
> I've got this event log in windows:
>
> 2017 Jul 02 22:38:47 WinEvtLog: Security: AUDIT_FAILURE(5152):
> Microsoft-Windows-Security-Auditing: (no user): no domain: leaf-1: The
> Windows Filtering Platform blocked a packet.
On Wed, Jul 5, 2017 at 12:52 AM, Tunguyen wrote:
> Hi everyone, here is my ossec.conf on the server:
>
>
>
> <command>firewall-drop</command>
> <location>server,all</location>
> <rules_id>31152</rules_id>
> <timeout>600</timeout>
> <repeated_offenders>30,60,90,120,150</repeated_offenders>
>
>
> rule 31152 is:
>
>
> 31103
>
> Multiple SQL
On Wed, Jul 5, 2017 at 11:41 AM, Bob Boklewski wrote:
> Also, what does the "if_sid" match to? I am trying to understand how to
> create custom rules and it seems this "if_sid" is unique and defined
> somewhere. I see that rule id and description can be whatever
On Wed, Jul 5, 2017 at 11:27 AM, Bob Boklewski wrote:
> In the OSSEC.conf file I have level 3 logging set. I can't seem to get this
> rule to fire that is a predefined rule in the msauth_rules.xml file. I can
> see in the windows log event id: 4624, but it won't
Also, what does the "if_sid" match to? I am trying to understand how to
create custom rules and it seems this "if_sid" is unique and defined
somewhere. I see that rule id and description can be whatever you want and
"id" is the event id number you want to monitor. Any help is much
In the OSSEC.conf file I have level 3 logging set. I can't seem to get
this rule to fire that is a predefined rule in the msauth_rules.xml file.
I can see in the windows log event id: 4624, but it won't fire.
<if_sid>18104</if_sid>
<id>^528$|^540$|^673$|^4624$|^4769$</id>
<description>Windows Logon Success.</description>
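To illustrate what `if_sid` does, here is a small Python model of OSSEC-style rule chaining, added for this thread and not part of OSSEC's own engine: a rule carrying `if_sid` is only considered once the rule it names has already matched for the same event, and `id` is a regex tested against the decoded event id. The parent rule 18104 is stubbed as "any audit-success event" and the child rule id 100100 is a constructed local-rule id; both are assumptions.

```python
import re

# Simplified model of OSSEC rule chaining (illustration, not OSSEC's engine).
# A rule with "if_sid" is evaluated only after the named parent rule has fired;
# "id_regex" is matched against the decoded Windows event id.
RULES = [
    # Parent rule 18104 from msauth_rules.xml; its real condition is not shown
    # in the thread, so it is modelled here as "audit success status" (assumption).
    {"id": 18104, "if_sid": None, "id_regex": None,
     "status": "AUDIT_SUCCESS", "description": "Windows audit success event"},
    # The rule quoted in the thread; 100100 is a constructed local-rule id.
    {"id": 100100, "if_sid": 18104,
     "id_regex": r"^528$|^540$|^673$|^4624$|^4769$",
     "status": None, "description": "Windows Logon Success."},
]

def rule_matches(rule, event, fired):
    """Return True if `rule` applies to the decoded `event`.
    `fired` is the set of rule ids that already matched for this event."""
    if rule["if_sid"] is not None and rule["if_sid"] not in fired:
        return False  # parent rule named by if_sid has not fired: skip
    if rule["status"] is not None and event.get("status") != rule["status"]:
        return False
    if rule["id_regex"] is not None and not re.search(rule["id_regex"], event.get("id", "")):
        return False
    return True

def evaluate(event):
    """Walk the rule list in order; return the descriptions of rules that fired."""
    fired, descriptions = set(), []
    for rule in RULES:
        if rule_matches(rule, event, fired):
            fired.add(rule["id"])
            descriptions.append(rule["description"])
    return descriptions

# Constructed decoded events, shaped like what a Windows decoder hands the rules.
LOGON_OK = {"status": "AUDIT_SUCCESS", "id": "4624"}    # should reach the child rule
LOGON_FAIL = {"status": "AUDIT_FAILURE", "id": "4625"}  # parent never fires
WFP_DROP = {"status": "AUDIT_FAILURE", "id": "5152"}    # the 5152 event seen above

if __name__ == "__main__":
    for ev in (LOGON_OK, LOGON_FAIL, WFP_DROP):
        print(ev["id"], "->", evaluate(ev))
```

The point for the question above: the child rule cannot fire on its own, so if the parent named in `if_sid` does not match the event (here, anything that is not an audit success), the 4624 rule stays silent regardless of the `id` regex.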