<decoder name="win2k3beta-1">
  <parent>windows</parent>
  <prematch>Security: </prematch>
  <regex offset="after_prematch">^(\S+)\p(\d+)\p: (\S+): \S+: \S+: (\S+): </regex>
  <order>status, id, extra_data, system_name</order>
</decoder>

<decoder name="win2k3beta-1">
  <parent>windows</parent>
  <regex>Caller User Name: (\S+) </regex>
  <order>user</order>
</decoder>



On Tue, Oct 1, 2013 at 8:36 PM, Leonel Algaré <[email protected]> wrote:
> Hi guys,
>
> Here is my Custom decoder.
>
> *****************************************************************************
>
> <decoder name="win2003beta-1">
>   <parent>windows</parent>
>   <prematch offset="after_parent">Security: (\w+)\((\d+)\): </prematch>
>   <regex>Security: </regex>
>   <regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>
>   <regex>Caller User Name:\s+(\w+)</regex>
>   <order>status, id, system_name, extra_data, user</order>
> </decoder>
>
> **********************************************************************************
>
> I need to catch the username in the "Caller User Name" field.
>
>
> When I put this in logtest, the decoder doesn't match anything!
>
>
> Is the decoder correct?
>
> This is the log:
>
> WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: XXXXXXXXX:
> User Account Changed:                 Target Account Name: XXXXX      Target
> Domain: XXXXXXXXXX           Target Account ID:
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX             Caller User Name: USER
> Caller Domain: XXXXXXXXXXX           Caller Logon ID: XXXXXXXXXXXXXXXX
> Privileges: -    Changed Attributes:                 Sam Account Name: -
> Display Name: -              User Principal Name: -             Home
> Directory: -            Home Drive: -                Script Path: -
> Profile Path: -              User Workstations: -               Password
> Last Set: 10/1/2013 4:01:12 PM                Account Expires: -
> Primary Group ID: -                AllowedToDelegateTo: -              Old
> UAC Value: -             New UAC Value: -                 User Account
> Control: -            User Parameters: -           Sid History: -
> Logon Hours: -
>
>
> Please help, and apologies for my bad English.
>
>
> Regards
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.

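To sanity-check the reply's two sibling decoders against the poster's event before loading them into ossec-logtest, here is an added Python example (not from the thread and not OSSEC's own code) that translates the OSSEC regex classes used on this page into Python `re` and emulates the prematch/regex/order steps. The class mapping, the `windows` parent being treated as already matched, and the single-line sample log are assumptions.

```python
import re

# Constructed single-line copy of the event quoted in the post (the e-mail wrapped it;
# the XXXXX values are the poster's own redactions and USER the caller account).
SAMPLE_LOG = (
    "WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: XXXXXXXXX: "
    "User Account Changed:   Target Account Name: XXXXX   Target Domain: XXXXXXXXXX   "
    "Caller User Name: USER   Caller Domain: XXXXXXXXXXX   Privileges: -"
)

# Assumed mapping of the OSSEC regex classes seen on this page onto Python `re`
# (\p = OSSEC's punctuation class, \. = any character); an approximation, not OSSEC's engine.
_OSSEC_CLASSES = {
    r"\w": r"[A-Za-z0-9@_\-]", r"\d": r"[0-9]", r"\s": r" ", r"\S": r"[^ ]", r"\.": r".",
    r"\p": "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&{}|") + "]",
}


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC decoder regex into an equivalent Python pattern."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):          # \w \d \s \S \p \. escapes
            out.append(_OSSEC_CLASSES.get(pattern[i:i + 2], re.escape(pattern[i + 1])))
            i += 2
            continue
        if ch == ".":
            out.append(r"\.")          # an unescaped dot is a literal dot in OSSEC
        elif ch in "()+*^$|":
            out.append(ch)             # same meaning in both dialects
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def decode_win2k3beta(log: str) -> dict:
    """Emulate the reply's two sibling decoders (the 'windows' parent is assumed matched)."""
    fields = {}
    # Decoder 1: <prematch>Security: </prematch>, regex applied after the prematch.
    pm = re.search(ossec_to_python("Security: "), log)
    if pm:
        m = re.search(ossec_to_python(r"^(\S+)\p(\d+)\p: (\S+): \S+: \S+: (\S+): "),
                      log[pm.end():])
        if m:
            fields.update(zip(["status", "id", "extra_data", "system_name"], m.groups()))
    m = re.search(ossec_to_python(r"Caller User Name: (\S+) "), log)   # Decoder 2
    if m:
        fields["user"] = m.group(1)
    return fields
```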