I'm working with NTSyslog now, but the log format looks nothing like what the decoder is expecting. Here is a sample:

May 21 13:59:19 10.0.0.1 NT: <Security;F529;NT AUTHORITY\SYSTEM> Logon Failure: Reason:Unknown user name or bad password User Name:joebob Domain:BOBDOMAIN Logon Type:2 Logon Process:Advapi Authentication Package:Negotiate Workstation Name:JOEBOB-LAPTOP

Am I using the wrong ntsyslog, or did they change the log format without you guys noticing? I downloaded it from http://ntsyslog.sourceforge.net/

On Tue, May 20, 2008 at 3:35 PM, Jason Fischer <[EMAIL PROTECTED]> wrote:
> No, not NTsyslog, but I convinced my IT guys to switch to NTsyslog, so that
> helps. I found the decoders.xml file shortly after sending this email.
> Thanks for the response.
>
> On Tue, May 20, 2008 at 1:59 PM, Daniel Cid <[EMAIL PROTECTED]> wrote:
>>
>> Hi Jason,
>>
>> Are those logs from NTsyslog? They look very similar, except that
>> yours is missing the severity of the event (audit
>> success, informational, error, etc).
>>
>> Your log:
>> Security: 538: DOMAIN\joeuser: User Logoff: User Name: joeuser Domain:
>> DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7
>>
>> NTsyslog:
>> security[success] 528 Domain/user Successful Logon: User Name:user
>> Domain:Domain Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon
>> Process:User32 Authentication Package:Negotiate Workstation
>> Name:Domain Logon GUID: {00000000-0000-0000-0000-000000000000}
>>
>> You can easily extract any information you want by adding (or
>> modifying) any of the decoders at /var/ossec/etc/decoders.xml .
>> However, you might want to change your log format to have the severity
>> in them, since some event ids have two error codes (failure or
>> success) and you wouldn't know it...
>>
>> Hope it helps.
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Fri, May 16, 2008 at 12:07 PM, Jason Fischer <[EMAIL PROTECTED]> wrote:
>> > I'm reading some alerts out of a syslog from a remote windows box. OSSEC is
>> > not parsing the srcIP or username info out of the syslog entry. Is there
>> > any way to have this set by parsing it out within the rule? Here is an
>> > example syslog entry:
>> >
>> > May 16 10:00:04 10.0.0.2 Security: 538: DOMAIN\joeuser: User Logoff: User
>> > Name: joeuser Domain: DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7
>> >
>> > I know this would be a lot easier if I just used the windows agent. That may
>> > not be an option, so that's why I'm exploring the syslog avenue.
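The extraction Daniel describes for decoders.xml, prototyped here in Python as an added example that is not part of the thread or of OSSEC or NTsyslog: it recognises the three header formats quoted above (the newer `NT: <Security;F529;actor>` header, the older `security[success] 528 actor` header, and the bare `Security: 538:` header), pulls out the srcip, user, domain and logon type that a decoder's `<order>` would carry, and makes the severity gap he points out visible (the bare format yields no success/failure status at all). Reading the `F` in `F529` as a failure audit and `S` as success is an assumption drawn from the sample, and the key list is limited to the field names that appear in the thread; the sample lines are constructed.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the three header formats quoted in the
# thread (not real events): the newer NTsyslog "<Facility;F529;actor>" header,
# the older "security[success] 528 actor" header, and the bare "Security: 538:"
# header that carries no severity at all.
SAMPLES = [
    "May 21 13:59:19 10.0.0.1 NT: <Security;F529;NT AUTHORITY\\SYSTEM> Logon Failure: "
    "Reason:Unknown user name or bad password User Name:joebob Domain:BOBDOMAIN "
    "Logon Type:2 Logon Process:Advapi Authentication Package:Negotiate "
    "Workstation Name:JOEBOB-LAPTOP",
    "May 16 10:00:04 10.0.0.2 Security: 538: DOMAIN\\joeuser: User Logoff: "
    "User Name: joeuser Domain: DOMAIN Logon ID: (0x0,0x2B7131A) Logon Type: 7",
    "May 16 10:01:00 10.0.0.2 security[success] 528 Domain/user Successful Logon: "
    "User Name:user Domain:Domain Logon ID:(0x0,0x3A2E471) Logon Type:2 "
    "Logon Process:User32 Authentication Package:Negotiate Workstation Name:Domain "
    "Logon GUID: {00000000-0000-0000-0000-000000000000}",
]

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
HEADERS = [
    # <Security;F529;NT AUTHORITY\SYSTEM>: the letter before the event id is
    # read as the audit outcome (F = failure, S = success). This is an
    # assumption based on the sample, not something the thread states.
    re.compile(TS + r" (?P<srcip>\S+) NT: <(?P<facility>[^;]+);"
               r"(?P<sev>[A-Z]?)(?P<eventid>\d+);(?P<actor>[^>]*)> (?P<body>.*)$"),
    # security[success] 528 Domain/user ...
    re.compile(TS + r" (?P<srcip>\S+) (?P<facility>\w+)\[(?P<sev>\w+)\] "
               r"(?P<eventid>\d+) (?P<actor>\S+) (?P<body>.*)$"),
    # Security: 538: DOMAIN\joeuser: ...   (no severity field at all)
    re.compile(TS + r" (?P<srcip>\S+) (?P<facility>\w+): (?P<eventid>\d+): "
               r"(?P<actor>[^:]*): (?P<body>.*)$"),
]
SEVERITY = {"F": "failure", "S": "success", "failure": "failure", "success": "success"}

# Field names seen in the quoted events. Matching against a fixed list (longest
# first) avoids mistaking a capitalised value such as "Domain:Domain" for a key.
FIELD_KEYS = sorted(
    ["User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
     "Authentication Package", "Workstation Name", "Logon GUID", "Reason"],
    key=len, reverse=True)
FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in FIELD_KEYS) + r"):\s*")


def parse_fields(rest: str) -> dict:
    """Split 'Key:value Key: value ...' into a dict; a value runs up to the next key."""
    out = {}
    matches = list(FIELD_RE.finditer(rest))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(rest)
        out[m.group(1)] = rest[m.end():end].strip()
    return out


def parse_event(line: str) -> Optional[dict]:
    """Normalise one syslog line from any of the three formats; None if no header matches."""
    for header in HEADERS:
        m = header.match(line)
        if m:
            break
    else:
        return None
    h = m.groupdict()
    # The body starts with the event description ("Logon Failure"), then the fields.
    description, _, rest = h["body"].partition(":")
    fields = parse_fields(rest)
    return {
        "timestamp": h["ts"],
        "srcip": h["srcip"],
        "facility": h["facility"].lower(),
        "eventid": int(h["eventid"]),
        # None when the format carries no severity: this is the gap Daniel
        # describes, where the same event id can mean success or failure.
        "status": SEVERITY.get(h.get("sev") or ""),
        "actor": h["actor"],
        "description": description.strip(),
        "user": fields.get("User Name"),
        "domain": fields.get("Domain"),
        "logon_type": fields.get("Logon Type"),
        "workstation": fields.get("Workstation Name"),
        "fields": fields,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        ev = parse_event(sample)
        print(f"{ev['eventid']} status={ev['status']} srcip={ev['srcip']} "
              f"user={ev['domain']}\\{ev['user']} logon_type={ev['logon_type']}")
```

To carry this into OSSEC, each header pattern becomes the `<prematch>`/`<regex>` of a custom decoder in /var/ossec/etc/decoders.xml (rewritten in OSSEC's own regex dialect) with `srcip` and `user` named in its `<order>`; the prototype is only there to confirm what each format does and does not let you recover before committing to a decoder, and the `None` status on the bare format is the reason to keep the severity in the log as Daniel suggests.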
