Hi Daniel,
Thanks for the info. I've attached a few samples
for you to look at. These are in NTSyslog format.
Thanks,
Jeremy
--- Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Hi Jeremy,
>
> We currently do not have it. Actually, we don't even need to add any
> rules, just a decoder to extract the information we need (user, ids,
> sources, etc). Do you have a few log samples to share with us? We can
> certainly add support for them without too much work...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 11/1/06, Jeremy Lee <[EMAIL PROTECTED]> wrote:
> >
> > Hi all,
> > Just curious if there's a rule that exists which parses for files
> > containing Windows Event Log entries stored in text format/Syslog (by
> > use of programs such as NTSyslog) on a Unix server.
> >
> >
> > Thanks,
> > Jeremy
> >
>
Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
Oct 31 18:02:37 192.168.1.100 security[success] 680 NT AUTHORITY\SYSTEM Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Jeremy Lee Source Workstation: IBM17M Error Code: 0x0
Oct 31 18:02:37 192.168.1.100 security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}
Oct 31 18:02:37 192.168.1.100 security[success] 576 IBM17M\Jeremy Lee Special privileges assigned to new logon: User Name: Domain: Logon ID:(0x0,0x3A2E471) Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege
Oct 31 18:02:39 192.168.1.100 security[success] 682 NT AUTHORITY\SYSTEM Session reconnected to winstation: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x1F5A9C) Session Name:Console Client Name:Unknown Client Address:Unknown
Oct 31 18:02:39 192.168.1.100 security[success] 538 IBM17M\Jeremy Lee User Logoff: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2
Nov 2 17:23:16 192.168.1.100 security[failure] 680 NT AUTHORITY\SYSTEM Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Jeremy Lee Source Workstation: IBM17M Error Code: 0xC000006A
Nov 2 17:23:16 192.168.1.100 security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Reason:Unknown user name or bad password User Name:Jeremy Lee Domain:IBM17M Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M
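A small decoder for the NTSyslog format in the samples above, added here as an illustration and not OSSEC's own decoder code: it splits the syslog header (timestamp, host, log, success/failure, event id) and then pulls the user, logon ids and source workstation out of the message body, which is the information Daniel says a decoder needs. The sample lines are the thread's entries re-joined onto single lines; the key list and the function names are my own assumptions from those samples.

```python
import re

# Constructed samples in the thread's NTSyslog format, re-joined onto single lines.
SAMPLES = [
    "Oct 31 18:02:37 192.168.1.100 security[success] 528 IBM17M\\Jeremy Lee Successful"
    " Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2"
    " Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M"
    " Logon GUID: {00000000-0000-0000-0000-000000000000}",
    "Nov 2 17:23:16 192.168.1.100 security[failure] 680 NT AUTHORITY\\SYSTEM Logon"
    " attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: Jeremy Lee"
    " Source Workstation: IBM17M Error Code: 0xC000006A",
    "Nov 2 17:23:16 192.168.1.100 security[failure] 529 NT AUTHORITY\\SYSTEM Logon"
    " Failure: Reason:Unknown user name or bad password User Name:Jeremy Lee"
    " Domain:IBM17M Logon Type:2 Logon Process:User32 Authentication Package:Negotiate"
    " Workstation Name:IBM17M",
]

# Header layout: "<timestamp> <host> <log>[<status>] <event id> <account and message>".
HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<log>\w+)\[(?P<status>\w+)\] (?P<event_id>\d+) (?P<rest>.*)$")

# Field names seen in the samples, longest first; a value runs until the next key.
KEYS = sorted(["User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
               "Authentication Package", "Workstation Name", "Logon GUID", "Reason",
               "Logon attempt by", "Logon account", "Source Workstation", "Error Code"],
              key=len, reverse=True)
KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in KEYS) + r"):\s*")

def parse_fields(body):
    """Split 'Key:value Key: value ...' into (leading text, {key: value})."""
    hits = list(KEY_RE.finditer(body))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[m.group(1)] = body[m.end():end].strip()
    prefix = body[:hits[0].start()] if hits else body
    return prefix.strip().rstrip(":"), fields

def decode(line):
    """Decode one NTSyslog line into host, event id, status, user and source."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["prefix"], f = parse_fields(ev.pop("rest"))
    # The header's "DOMAIN\user" is not cleanly delimited (user names contain
    # spaces), so user and source are taken from the message's own fields.
    ev["user"] = f.get("User Name") or f.get("Logon account") or ""
    ev["workstation"] = f.get("Workstation Name") or f.get("Source Workstation") or ""
    ev["fields"] = f
    return ev
```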