I'm reading some alerts out of a syslog from a remote Windows box. OSSEC is not parsing the srcIP or username info out of the syslog entry. Is there any way to have this set by parsing it out within the rule? Here is an example syslog entry:

May 16 10:00:04 10.0.0.2 Security: 538: DOMAIN\joeuser: User Logoff: User Name: joeuser Domain: DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7

I know this would be a lot easier if I just used the Windows agent. That may not be an option, so that's why I'm exploring the syslog avenue.
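In OSSEC the field extraction happens in a decoder, not in a rule: the decoder's regex captures pieces of the message and the `<order>` line assigns them to named fields (user, id, srcip, ...), and rules then match on those fields. The following is an added example for the sample line above; it is not from the original post or from the decoder.xml shipped with OSSEC, and the decoder names, the rule id 100100 and the alert level are assumptions. One caveat the sample line itself shows: a decoder can only assign fields that are present in the message body. Event 538 carries no network address, so there is nothing to map to srcip here; the `10.0.0.2` in the header is the syslog hostname, which OSSEC already stores as the log location. Only events whose text includes a source address (network logons, for instance) can populate srcip.

```xml
<!-- Added example (not OSSEC's shipped decoders). Place in /var/ossec/etc/local_decoder.xml
     or decoder.xml. OSSEC strips the syslog header first, so the program name seen here is
     "Security" and the remaining body is:
     538: DOMAIN\joeuser: User Logoff: User Name: joeuser Domain: DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7 -->

<!-- Parent decoder: selects every message the Windows box forwards with program name "Security". -->
<decoder name="windows-syslog-security">
  <program_name>^Security</program_name>
</decoder>

<!-- Child decoder: extracts event id, account name, domain and logon id.
     OSSEC regex notes: \d+ digits, \S+ run of non-space characters (so it also
     swallows the backslash in DOMAIN\joeuser), \.+ any characters, ( ) capture. -->
<decoder name="windows-syslog-security-logon">
  <parent>windows-syslog-security</parent>
  <prematch>^\d+: \S+: User Log</prematch>
  <regex offset="after_parent">^(\d+): \S+: \.+User Name: (\S+) Domain: (\S+) Logon ID: (\S+) Logon Type: </regex>
  <!-- Captured groups, in order: 538 -> id, joeuser -> user, DOMAIN -> extra_data, (0x0,0x2B7131A) -> data -->
  <order>id, user, extra_data, data</order>
</decoder>

<!-- Added example rule (not from the original post). Place in /var/ossec/rules/local_rules.xml.
     Rule id 100100 and level 5 are assumed values; ids 100000 and up are reserved for local rules. -->
<group name="windows,syslog,">
  <rule id="100100" level="5">
    <decoded_as>windows-syslog-security</decoded_as>
    <id>^538$</id>
    <description>Windows logoff received over syslog.</description>
  </rule>
</group>
```

After adding both files, feed the sample line to `/var/ossec/bin/ossec-logtest` and confirm that the output lists the decoder name, `id: '538'`, `user: 'joeuser'` and `extra_data: 'DOMAIN'` before the rule fires; once the decoder populates `user`, rule elements such as `<user>` and the `User:` line in alerts work for these forwarded events exactly as they do for agent-collected ones.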
