Hi Jason,
Are those logs from NTsyslog? They look very similar, except that
yours is missing the severity of the event (audit
success, informational, error, etc).
Your log:
Security: 538: DOMAIN\joeuser: User Logoff: User Name: joeuser Domain:
DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7
NTsyslog:
security[success] 528 Domain/user Successful Logon: User Name:user
Domain:Domain Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon
Process:User32 Authentication Package:Negotiate Workstation
Name:Domain Logon GUID: {00000000-0000-0000-0000-000000000000}
You can easily extract any information you want by adding (or
modifying) any of the decoders at /var/ossec/etc/decoders.xml .
However, you might want to change your log format to have the severity
in them, since some event ids have two error codes (failure or
success) and you wouldn't know it...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, May 16, 2008 at 12:07 PM, Jason Fischer <[EMAIL PROTECTED]> wrote:
> I'm reading some alerts out of a syslog from a remote windows box. OSSEC is
> not parsing the srcIP or username info out of the syslog entry. Is there
> any way to have this set by parsing it out within the rule? Here is an
> example syslog entry:
>
> May 16 10:00:04 10.0.0.2 Security: 538: DOMAIN\joeuser: User Logoff: User
> Name: joeuser Domain: DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7
>
> I know this would be a lot easier if I just used the windows agent. That may
> not be an option, so that's why I'm exploring the syslog avenue.
>
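A decoder and rule for the exact line Jason posted, written here as an added example (it is not from the OSSEC distribution and not something Daniel supplied). The decoder and rule names, the rule id 100100, and the placement in local_decoder.xml / local_rules.xml are my choices. It assumes that OSSEC's syslog pre-decoder has already stripped the "May 16 10:00:04 10.0.0.2" header and set the program name to "Security", leaving the decoder the text that starts at "538:". Note that the sender address lives only in that syslog header, not in the message body, so there is nothing in the body for a srcip capture to pick up.

```xml
<!-- Added example, not part of OSSEC. Decoder section goes in
     /var/ossec/etc/local_decoder.xml, rule section in
     /var/ossec/rules/local_rules.xml (assumed local-override files).
     Assumption: after pre-decoding, program_name is "Security" and the
     log text seen by the decoder is
       538: DOMAIN\joeuser: User Logoff: User Name: joeuser Domain: DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7
-->

<decoder name="windows-syslog-fwd">
  <program_name>^Security|^Application|^System</program_name>
</decoder>

<decoder name="windows-syslog-fwd-logon">
  <parent>windows-syslog-fwd</parent>
  <!-- only the "User Logon/Logoff" bodies; other event ids have different bodies -->
  <prematch>^\d+: \S+: User Log</prematch>
  <!-- OSSEC regex, not PCRE: \d digits, \w alnum/_/-, \S non-space,
       \.+ any run of characters, ( ) a capture. The DOMAIN\joeuser token
       is skipped with \S+ and the names are taken from the labelled
       "User Name:" / "Domain:" fields instead.
       Captures in order: event id, action, user, domain, logon type. -->
  <regex>^(\d+): \S+: (\.+): User Name: (\w+) Domain: (\w+) Logon ID: \S+ Logon Type: (\d+)$</regex>
  <!-- domain -> extra_data and logon type -> status are arbitrary
       mappings onto OSSEC's fixed field names -->
  <order>id, action, user, extra_data, status</order>
</decoder>

<!-- rule section: fire on the decoded event id; the decoded id alone
     carries no audit type, which is Daniel's point about adding the
     severity to the forwarded format -->
<group name="windows,syslog,">
  <rule id="100100" level="3">
    <decoded_as>windows-syslog-fwd</decoded_as>
    <id>^538$</id>
    <description>Windows user logoff forwarded via syslog.</description>
  </rule>
</group>
```

To check the result before restarting the server, paste the original line (with its syslog header) into /var/ossec/bin/ossec-logtest; the phase 2 output should list the decoder name and the id, action, user, extra_data and status fields, and phase 3 should show rule 100100 matching.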