Perfect. You found the source of my cumulative problems. Thanks

Summary: So I had 2 'issues':

1. Syslog format (duplicate host, IP and Name) - Must *CHECK* "Enable SYSLOG Header?" in Snare. - p22
2. Wrong supported separator format ";" versus TAB (for Ossec) - p23

More technical details and response in this RTFM ( http://www.snare-server.com/docs/Guide_to_Snare_for_Windows-2.8.pdf )

Note: Appendix C of the .pdf - "Objectives and security event IDs" is really interesting.

*Thanks all for your help.*

Kind regards
Js.

On Dec 29, 9:31 pm, Christopher Moraes <[email protected]> wrote:
> Hi,
>
> On Tue, Dec 28, 2010 at 5:53 AM, Js Opdebeeck <[email protected]>
> wrote:
>
> > Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;Tue: Dec 28
> > 06:54:34 2010;680;Security;DOMAINUSER;User;Success
> > Audit;ADSERVER;Account Logon;;Logon attempt by:
> > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER
> > Source Workstation: DOMAINSTATION Error Code: 0x0 ;
> > 23866818
>
> The field separator that SNARE is using is ";". The OSSEC decoder expects
> it to be a tab character. There should be some setting in SNARE that will
> allow you to change it to the tab character.
>
> Regards,
> Chris
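The separator mismatch discussed in this thread, as an added example that is not part of the original posts and is not Snare's or OSSEC's own code: it detects whether a Snare MSWinEventLog record uses tab or ";" after the marker, splits it into named fields, and re-emits it tab-separated for the OSSEC decoder. The sample record is the one quoted above, rejoined onto a single line; the field names are assumed from the layout Snare documents and are this example's own naming. The parser also handles the failure mode that makes ";" a poor separator in the first place: a ";" inside the free-text "expanded" field, which it tolerates by counting the fixed fields from the front and the checksum from the back.

```python
"""Parse Snare-for-Windows MSWinEventLog records and re-emit them tab-separated."""

# Constructed sample: the ';'-separated record quoted in the thread, rejoined
# onto one line (the mail client wrapped it), syslog header included.
SEMICOLON_LINE = (
    "Dec 28 06:54:36 1.1.1.1 MSWinEventLog;1;Security;23875316;"
    "Tue: Dec 28 06:54:34 2010;680;Security;DOMAINUSER;User;Success Audit;"
    "ADSERVER;Account Logon;;Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: DOMAINUSER "
    "Source Workstation: DOMAINSTATION Error Code: 0x0 ;23866818"
)

MARKER = "MSWinEventLog"

# Field names following the marker. Assumed from the layout Snare documents;
# the naming here is this example's own, not Snare's or OSSEC's.
FIXED_FIELDS = [
    "criticality", "source_log", "snare_counter", "datetime", "event_id",
    "source_name", "user", "sid_type", "event_log_type", "computer",
    "category", "data",
]
ALL_FIELDS = FIXED_FIELDS + ["expanded", "checksum"]


def detect_separator(line):
    """Return the character Snare placed right after the MSWinEventLog marker.

    Only tab and ';' are accepted; anything else is not a layout we know how
    to convert into the tab-separated form the OSSEC decoder expects.
    """
    idx = line.find(MARKER)
    if idx < 0 or idx + len(MARKER) >= len(line):
        raise ValueError("not a Snare MSWinEventLog record")
    sep = line[idx + len(MARKER)]
    if sep not in ("\t", ";"):
        raise ValueError("unsupported field separator %r" % sep)
    return sep


def parse_snare(line):
    """Split a record into named fields.

    The 12 fixed fields are counted from the front and the checksum from the
    back, so a separator character inside the free-text 'expanded' field does
    not shift the remaining columns.
    """
    sep = detect_separator(line)
    header, _, payload = line.partition(MARKER + sep)
    parts = payload.split(sep, len(FIXED_FIELDS))
    if len(parts) != len(FIXED_FIELDS) + 1:
        raise ValueError("too few fields: %d" % len(parts))
    expanded, found, checksum = parts[-1].rpartition(sep)
    if not found:
        raise ValueError("checksum field missing")
    record = {name: value.strip() for name, value in zip(FIXED_FIELDS, parts[:-1])}
    record["expanded"] = expanded.strip()
    record["checksum"] = checksum.strip()
    record["separator"] = sep
    record["syslog_header"] = header.strip()
    return record


def to_tab_separated(record):
    """Re-emit a parsed record with the tab separator the OSSEC decoder expects."""
    values = [record[name] for name in ALL_FIELDS]
    if any("\t" in v for v in values):
        raise ValueError("a field already contains a tab; cannot re-separate safely")
    prefix = record["syslog_header"] + " " if record["syslog_header"] else ""
    return prefix + MARKER + "\t" + "\t".join(values)


if __name__ == "__main__":
    rec = parse_snare(SEMICOLON_LINE)
    print("separator seen: %r" % rec["separator"])
    print("event %s for %s on %s" % (rec["event_id"], rec["user"], rec["computer"]))
    print(to_tab_separated(rec))
```

Running it on the quoted record reports the ";" separator and prints the same event tab-separated; feeding that output to a tab-expecting decoder is the same outcome as switching the separator in Snare itself, which is the proper fix, but the converter is handy for checking a capture before and after the change.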
