On Wed, Oct 2, 2013 at 11:51 AM, Leonel Algaré <[email protected]> wrote:
> Hi Dan
>
> Thank you !!
>
> Now it works.
>
> But I have another problem.
>
> I wrote 2 decoders. One for 2003/2k and other for 2008.
>
> They do not work when both are in local_decoder.xml at the same time.
>
> Here are my decoders:
>
> <decoder name="windows-03">
>
>         <type>windows</type>
>         <parent>windows</parent>
>         <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>         <regex>\.+: \.+: (\S+): </regex>
>
>         <order>status, id, extra_data, system_name</order>
>         <fts>name, location, system_name</fts>
> </decoder>
>
> <decoder name="windows-03">
>
>         <type>windows</type>
>         <parent>windows</parent>
>         <regex offset="after_regex">Caller User Name: (\S+)</regex>
>         <order>user</order>
> </decoder>
>
>
> <decoder name="windows-08">
>
>         <type>windows</type>
>         <parent>windows</parent>
>         <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>         <regex>\.+: \.+: (\S+): </regex>
>
>         <order>status, id, extra_data, system_name</order>
>         <fts>name, location, system_name</fts>
> </decoder>
>
>
> <decoder name="windows-08">
>
>         <type>windows</type>
>         <parent>windows</parent>
>         <regex>Account Name:\s\t\t\s(\S+)</regex>
>         <order>user</order>
> </decoder>
>
>
> And another problem is that sometimes logs arrive in a different format, EXAMPLE:
>
> WinEvtLog: Security: AUDIT_SUCCESS(4733):
> Microsoft-Windows-Security-Auditing: (no user): no domain: XXXXXX: A member
> was removed from a security-enabled local group. Subject:  Security ID:
> XXXXXXXXXXXXXXXXX  Account Name: USER  Account Domain:  XXXXXX  Logon ID:
> XXXXXX  Member:  Security ID:  XXXXXXXXXX  Account Name:  -  Group:
> Security ID:  XXXXXXXXXXXX Group Name:  Administrators  Group Domain:
> Builtin  Additional Information:  Privileges:  -
>
>
>
> WinEvtLog: Security: AUDIT_SUCCESS(4725):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> xxxxxxxxxxxxxxxxxx: A user account was disabled.    Subject:
> Security ID:         XXXXXXXXXXXXXXXXXXXXXXXX               Account Name:
> USER             Account Domain:         XXXXXXXXXXXXX         Logon ID:
> XXXXXXXXXXXXXX    Target Account:            Security ID:
> XXXXXXXXXXXXXXXXXX          Account Name:           LNKI766$
> Account Domain:              XXXXXXXXXXXXXX
>
>
>
>
> This last log shows the "Account Name" field with spaces and tabs, and the
> first log does not!
> What can I do to match both of them?
>

You could try "Account Name:\s+(\S+) " Not sure how well that will
work, and it can make the regex totally unreadable.

You should also call Microsoft and tell them to fix their logs. :P

>
> Regards,
>
>
> On Wednesday, October 2, 2013 at 10:02:47 UTC-3, dan (ddpbsd) wrote:
>>
>> <decoder name="win2k3beta-1">
>>   <parent>windows</parent>
>>   <prematch>Security: </prematch>
>>     <regex offset="after_prematch">^(\S+)\p(\d+)\p: (\S+): \S+: \S+: (\S+): </regex>
>>   <order>status, id, extra_data, system_name</order>
>> </decoder>
>>
>> <decoder name="win2k3beta-1">
>>   <parent>windows</parent>
>>   <regex>Caller User Name: (\S+) </regex>
>>   <order>user</order>
>> </decoder>
>>
>>
>>
>> On Tue, Oct 1, 2013 at 8:36 PM, Leonel Algaré <[email protected]> wrote:
>> > Hi guys,
>> >
>> > Here is my Custom decoder.
>> >
>> >
>> > *****************************************************************************
>> >
>> > <decoder name="win2003beta-1">
>> >
>> > <parent>windows</parent>
>> >
>> > <prematch offset="after_parent">Security: (\w+)\((\d+)\): </prematch>
>> >
>> > <regex>Security: </regex>
>> >
>> > <regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>
>> >
>> > <regex>Caller User Name:\s+(\w+)</regex>
>> >
>> > <order>status, id, system_name, extra_data, user</order>
>> >
>> > </decoder>
>> >
>> >
>> > **********************************************************************************
>> >
>> > I need to catch the username in the "Caller User Name" field.
>> >
>> >
>> > When I put this in logtest, the decoder doesn't match anything!
>> >
>> >
>> > Is the decoder correct?
>> >
>> > This is the log:
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX:
>> > XXXXXXXXX:
>> > User Account Changed:                 Target Account Name: XXXXX
>> > Target
>> > Domain: XXXXXXXXXX           Target Account ID:
>> > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX             Caller User Name:
>> > USER
>> > Caller Domain: XXXXXXXXXXX           Caller Logon ID: XXXXXXXXXXXXXXXX
>> > Privileges: -    Changed Attributes:                 Sam Account Name: -
>> > Display Name: -              User Principal Name: -             Home
>> > Directory: -            Home Drive: -                Script Path: -
>> > Profile Path: -              User Workstations: -               Password
>> > Last Set: 10/1/2013 4:01:12 PM                Account Expires: -
>> > Primary Group ID: -                AllowedToDelegateTo: -
>> > Old
>> > UAC Value: -             New UAC Value: -                 User Account
>> > Control: -            User Parameters: -           Sid History: -
>> > Logon Hours: -
>> >
>> >
>> > Please help, and apologies for my bad English.
>> >
>> >
>> > Regards
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
>

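Dan's whitespace-tolerant suggestion, worked through as an added example that is not part of any message in the thread: a small Python script, written here for illustration, that applies the strict single-space pattern and the `\s+` form to constructed samples modelled on the three events quoted above (SIDs, hosts and domains replaced with placeholders; the 4725 event carries tabs after each colon, as Leonel described). It uses Python's `re`, so the OSSEC-specific tokens (`\.+`, `\p`, `offset=`) are not reproduced and the function names `decode` and `strict_user` are this example's own; the point is the matching behaviour, not decoder syntax.

```python
import re

# Constructed sample events modelled on the ones quoted in the thread.
# Real events arrive as one line; SIDs, hosts and domains are placeholders.
LOG_2008_4733 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4733): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME: "
    "A member was removed from a security-enabled local group. Subject:  "
    "Security ID:  S-1-5-21-PLACEHOLDER  Account Name: USER  "
    "Account Domain:  DOMAIN  Logon ID:  0x1234  Member:  Security ID:  "
    "S-1-5-21-PLACEHOLDER  Account Name:  -  Group:  Security ID:  "
    "S-1-5-32-544 Group Name:  Administrators  Group Domain:  Builtin"
)
# Same event family, but the fields are separated by tabs rather than spaces.
LOG_2008_4725 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4725): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: HOSTNAME: "
    "A user account was disabled.    Subject:\t\t"
    "Security ID:\t\tS-1-5-21-PLACEHOLDER\t\tAccount Name:\t\tUSER\t\t"
    "Account Domain:\t\tDOMAIN\t\tLogon ID:\t\t0x1234\t\t"
    "Target Account:\t\tSecurity ID:\t\tS-1-5-21-PLACEHOLDER\t\t"
    "Account Name:\t\tLNKI766$\t\tAccount Domain:\t\tDOMAIN"
)
# Windows 2003 / 2000 style event: the actor is in "Caller User Name".
LOG_2003_642 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(642): Security: HOSTNAME: HOSTNAME: "
    "HOSTNAME: User Account Changed:   Target Account Name: TARGET   "
    "Target Domain: DOMAIN   Target Account ID: S-1-5-21-PLACEHOLDER   "
    "Caller User Name: USER   Caller Domain: DOMAIN   Caller Logon ID: 0x1234"
)

# Header shared by both generations: "Security: STATUS(ID): SOURCE: ".
HEADER = re.compile(r"^WinEvtLog: Security: (\w+)\((\d+)\): ([^:]+): ")

# Strict form: exactly one space after the colon (fails on the tabbed event).
STRICT_2008 = re.compile(r"Account Name: (\S+) ")
# Whitespace-tolerant form as Dan suggested: any run of spaces or tabs.
TOLERANT_2008 = re.compile(r"Account Name:\s+(\S+)\s")
# 2003-style events name the actor in "Caller User Name".
TOLERANT_2003 = re.compile(r"Caller User Name:\s+(\S+)\s")


def decode(log):
    """Return the fields an OSSEC-style decoder would pull out of `log`.

    `user` comes from the first whitespace-tolerant pattern that matches.
    The 2003 form is tried first because "Account Name:" is also the tail
    of the 2003 "Target Account Name:" field and would match the wrong user.
    Returns None when the event header does not look like a WinEvtLog line.
    """
    head = HEADER.match(log)
    if head is None:
        return None
    fields = {
        "status": head.group(1),
        "id": head.group(2),
        "source": head.group(3),
        "user": None,
        "matched": None,
    }
    for label, pattern in (("2003", TOLERANT_2003), ("2008", TOLERANT_2008)):
        m = pattern.search(log)
        if m:
            fields["user"] = m.group(1)
            fields["matched"] = label
            break
    return fields


def strict_user(log):
    """What the strict single-space regex yields: None when tabs follow the colon."""
    m = STRICT_2008.search(log)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, log in (("4733", LOG_2008_4733), ("4725", LOG_2008_4725),
                      ("642", LOG_2003_642)):
        print(name, decode(log), "strict:", strict_user(log))
```

Two things to keep in mind when carrying this back to a decoder: the 4725 event contains two "Account Name:" fields, and the first match is the Subject (the account that performed the action), while the second is the Target; if a rule needs the target, a second pattern anchored after the first match is required, which is what the `offset="after_regex"` attribute in the windows-03 decoder above does. And because `\s+` also swallows newlines and runs of spaces, keep the literal field label in front of it so the capture cannot drift to a neighbouring field.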