You could turn on the <log_all> option to check if the full event is being received. I don't know much about Windows events, but I'm wondering if the number in "AUDIT_SUCCESS(33205)" is unique to an authentication success or if it is unique per log event. If it's a logon successful type of ID, it might be useful in your rule.
2010/7/15 Branimir Pačar <[email protected]>:
> Hi,
>
> I've created a new rule for monitoring logon actions on SQL Server 2008. The OS
> is Windows Server 2008. I'm using OSSEC server/agent 2.3.
>
> Here is the rule:
>
> <rule id="101041" level="3">
>   <if_sid>18104</if_sid>
>   <id>^33205</id>
>   <description>MS SQL Server 2008 Logon Success.</description>
>   <group>authentication_success,</group>
> </rule>
>
> The problem occurs when the log is processed. I get an alert that there was a
> successful logon, but the full log entry isn't complete. This is the part of the
> log that is processed:
>
> WinEvtLog: Security: AUDIT_SUCCESS(33205): MSSQLSERVER$AUDIT: someUser: XXX:
> location: event_time:2010-07-14 13:23:01.4242722
>
> As you can see, I miss all the additional data from the event log that I can see
> through Event Viewer, like database name, object, statement ... I don't know how
> OSSEC extracts and parses logs from the event log, but I think the problem may
> be there.
>
> The thing is that on another system, where SQL Server 2008 is installed on Windows
> Server 2003, I get the full log with all additional info. This lack of
> information only happens if SQL Server 2008 is installed on Windows Server
> 2008.
>
> Could it be that when the agent collects and parses (or however it extracts data
> from the event log) it does not compile the log into one line but leaves it as
> multiple lines, and then OSSEC treats it like two or more logs? To confirm my
> doubts I created another decoder and rule that would trigger on the part of the
> log that is supposed to come after this first part.
>
> For example, this is the event log:
>
> TimeGenerated: 5/19/2008 9:23:31 PM
> EntryType: SuccessAudit
> EventID: 33205
> Message:Audit event: event_time:2008-05-20 02:23:30.8759296
> sequence_number:1
> action_id:G
> succeeded:true
> permission_bitmask:4194304
> ......
>
> The first part of the log (till sequence_number) is decoded and it triggers the
> rule, so I created a decoder for the sequence_number part of the log (which I
> believe is treated as another log). Here is the new decoder and rule:
>
> <decoder name="SQL2008test">
>   <prematch>sequence_number</prematch>
>   <regex offset="after_prematch">:(\d) \.*</regex>
>   <order>id</order>
> </decoder>
>
> Id is for me to test something.
>
> <rule id="xxxxxx" level="1">
>   <decoded_as>SQL2008test</decoded_as>
>   <description>Rest of SQL 2008 log!</description>
> </rule>
>
> After a restart I had alerts that triggered on the following log:
> sequence_number:1
>
> So that is why I think that the agent is not processing event logs in the right
> way. But if I'm wrong and it is not a problem in version 2.3, could someone
> please help me solve the problem.
>
> Thank you,
> Branimir
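The splitting Branimir suspects, shown as an added example that is not part of this thread or of OSSEC itself: the constructed lines below stand in for what a line-oriented collector would hand to the decoder, and joining each bare `key:value` continuation line onto the header before it recovers the whole 33205 event, so that a check on `succeeded:true` (which lives in the body, not the header) becomes possible. The header field order used in the regex (log, type(id), source, user, domain, system, body) is my assumption.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the event quoted in the thread: one header line
# followed by continuation lines that the agent forwarded as separate entries.
SAMPLE_LINES = [
    "WinEvtLog: Security: AUDIT_SUCCESS(33205): MSSQLSERVER$AUDIT: someUser: XXX: "
    "location: event_time:2010-07-14 13:23:01.4242722",
    "sequence_number:1",
    "action_id:G",
    "succeeded:true",
    "permission_bitmask:4194304",
    "WinEvtLog: Security: AUDIT_SUCCESS(33205): MSSQLSERVER$AUDIT: otherUser: XXX: "
    "location: event_time:2010-07-14 13:25:10.0000000",
    "sequence_number:1",
    "succeeded:false",
]

# Header field order (log, type(id), source, user, domain, system, body) is assumed.
HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<log>[^:]+): (?P<type>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system>[^:]+): (?P<rest>.*)$"
)
KV_RE = re.compile(r"^(?P<key>[A-Za-z_]+):(?P<value>.*)$")


def reassemble_events(lines: List[str]) -> List[Dict[str, str]]:
    """Attach each key:value continuation line to the header that precedes it."""
    events: List[Dict[str, str]] = []
    for line in lines:
        header = HEADER_RE.match(line)
        if header:
            event = {k: v for k, v in header.groupdict().items() if k != "rest"}
            kv = KV_RE.match(header.group("rest"))
            if kv:
                event[kv.group("key")] = kv.group("value")
            events.append(event)
            continue
        kv = KV_RE.match(line)
        if kv and events:
            # Continuation, not a new event: seen alone, this is the bare
            # "sequence_number:1" that the poster's second decoder matched.
            events[-1][kv.group("key")] = kv.group("value")
    return events


def successful_sql_logons(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only a reassembled event can be checked for succeeded:true in its body."""
    return [e for e in events if e.get("id") == "33205" and e.get("succeeded") == "true"]
```

Run against the sample, the two headers become two events carrying their body fields, and only the first qualifies as a successful logon; a rule keyed on the header alone would have fired for both.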
