No, not NTsyslog, but I convinced my IT guys to switch to NTsyslog, so that
helps. I found the decoders.xml file shortly after sending this email.
Thanks for the response.
On Tue, May 20, 2008 at 1:59 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Hi Jason,
>
> Are those logs from NTsyslog? They look very similar, except that
> yours is missing the severity of the event (audit
> success, informational, error, etc).
>
> Your log:
> Security: 538: DOMAIN\joeuser: User Logoff: User Name: joeuser Domain:
> DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7
>
> NTsyslog:
> security[success] 528 Domain/user Successful Logon: User Name:user
> Domain:Domain Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon
> Process:User32 Authentication Package:Negotiate Workstation
> Name:Domain Logon GUID: {00000000-0000-0000-0000-000000000000}
>
> You can easily extract any information you want by adding (or
> modifying) any of the decoders at /var/ossec/etc/decoders.xml .
> However, you might want to change your log format to have the severity
> in them, since some event ids have two error codes (failure or
> success) and you wouldn't know it...
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Fri, May 16, 2008 at 12:07 PM, Jason Fischer <[EMAIL PROTECTED]>
> wrote:
> > I'm reading some alerts out of a syslog from a remote Windows box. OSSEC
> > is not parsing the srcIP or username info out of the syslog entry. Is
> > there any way to have this set by parsing it out within the rule? Here
> > is an example syslog entry:
> >
> > May 16 10:00:04 10.0.0.2 Security: 538: DOMAIN\joeuser: User Logoff:
> > User Name: joeuser Domain: DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7
> >
> > I know this would be a lot easier if I just used the Windows agent. That
> > may not be an option, so that's why I'm exploring the syslog avenue.
> >
>
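The following is an added example, not code from this thread or from OSSEC itself. It models in Python what a decoders.xml `<regex>`/`<order>` pair would have to extract from the two log shapes quoted above (Jason's "Security: 538: DOMAIN\user: ..." form and the NTsyslog "security[success] 528 Domain/user ..." form), and it makes Daniel's caveat concrete: on the format without a severity field the same event ID can be a success audit or a failure audit and the decoded record cannot say which. The sample lines, the event IDs in them, the `Event` record and the `is_failed_audit` check are all constructed for this illustration; the field names (`srcip`, `id`, `user`, `status`) are chosen to mirror the names an OSSEC decoder `<order>` uses, but the regexes are Python `re`, not OSSEC decoder syntax.

```python
import re
from typing import NamedTuple, Optional

# Syslog header as the remote Windows box sends it: "Mon DD HH:MM:SS host msg".
# The host token is the srcip Jason wanted; it never appears inside the event text.
SYSLOG_HDR = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<srcip>\S+) (?P<msg>.*)$'
)

# Shape 1 (Jason's box): "Security: 538: DOMAIN\joeuser: User Logoff: ..."
# There is no severity token, so 'status' is never filled for this shape.
PLAIN_FMT = re.compile(
    r'^Security: (?P<id>\d+): (?P<domain>[^\\:]+)\\(?P<user>[^:]+): (?P<desc>[^:]+):'
)

# Shape 2 (NTsyslog): "security[success] 528 Domain/user Successful Logon: ..."
# The bracketed token carries the audit result (success/failure/...).
NTSYSLOG_FMT = re.compile(
    r'^security\[(?P<status>\w+)\] (?P<id>\d+) (?P<domain>[^/ ]+)/(?P<user>\S+) (?P<desc>[^:]+):'
)

# "Logon Type: 7" in shape 1, "Logon Type:2" in shape 2; absent on non-logon events.
LOGON_TYPE = re.compile(r'Logon Type: ?(?P<ltype>\d+)')


class Event(NamedTuple):
    srcip: str
    id: int
    user: str
    domain: str
    status: Optional[str]       # 'success' / 'failure' only when the format carries it
    logon_type: Optional[int]
    desc: str


def decode(line: str) -> Optional[Event]:
    """Split the syslog header off, then try the NTsyslog shape before the plain one."""
    hdr = SYSLOG_HDR.match(line)
    if not hdr:
        return None
    msg = hdr.group('msg')
    m = NTSYSLOG_FMT.match(msg) or PLAIN_FMT.match(msg)
    if not m:
        return None
    lt = LOGON_TYPE.search(msg)
    return Event(
        srcip=hdr.group('srcip'),
        id=int(m.group('id')),
        user=m.group('user'),
        domain=m.group('domain'),
        status=m.groupdict().get('status'),   # None for PLAIN_FMT: no such group
        logon_type=int(lt.group('ltype')) if lt else None,
        desc=m.group('desc').strip(),
    )


def is_failed_audit(ev: Event) -> Optional[bool]:
    """Daniel's caveat as a check: the answer exists only when the log carried
    the audit result. On the severity-less format the same event ID may be a
    success or a failure audit, so the honest result is None, not False."""
    if ev.status is None:
        return None
    return ev.status.lower() != 'success'


# Constructed sample lines (hypothetical IP, user and IDs) in both shapes.
# Lines 3 and 4 use one event ID for a failure audit and for the same event
# on the severity-less format, to show what the second one loses.
SAMPLE = [
    "May 16 10:00:04 10.0.0.2 Security: 538: DOMAIN\\joeuser: User Logoff: "
    "User Name: joeuser Domain: DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7",
    "May 20 13:59:00 10.0.0.2 security[success] 528 DOMAIN/joeuser Successful Logon: "
    "User Name:joeuser Domain:DOMAIN Logon ID:(0x0,0x3A2E471) Logon Type:2 "
    "Logon Process:User32 Authentication Package:Negotiate Workstation Name:WS01 "
    "Logon GUID: {00000000-0000-0000-0000-000000000000}",
    "May 20 14:01:10 10.0.0.2 security[failure] 560 DOMAIN/joeuser Object Open: "
    "Object Server:Security Object Type:File",
    "May 20 14:01:11 10.0.0.2 Security: 560: DOMAIN\\joeuser: Object Open: "
    "Object Server: Security Object Type: File",
]


def decode_all(lines=SAMPLE):
    return [decode(l) for l in lines]


if __name__ == '__main__':
    for ev in decode_all():
        print(ev.srcip, ev.id, ev.domain, ev.user, ev.status, ev.logon_type, ev.desc,
              'failed_audit=%s' % is_failed_audit(ev))
```

Run stand-alone, the two 560 records decode to the same srcip, ID, domain and user, yet only the NTsyslog one yields a definite `is_failed_audit`; that is the information Daniel suggests keeping in the log format before writing rules that alert on failures.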