Hi,

I am trying to use OSSEC to monitor some important events in
our Windows server environment.

The default decoder for windows events reads:

<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

When I feed the log entry below to ossec-logtest, it states that no
decoder matches.
Log:
2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices.

Logtest output:
2010/03/31 11:57:26 ossec-testrule: INFO: Started (pid: 22656).
ossec-testrule: Type one log per line.

2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices.


**Phase 1: Completed pre-decoding.
       full event: '2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices. '
       hostname: 'hzlnx01'
       program_name: '(null)'
       log: '2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: Citrix Presentation Server has entered the grace period. You have 840 hour(s) remaining before this server stops accepting connections from client devices. '

**Phase 2: Completed decoding.
       No decoder matched.

Some questions:
1. What is wrong with the log? Should I create a custom decoder for
it?
2. Provided we can solve the above, can I use the fields status, id,
etc. in my rules?

Any hints or assistance that lead to my understanding this better will
be greatly appreciated :)

Bart Van der Avort


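An added example, not part of the post above and not OSSEC's own code: a small Python re-implementation of the quoted "windows" decoder, run against the posted line. The Phase 1 output shows why nothing matched: ossec-logtest treats the whole pasted line as the log, so it still carries the "2010 Mar 22 ... 99.99.99.99->WinEvtLog " archive prefix, and the anchored `<prematch>^WinEvtLog: ` cannot match at the start. Fed the message from "WinEvtLog: " onward, the same decoder yields the five `<order>` fields (status, id, extra_data, user, system_name), which rules can test with tags such as `<id>` and `<status>`. The Python regexes are an approximation of OSSEC's own dialect (`\.` is any character there, and its engine stops at the first ": " that lets the rest of the pattern match, which non-greedy `.+?` reproduces here); the archive-prefix pattern and all function names are this example's assumptions.

```python
import re

# Approximate Python translation of the OSSEC "windows" decoder quoted in
# the post. OSSEC's \. (any char) becomes Python's ., and non-greedy .+?
# stands in for OSSEC's "shortest match that lets the rest succeed".
PREMATCH = re.compile(r'^WinEvtLog: ')
REGEX1 = re.compile(r'^.+?: (\w+)\((\d+)\): (.+?): ')   # offset="after_prematch"
REGEX2 = re.compile(r'(.+?): .+?: (\S+): ')              # continues after REGEX1
ORDER = ('status', 'id', 'extra_data', 'user', 'system_name')

# Constructed sample: the line exactly as pasted into ossec-logtest, still
# carrying the "timestamp (agent) ip->location " archive prefix.
ARCHIVE_LINE = (
    '2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog '
    'WinEvtLog: System: WARNING(9015): MetaFrame: (no user): no domain: '
    'SERVER01: Citrix Presentation Server has entered the grace period. '
    'You have 840 hour(s) remaining before this server stops accepting '
    'connections from client devices.'
)

# Assumed layout of the archive prefix seen in the "full event" line
# (OSSEC itself never parses this; it is what logtest was handed by mistake).
ARCHIVE_PREFIX = re.compile(
    r'^\d{4} [A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d \(\S+\) \S+->\S+ ')


def decode_windows(log):
    """Apply the decoder the way OSSEC does: prematch first, then each
    <regex> in turn, each starting where the previous one stopped.
    Returns a dict keyed by <order>, or None when the decoder fails."""
    m = PREMATCH.search(log)
    if m is None:
        return None                      # prematch must hit at offset 0
    rest = log[m.end():]
    m1 = REGEX1.search(rest)
    if m1 is None:
        return None
    rest = rest[m1.end():]
    m2 = REGEX2.search(rest)
    if m2 is None:
        return None
    return dict(zip(ORDER, m1.groups() + m2.groups()))


def strip_archive_prefix(line):
    """Drop the archive prefix so the message starts at 'WinEvtLog: '."""
    return ARCHIVE_PREFIX.sub('', line, count=1)


if __name__ == '__main__':
    print('as pasted      :', decode_windows(ARCHIVE_LINE))
    print('prefix stripped:', decode_windows(strip_archive_prefix(ARCHIVE_LINE)))
```

Running it shows `None` for the line as pasted and a full field dict once the prefix is removed; the practical check is therefore to paste only the part starting at "WinEvtLog: " into ossec-logtest (or use the agent's live events), rather than to write a custom decoder.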