Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-06 Thread dan (ddp)
On Mar 6, 2017 9:51 AM, "Eduardo Reichert Figueiredo" < eduardo.reich...@hotmail.com> wrote: > Hi all, is there any possibility of writing the source IP address in the integrity check events, so that the alert displays the real IP? There is no IP information in the syscheck log messages, so there is nothing to print.

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-06 Thread Eduardo Reichert Figueiredo
Hi all, is there any possibility of writing the source IP address in the integrity check events, so that the alert displays the real IP? On Friday, March 3, 2017 at 15:55:14 UTC-3, dan (ddpbsd) wrote: > > On Fri, Mar 3, 2017 at 3:04 AM, Casimiro > wrote: > > I solved my problem with

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-03 Thread dan (ddp)
On Fri, Mar 3, 2017 at 3:04 AM, Casimiro wrote: > I solved my problem with this solution > > https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification > > > > windows > ^WinEvtLog: > > > > windows > windows > ^\.+:

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-03 Thread Casimiro
I solved my problem with this solution: https://www.alienvault.com/forums/discussion/5962/ossec-plugin-modification windows ^WinEvtLog: windows windows ^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): status, id, extra_data, srcuser,

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread dan (ddp)
It continues to work with a fresh install of MASTER **Phase 1: Completed pre-decoding. full event: 'Mar 2 17:36:50 ossec-test2 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WK034.dom.com: The Windows Filtering Platform blocked a

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread dan (ddp)
On Thu, Mar 2, 2017 at 6:41 AM, Casimiro wrote: > Thanks. > But it doesn't work. It only decodes the srcip field. Attached is the output: > > **Phase 1: Completed pre-decoding. >full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): > Microsoft-Windows-Security-Auditing: (no user):

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-03-02 Thread Casimiro
Thanks. But it doesn't work. It only decodes the srcip field. Attached is the output: **Phase 1: Completed pre-decoding. full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet.

Re: [ossec-list] Re: Windows override Audit Events. Decoder

2017-02-21 Thread dan (ddp)
On Mon, Feb 20, 2017 at 6:08 AM, Casimiro wrote: > Version 2.8 > > Events: > > WinEvtLog: Security: AUDIT_FAILURE(5152): > Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows > Filtering Platform blocked a packet. Application Information: Process ID: 0