Hi guys,
Here is my custom decoder.
*****************************************************************************
<decoder name="win2003beta-1">
<parent>windows</parent>
<prematch offset="after_parent">Security: (\w+)\((\d+)\): </prematch>
<regex>Security: </regex>
<regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>
<regex>Caller User Name:\s+(\w+)</regex>
<order>status, id, system_name, extra_data, user</order>
</decoder>
**********************************************************************************
I need to catch the username in the "Caller User Name" field.
When I put this in logtest, the decoder doesn't match anything!
Is the decoder correct?
This is the log:
WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: XXXXXXXXX: User Account Changed: Target Account Name: XXXXX Target Domain: XXXXXXXXXX Target Account ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Caller User Name: USER Caller Domain: XXXXXXXXXXX Caller Logon ID: XXXXXXXXXXXXXXXX Privileges: - Changed Attributes: Sam Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 10/1/2013 4:01:12 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - Sid History: - Logon Hours: -
Please help, and apologies for my bad English.
Regards
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
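Added example, not part of the original post and not OSSEC's own code: a small Python script that reads the posted decoder the way OSSEC's decoder loader does (the text of every <regex> element is joined into one pattern, and only the capture groups of that pattern are mapped, in order, onto the <order> names; prematch groups are never stored), reports which <order> names can never be filled, and then dry-runs the pattern against the posted event re-joined onto one line. The decoder text and the log line are constructed copies of what the post shows. The OSSEC-to-Python regex translation is an approximation (the \w class follows the documented letters/digits set plus '_', and Python's re backtracks more than OSSEC's engine), so a hit here is a necessary check, not a substitute for ossec-logtest.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the decoder from the post, with straight quotes and the
# closing </decoder> tag it needs to parse as XML.
DECODER_XML = r"""
<decoder name="win2003beta-1">
  <parent>windows</parent>
  <prematch offset="after_parent">Security: (\w+)\((\d+)\): </prematch>
  <regex>Security: </regex>
  <regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>
  <regex>Caller User Name:\s+(\w+)</regex>
  <order>status, id, system_name, extra_data, user</order>
</decoder>
"""

# The posted event re-joined onto one line, as the agent delivers it
# (constructed sample; the X runs are the post's own placeholders).
SAMPLE_LOG = (
    "WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: XXXXXXXXX: "
    "User Account Changed: Target Account Name: XXXXX Target Domain: XXXXXXXXXX "
    "Target Account ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX "
    "Caller User Name: USER Caller Domain: XXXXXXXXXXX "
    "Caller Logon ID: XXXXXXXXXXXXXXXX Privileges: - Changed Attributes: "
    "Sam Account Name: - Display Name: - User Principal Name: - Home Directory: - "
    "Home Drive: - Script Path: - Profile Path: - User Workstations: - "
    "Password Last Set: 10/1/2013 4:01:12 PM Account Expires: - Primary Group ID: - "
    "AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - "
    "User Account Control: - User Parameters: - Sid History: - Logon Hours: -"
)

# OSSEC regex escapes -> Python re equivalents. Approximation: \w is taken as
# the documented A-Z, a-z, 0-9 class plus '_'; OSSEC's engine also backtracks
# less than Python's, so a match here is necessary, not sufficient.
_OSSEC_TO_PY = {
    r"\.": ".", r"\w": "[A-Za-z0-9_]", r"\W": "[^A-Za-z0-9_]",
    r"\d": r"\d", r"\D": r"\D", r"\s": r"\s", r"\S": r"\S", r"\t": r"\t",
    r"\p": r"[()*+,\-.:;<=>?\[\]]",
}


def ossec_to_python(pattern):
    """Translate OSSEC regex syntax to Python re: '\\.' is any character,
    a bare '.' is a literal dot, and ( ) | ^ $ + * keep their meaning."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(_OSSEC_TO_PY.get(pattern[i:i + 2], re.escape(pattern[i + 1])))
            i += 2
        elif c in "()|^$+*":
            out.append(c)
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def combined_regex(decoder_xml):
    """OSSEC appends the text of every <regex> element into a single pattern."""
    root = ET.fromstring(decoder_xml)
    return "".join(r.text or "" for r in root.findall("regex"))


def count_capture_groups(ossec_regex):
    """Capture groups are unescaped '('; '\\(' is a literal parenthesis."""
    return len(re.findall(r"(?<!\\)\(", ossec_regex))


def order_fields(decoder_xml):
    return [f.strip() for f in ET.fromstring(decoder_xml).findtext("order").split(",")]


def unfilled_fields(decoder_xml):
    """<order> names with no <regex> group to feed them. Prematch groups never
    count: OSSEC maps only <regex> groups, positionally, onto <order>."""
    n = count_capture_groups(combined_regex(decoder_xml))
    return order_fields(decoder_xml)[n:]


def dry_run(decoder_xml, log_line):
    """Approximate OSSEC: prematch must hit, then regex groups fill <order> in order."""
    root = ET.fromstring(decoder_xml)
    if not re.search(ossec_to_python(root.findtext("prematch")), log_line):
        return None
    m = re.search(ossec_to_python(combined_regex(decoder_xml)), log_line)
    if not m:
        return None
    return dict(zip(order_fields(decoder_xml), m.groups()))


if __name__ == "__main__":
    print("combined regex:", combined_regex(DECODER_XML))
    print("regex groups:", count_capture_groups(combined_regex(DECODER_XML)),
          "order fields:", len(order_fields(DECODER_XML)))
    print("never filled:", unfilled_fields(DECODER_XML))
    print("would decode as:", dry_run(DECODER_XML, SAMPLE_LOG))
```

Run as is, the script shows the structural problem independently of whether the pattern matches: the joined regex has three capture groups while <order> names five fields, so extra_data and user can never be populated, and whatever the third group catches (here the value after "Caller User Name:") is stored as system_name rather than user. The (\w+) and (\d+) in the prematch do not help, since prematch groups are not mapped to <order>.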