On Wed, Oct 2, 2013 at 11:51 AM, Leonel Algaré <[email protected]> wrote:
> Hi dan,
>
> Thank you!!
>
> Now it works.
>
> But I have another problem.
>
> I wrote 2 decoders. One for 2003/2k and the other for 2008.
>
> They do not work when both are in local_decoder.xml at the same time.
>
> Here are my decoders:
>
> <decoder name="windows-03">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>   <regex>\.+: \.+: (\S+): </regex>
>   <order>status, id, extra_data, system_name</order>
>   <fts>name, location, system_name</fts>
> </decoder>
>
> <decoder name="windows-03">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex offset="after_regex">Caller User Name: (\S+)</regex>
>   <order>user</order>
> </decoder>
>
> <decoder name="windows-08">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>   <regex>\.+: \.+: (\S+): </regex>
>   <order>status, id, extra_data, system_name</order>
>   <fts>name, location, system_name</fts>
> </decoder>
>
> <decoder name="windows-08">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex>Account Name:\s\t\t\s(\S+)</regex>
>   <order>user</order>
> </decoder>
>
> And another problem was that sometimes logs arrive in a different format. EXAMPLE:
>
> WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: (no user): no domain: XXXXXX: A member was removed from a security-enabled local group. Subject: Security ID: XXXXXXXXXXXXXXXXX Account Name: USER Account Domain: XXXXXX Logon ID: XXXXXX Member: Security ID: XXXXXXXXXX Account Name: - Group: Security ID: XXXXXXXXXXXX Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
>
> WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: (no user): no domain: xxxxxxxxxxxxxxxxxx: A user account was disabled. Subject: Security ID: XXXXXXXXXXXXXXXXXXXXXXXX Account Name: USER Account Domain: XXXXXXXXXXXXX Logon ID: XXXXXXXXXXXXXX Target Account: Security ID: XXXXXXXXXXXXXXXXXX Account Name: LNKI766$ Account Domain: XXXXXXXXXXXXXX
>
> This last log shows the "Account Name" field with spaces and tabs, and the first log does not!
> What can I do to match both of them?
You could try "Account Name:\s+(\S+) "
Not sure how well that will work, and it can make the regex totally unreadable.
You should also call Microsoft and tell them to fix their logs. :P

> Regards,
>
> On Wednesday, October 2, 2013 10:02:47 UTC-3, dan (ddpbsd) wrote:
>>
>> <decoder name="win2k3beta-1">
>>   <parent>windows</parent>
>>   <prematch>Security: </prematch>
>>   <regex offset="after_prematch">^(\S+)\p(\d+)\p: (\S+): \S+: \S+: (\S+): </regex>
>>   <order>status, id, extra_data, system_name</order>
>> </decoder>
>>
>> <decoder name="win2k3beta-1">
>>   <parent>windows</parent>
>>   <regex>Caller User Name: (\S+) </regex>
>>   <order>user</order>
>> </decoder>
>>
>> On Tue, Oct 1, 2013 at 8:36 PM, Leonel Algaré <[email protected]> wrote:
>> > Hi guys,
>> >
>> > Here is my custom decoder.
>> >
>> > *****************************************************************************
>> >
>> > <decoder name="win2003beta-1">
>> >   <parent>windows</parent>
>> >   <prematch offset="after_parent">Security: (\w+)\((\d+)\): </prematch>
>> >   <regex>Security: </regex>
>> >   <regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>
>> >   <regex>Caller User Name:\s+(\w+)</regex>
>> >   <order>status, id, system_name, extra_data, user</order>
>> > </decoder>
>> >
>> > **********************************************************************************
>> >
>> > I need to catch the username in the "Caller User Name" field.
>> >
>> > When I put this in logtest, the decoder doesn't match anything!
>> >
>> > Is the decoder correct?
>> >
>> > This is the log:
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: XXXXXXXXX: User Account Changed: Target Account Name: XXXXX Target Domain: XXXXXXXXXX Target Account ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Caller User Name: USER Caller Domain: XXXXXXXXXXX Caller Logon ID: XXXXXXXXXXXXXXXX Privileges: - Changed Attributes: Sam Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 10/1/2013 4:01:12 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - Sid History: - Logon Hours: -
>> >
>> > Please help, and apologies for my bad English.
>> >
>> > Regards
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
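A quick way to prototype the regexes discussed in this thread before feeding them to ossec-logtest. This is an added example, not code from the thread or from OSSEC: it translates the OSSEC regex dialect into Python re, models the parent/child decoder flow (concatenated <regex> entries, offset="after_prematch"/"after_parent"/"after_regex", <order>), and runs the three user-field regexes from the thread, plus one added pattern that captures both the Subject and the Target account of a 4725, over constructed sample events modelled on the redacted logs above. Assumptions, all labelled in the code: \s is matched as space-or-tab, OSSEC quantifiers are modelled as lazy, and the stock windows decoder is taken to have a "^WinEvtLog: " prematch; the host names, SIDs and account names in the sample events are made up.

```python
import re

# OSSEC regex character classes (from the OSSEC regex syntax docs) mapped to
# Python re. ASSUMPTION: \s is treated as space-or-tab and \S as its complement;
# OSSEC documents \s as "spaces" and \t as tabs, so confirm with ossec-logtest.
OSSEC_CLASSES = {
    r"\.": ".",                    # any character
    r"\w": "[A-Za-z0-9@_-]",
    r"\W": "[^A-Za-z0-9@_-]",
    r"\d": "[0-9]",
    r"\D": "[^0-9]",
    r"\s": "[ \t]",
    r"\S": "[^ \t]",
    r"\t": "\t",
    r"\p": "[" + re.escape("()*+,-.:;<=>?[]!\"'#$%&|{}") + "]",
}


def ossec_to_python(pattern):
    """Translate one OSSEC decoder regex into Python re syntax.

    ASSUMPTION: the OSSEC matcher is modelled as lazy, i.e. '+' and '*' stop at
    the first position where the rest of the pattern matches (so '(\\.+): ' ends
    at the next ': '). A quantifier that ends the pattern stays greedy so a
    trailing '(\\S+)' captures the whole token.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i:i + 2], re.escape(pattern[i + 1])))
            i += 2
            continue
        if c in "()^$|":
            out.append(c)
        elif c in "+*":
            out.append(c if pattern[i + 1:].rstrip(")$") == "" else c + "?")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


class Pattern:
    """An OSSEC pattern that can start matching at an offset, like the decoder engine."""

    def __init__(self, ossec):
        self.anchored = ossec.startswith("^")
        self.rx = re.compile(ossec_to_python(ossec[1:] if self.anchored else ossec))

    def find(self, text, pos=0):
        # Python's '^' never matches at a search offset, so anchored patterns use match().
        return self.rx.match(text, pos) if self.anchored else self.rx.search(text, pos)


def decode(log, decoders):
    """Apply a parent decoder and then its children; return the merged fields.

    Several <regex> entries are concatenated, offset="after_prematch" starts after
    the decoder's own prematch, offset="after_parent"/"after_regex" start where the
    previous regex match ended, and captured groups map onto the names in <order>.
    """
    fields, prematch_end, regex_end = {}, 0, 0
    for d in decoders:
        if d.get("prematch"):
            m = Pattern(d["prematch"]).find(log)
            if not m:
                continue
            prematch_end = m.end()
        start = {"after_prematch": prematch_end, "after_parent": regex_end,
                 "after_regex": regex_end}.get(d.get("offset"), 0)
        m = Pattern("".join(d["regex"])).find(log, start)
        if not m:
            continue
        regex_end = m.end()
        fields.update(zip(d["order"], m.groups()))
    return fields


def extract_user(log, ossec_regex):
    """Return what one user-field regex captures from a log line, or None if it misses."""
    m = Pattern(ossec_regex).find(log)
    if not m:
        return None
    return m.group(1) if m.re.groups == 1 else m.groups()


# Parent decoder built from the regex pieces quoted in the thread; the
# '^WinEvtLog: ' prematch is an assumption about the stock 'windows' decoder.
WINDOWS_PARENT = {
    "prematch": r"^WinEvtLog: ",
    "offset": "after_prematch",
    "regex": [r"^\.+: (\w+)\((\d+)\): (\.+): ", r"\.+: \.+: (\S+): "],
    "order": ["status", "id", "extra_data", "system_name"],
}
CALLER_CHILD = {"offset": "after_parent", "regex": [r"Caller User Name: (\S+)"], "order": ["user"]}

# The user-field regexes from the thread, plus one added here that captures both
# the Subject (acting) and the Target (affected) account of a 4725 event.
USER_REGEX = {
    "caller_2003": r"Caller User Name: (\S+)",
    "tabs_only_2008": r"Account Name:\s\t\t\s(\S+)",
    "any_spacing_2008": r"Account Name:\s+(\S+)",
    "subject_and_target": r"Subject: \.+Account Name:\s+(\S+) \.+Target Account: \.+Account Name:\s+(\S+) ",
}

# Constructed sample events modelled on the redacted lines in the thread (not real logs).
LOG_642 = ("WinEvtLog: Security: AUDIT_SUCCESS(642): Security: SYSTEM: CORP: HOST01: "
           "User Account Changed: Target Account Name: jdoe Target Domain: CORP "
           "Target Account ID: S-1-5-21-1-2-3-1105 Caller User Name: USER "
           "Caller Domain: CORP Caller Logon ID: (0x0,0x3E7) Privileges: - ")
LOG_4733 = ("WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: WS-7: A member was removed from a security-enabled local group. "
            "Subject: Security ID: S-1-5-21-1-2-3-500 Account Name: USER Account Domain: CORP "
            "Logon ID: 0x3E7 Member: Security ID: S-1-5-21-1-2-3-1105 Account Name: - "
            "Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin ")
LOG_4725 = ("WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: "
            "(no user): no domain: WS-7: A user account was disabled. "
            "Subject: Security ID: S-1-5-21-1-2-3-500 Account Name: \t\t USER "
            "Account Domain: CORP Logon ID: 0x3E7 Target Account: Security ID: "
            "S-1-5-21-1-2-3-1105 Account Name: \t\t LNKI766$ Account Domain: CORP ")

if __name__ == "__main__":
    for name, log in (("642", LOG_642), ("4733", LOG_4733), ("4725", LOG_4725)):
        print(name, decode(log, [WINDOWS_PARENT, CALLER_CHILD]))
        for label, rx in USER_REGEX.items():
            print("    %-20s -> %r" % (label, extract_user(log, rx)))
```

Running it shows the trade-off behind the "Account Name:\s+(\S+)" suggestion: it matches both the single-space and the tab-padded 2008 events, but it returns the first "Account Name" in the message, which on a 4725 is the Subject (the operator who disabled the account, here USER) rather than the Target (LNKI766$), and on a 2003 event 642 it lands on "Target Account Name:" and returns the target (jdoe) instead of the caller. A regex that matches both formats can therefore fill the user field with different meanings per event, which matters once rules alert on that field; keeping per-format child decoders, or capturing Subject and Target separately as the last pattern does, keeps the meaning stable. Treat the output as a prototype only and confirm each decoder with ossec-logtest, since the whitespace and quantifier semantics above are modelled, not taken from the OSSEC source.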
