Here is an updated Windows decoder that I have been using. I haven't
released it officially yet since it hasn't been fully tested. Give it a
try:
<decoder name="windows">
<type>windows</type>
<prematch>^WinEvtLog: </prematch>
</decoder>
<!-- prematch on Security log when decoding IPs to reduce log injection
risk-->
<decoder name="windows-security">
<type>windows</type>
<parent>windows</parent>
<prematch offset="after_parent">Security: </prematch>
<regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
<regex>(\.+): \.+: (\S+): </regex>
<order>status, id, extra_data, user, system_name</order>
<fts>name, location, user, system_name</fts>
</decoder>
<decoder name="windows-security">
<type>windows</type>
<parent>windows</parent>
<regex offset="after_regex">Source Network Address:
(\d+.\d+.\d+.\d+)\s+Source Port: (\d+)</regex>
<order>srcip, srcport</order>
</decoder>
<decoder name="windows-security">
<type>windows</type>
<parent>windows</parent>
<regex offset="after_regex">orkstation\s*\w*:
\\\\(\d+.\d+.\d+.\d+)</regex>
<order>srcip</order>
</decoder>
<decoder name="windows-security">
<type>windows</type>
<parent>windows</parent>
<regex offset="after_regex">Client Address: (\d+.\d+.\d+.\d+)</regex>
<order>srcip</order>
</decoder>
<decoder name="windows-general">
<type>windows</type>
<parent>windows</parent>
<regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
<regex>(\.+): \.+: (\S+): </regex>
<order>status, id, extra_data, user, system_name</order>
<fts>name, location, user, system_name</fts>
</decoder>
On 02.10.2013 08:02, dan (ddp) wrote:
<decoder name="win2k3beta-1">
<parent>windows</parent>
<prematch>Security: </prematch>
<regex offset="after_prematch">^(\S+)\p(\d+)\p: (\S+): \S+: \S+:
(\S+): </rege
x>
<order>status, id, extra_data, system_name</order>
</decoder>
<decoder name="win2k3beta-1">
<parent>windows</parent>
<regex>Caller User Name: (\S+) </regex>
<order>user</order>
</decoder>
On Tue, Oct 1, 2013 at 8:36 PM, Leonel Algaré
<[email protected]> wrote:
Hi guys,
Here is my Custom decoder.
*****************************************************************************
<decoder name=”win2003beta-1”>
<parent>windows</parent>
<prematch offset=”after_parent”>Security: (\w+)\((\d+)\):
</prematch>
<regex>Security: </regex>
<regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>
<regex>Caller User Name:\s+(\w+)</regex>
<order>status, id, system_name, extra_data, user</order>
**********************************************************************************
I need to catch the username in "Caller User Name" field
When i put this in logtest, the decoder doesn't match nothing!.
Is the decoder correctly?
This is the log:
WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX:
XXXXXXXXX:
User Account Changed: Target Account Name: XXXXX
Target
Domain: XXXXXXXXXX Target Account ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Caller User
Name: USER
Caller Domain: XXXXXXXXXXX Caller Logon ID:
XXXXXXXXXXXXXXXX
Privileges: - Changed Attributes: Sam Account
Name: -
Display Name: - User Principal Name: - Home
Directory: - Home Drive: - Script Path: -
Profile Path: - User Workstations: -
Password
Last Set: 10/1/2013 4:01:12 PM Account Expires: -
Primary Group ID: - AllowedToDelegateTo: -
Old
UAC Value: - New UAC Value: - User
Account
Control: - User Parameters: - Sid History: -
Logon Hours: -
Please help, and apologies for my bad english.
Regards
--
---
You received this message because you are subscribed to the Google
Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it,
send an
email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
