Here is an updated Windows decoder that I have been using. I haven't released it officially yet since it hasn't been fully tested. Give it a try:

<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
</decoder>

<!-- prematch on Security log when decoding IPs to reduce log injection risk -->
<decoder name="windows-security">
  <type>windows</type>
  <parent>windows</parent>
  <prematch offset="after_parent">Security: </prematch>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<decoder name="windows-security">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">Source Network Address: (\d+.\d+.\d+.\d+)\s+Source Port: (\d+)</regex>
  <order>srcip, srcport</order>
</decoder>

<decoder name="windows-security">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">orkstation\s*\w*: \\\\(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-security">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_regex">Client Address: (\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows-general">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>
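To see what the windows-security chain above actually pulls out of a line, here is an added Python model (not OSSEC code and not part of this thread) that translates those decoder regexes into Python's dialect and runs them on constructed log lines. It assumes OSSEC's usual semantics: `\.` is any character, `.` a literal dot, a `+` or `*` stops at the first point where the rest of the pattern fits, and `\w` is approximated as `[A-Za-z0-9_@-]`; only the windows-security decoders are modelled, not windows-general.

```python
import re

# Constructed agent log lines (placeholder users and hosts, not from a real system)
LOG_642 = ("WinEvtLog: Security: AUDIT_SUCCESS(642): Security: admin1: CORP: DC01: "
           "User Account Changed: Target Account Name: bob Caller User Name: alice")
LOG_528 = ("WinEvtLog: Security: AUDIT_SUCCESS(528): Security: jdoe: CORP: WS01: "
           "Successful Logon: Workstation Name: WS01 "
           "Source Network Address: 10.0.0.5 Source Port: 51234")

def ossec_to_python(pattern):
    """Translate OSSEC regex syntax to Python: '\\.' is any char, '.' a literal dot,
    '\\w' OSSEC's word class (assumed [A-Za-z0-9_@-]), '\\p' punctuation; '+' and '*'
    become lazy unless they end the pattern, mimicking OSSEC's stop-at-first-fit match."""
    def tr(m):
        esc, tok = m.group(1), m.group(0)
        if esc:                                   # backslash escape
            return {".": ".", "w": "[A-Za-z0-9_@-]", "p": r"[^\w\s]"}.get(esc, tok)
        if tok == ".":
            return r"\."
        return tok if pattern[m.end():].rstrip(")$") == "" else tok + "?"
    return re.sub(r"\\(.)|[.+*]", tr, pattern)

# The two <regex> lines of the first windows-security decoder concatenate into one
HEADER = re.compile(ossec_to_python(r"^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): "))
HEADER_ORDER = ["status", "id", "extra_data", "user", "system_name"]
# The three follow-on windows-security decoders (offset="after_regex"), tried in order
ADDRESS = [
    (r"Source Network Address: (\d+.\d+.\d+.\d+)\s+Source Port: (\d+)", ["srcip", "srcport"]),
    (r"orkstation\s*\w*: \\\\(\d+.\d+.\d+.\d+)", ["srcip"]),
    (r"Client Address: (\d+.\d+.\d+.\d+)", ["srcip"]),
]

def decode(log):
    """Run the windows -> windows-security chain; {} means a prematch or regex failed."""
    parent, child = "WinEvtLog: ", "Security: "   # the two <prematch> strings
    if not log.startswith(parent):
        return {}
    rest = log[len(parent):]                      # offset="after_parent"
    m = HEADER.match(rest) if rest.startswith(child) else None
    if not m:
        return {}
    fields = dict(zip(HEADER_ORDER, m.groups()))
    tail = rest[m.end():]                         # offset="after_regex"
    for pat, order in ADDRESS:
        hit = re.search(ossec_to_python(pat), tail)
        if hit:
            fields.update(zip(order, hit.groups()))
            break
    return fields
```

Feeding a line through `decode()` shows which fields the chain would hand to the rules, and an empty result is the quickest sign that a prematch, not the regex, is what fails.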

On 02.10.2013 08:02, dan (ddp) wrote:
<decoder name="win2k3beta-1">
  <parent>windows</parent>
  <prematch>Security: </prematch>
  <regex offset="after_prematch">^(\S+)\p(\d+)\p: (\S+): \S+: \S+: (\S+): </regex>
  <order>status, id, extra_data, system_name</order>
</decoder>

<decoder name="win2k3beta-1">
  <parent>windows</parent>
  <regex>Caller User Name: (\S+) </regex>
  <order>user</order>
</decoder>
On Tue, Oct 1, 2013 at 8:36 PM, Leonel Algaré
<[email protected]> wrote:
Hi guys,

Here is my Custom decoder.


*****************************************************************************

<decoder name="win2003beta-1">

<parent>windows</parent>

<prematch offset="after_parent">Security: (\w+)\((\d+)\): </prematch>

<regex>Security: </regex>

<regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>

<regex>Caller User Name:\s+(\w+)</regex>

<order>status, id, system_name, extra_data, user</order>


**********************************************************************************

I need to catch the username in the "Caller User Name" field.


When I put this in logtest, the decoder doesn't match anything!


Is the decoder correct?

This is the log:

WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: XXXXXXXXX: User Account Changed: Target Account Name: XXXXX Target Domain: XXXXXXXXXX Target Account ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Caller User Name: USER Caller Domain: XXXXXXXXXXX Caller Logon ID: XXXXXXXXXXXXXXXX Privileges: - Changed Attributes: Sam Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 10/1/2013 4:01:12 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - Sid History: - Logon Hours: -


Please help, and apologies for my bad English.


Regards

--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
