Hello everyone,
I have updated the Windows decoder to extract the src ip for all of the
relevant authentication logs I could find. I tested it on non-domain
member logs from Windows 2000 and 2003, but not Vista, Windows 2008 or
Windows 7. I was hoping for some help in testing to speed up development.
The decoder is here: http://pastebin.com/8Rp6eu2t
To try it out, you'll need to use the OSSEC 2.6 beta and you'll need to
comment out the windows decoder in decoder.xml. Put this decoder in
local_decoder.xml.
Please comment on the following:
- Does everything that did work before still work? *This is the most
important thing*
- Does it decode the IP properly where necessary?
- Does it decode the IP in Vista, Windows 2008 and Windows 7? If not,
please provide some sanitized log samples so I can update it.
Thanks for the help.
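For readers who want to see what "extracting the src ip" from a Windows authentication event looks like in OSSEC decoder syntax, here is an added example. It is not the decoder from the pastebin link above (that one replaces the stock windows decoder outright); instead it takes the other common route and hangs a child decoder off OSSEC's stock "windows" decoder, so nothing in decoder.xml has to be commented out. The decoder name, the host/user names and the address in the sample line are made up for the example.

```xml
<!-- Added example (not the author's pastebin decoder): a child of the stock
     "windows" decoder that pulls the client address out of the
     "Source Network Address:" field of a logon event. Drop it into
     local_decoder.xml; the parent decoder in decoder.xml stays enabled and
     keeps decoding the event id, status and user as before. -->
<decoder name="windows-auth-srcip-example">
  <parent>windows</parent>
  <!-- Only events that actually carry the field reach the regex below,
       so events without a network source are left untouched. -->
  <prematch>Source Network Address: </prematch>
  <!-- OSSEC regex syntax: \d+ is one or more digits, the dots are literal
       and the parentheses capture the value named in <order>. -->
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

<!-- Constructed sample line in the format the OSSEC Windows agent forwards
     for a failed logon on Windows 2000/2003 (event 529); every name and
     address in it is invented for this example:
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: WKS01: Logon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: WKS01 Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: LAPTOP1 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 192.168.1.50 Source Port: 1234
-->
```

To test a decoder like this without a live agent, paste the sample line into /var/ossec/bin/ossec-logtest: phase 2 of its output should list srcip as 192.168.1.50 alongside the fields the parent decoder already produced (the 529 id, AUDIT_FAILURE status and jdoe user), and phase 3 should show the same rule firing as before. Checking those three things against a handful of pre-change log samples is exactly the regression test the first question above asks for; for Vista/2008/7 samples, the field is also named "Source Network Address" in the 4625 failed-logon event, so the same prematch applies once the parent decoder accepts the newer header.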