Noob alert!! I need to make a match with the underlined string within the following log entry (this is an MSSQL Audit event which captures a SELECT command upon a specific table within a given database):
2013 Jun 18 10:34:39 (Win2008-Eval) 10.0.0.9->WinEvtLog WinEvtLog: Application: AUDIT_SUCCESS(33205): MSSQLSERVER: (no user): no domain: WIN-C9JIP9A4KU1: Audit event: event_time:2013-06-18 09:38:02.1701266 sequence_number:1 action_id:SL succeeded:true is_column_permission:true session_id:58 server_principal_id:266 database_principal_id:6 target_server_principal_id:0 target_database_principal_id:0 object_id:869578136 user_defined_event_id:0 class_type:U permission_bitmask:00000000000000000000000000000001 *session_server_principal_name:cr3vm2* server_principal_name:cr3vm2 server_principal_sid:64f982f76fd3cc4aa0b3dc58684bab6e database_principal_name:cr3vm2 target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:WIN-C9JIP9A4KU1 database_name:AdventureWorks2012 schema_name:Sales object_name:CreditCard statement:select top 50 * from Sales.CreditCard additional_information: user_defined_information:

In order to make a match with that string, do I need to write a decoder that contains a prematch tag with a regular expression for all the 4 lines that precede that string?

Thanks,
G.
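As an added example (not code from the original post or from OSSEC itself), here is a Python sketch of the two-stage match a decoder performs on this entry: a short prematch that only recognises the event family, followed by field extraction over the key:value body, so nothing before "Audit event:" has to be spelled out in full. The sample line is a constructed, trimmed copy of the entry above, and the names decode and is_select_on are this example's own.

```python
import re

# Constructed sample: the MSSQL audit event quoted in the post, trimmed to
# the fields this example uses (the real entry carries many more).
SAMPLE = (
    "2013 Jun 18 10:34:39 (Win2008-Eval) 10.0.0.9->WinEvtLog WinEvtLog: "
    "Application: AUDIT_SUCCESS(33205): MSSQLSERVER: (no user): no domain: "
    "WIN-C9JIP9A4KU1: Audit event: event_time:2013-06-18 09:38:02.1701266 "
    "sequence_number:1 action_id:SL succeeded:true session_id:58 "
    "session_server_principal_name:cr3vm2 server_principal_name:cr3vm2 "
    "target_server_principal_name: target_server_principal_sid: "
    "database_name:AdventureWorks2012 schema_name:Sales object_name:CreditCard "
    "statement:select top 50 * from Sales.CreditCard "
    "additional_information: user_defined_information:"
)

# Stage 1, the "prematch": just enough to recognise the event family.
PREMATCH = re.compile(r"MSSQLSERVER: .*?Audit event: ")

# Stage 2: the body is a run of "key:value" pairs separated by spaces.
# Values may be empty or contain spaces and colons (the timestamp, the SQL
# statement), so a value runs until the next " <identifier>:" token. Keys
# must start with a letter or underscore, so "09:38" inside the timestamp
# is not mistaken for a key.
FIELD = re.compile(r"([A-Za-z_]\w*):(.*?)(?=\s[A-Za-z_]\w*:|$)")


def decode(line):
    """Return the audit fields as a dict, or None if the line is not one."""
    m = PREMATCH.search(line)
    if not m:
        return None
    body = line[m.end():]
    return {k: v.strip() for k, v in FIELD.findall(body)}


def is_select_on(fields, database, table):
    """True when the event is a succeeded SELECT (action_id SL) on the table."""
    return (fields is not None
            and fields.get("action_id") == "SL"
            and fields.get("succeeded") == "true"
            and fields.get("database_name") == database
            and fields.get("object_name") == table)
```

The statement field is user-supplied text, so a SQL statement that itself contains " word:" would be split at that point by this simple tokeniser; a rule that keys on it should treat the parsed value as untrusted input.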
