Sure Dan... Thanks,

And the other problem? They do not work when both are in local_decoder.xml at the same time. Why not? Can you help me with that?

On Wednesday, October 2, 2013 12:53:46 UTC-3, dan (ddpbsd) wrote:
>
> On Wed, Oct 2, 2013 at 11:51 AM, Leonel Algaré <[email protected]> wrote:
> > Hi dan
> >
> > Thank you !!
> >
> > Now it works.
> >
> > But I have another problem.
> >
> > I wrote 2 decoders. One for 2003/2k and the other for 2008.
> >
> > They do not work when both are in local_decoder.xml at the same time.
> >
> > Here are my decoders:
> >
> > <decoder name="windows-03">
> > <type>windows</type>
> > <parent>windows</parent>
> > <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> > <regex>\.+: \.+: (\S+): </regex>
> > <order>status, id, extra_data, system_name</order>
> > <fts>name, location, system_name</fts>
> > </decoder>
> >
> > <decoder name="windows-03">
> > <type>windows</type>
> > <parent>windows</parent>
> > <regex offset="after_regex">Caller User Name: (\S+)</regex>
> > <order>user</order>
> > </decoder>
> >
> >
> > <decoder name="windows-08">
> > <type>windows</type>
> > <parent>windows</parent>
> > <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
> > <regex>\.+: \.+: (\S+): </regex>
> > <order>status, id, extra_data, system_name</order>
> > <fts>name, location, system_name</fts>
> > </decoder>
> >
> >
> > <decoder name="windows-08">
> > <type>windows</type>
> > <parent>windows</parent>
> > <regex>Account Name:\s\t\t\s(\S+)</regex>
> > <order>user</order>
> > </decoder>
> >
> >
> > And another problem was that sometimes logs arrive in a different format, EXAMPLE:
> >
> > WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: (no user): no domain: XXXXXX: A member was removed from a security-enabled local group.    Subject:   Security ID:  XXXXXXXXXXXXXXXXX   Account Name:  USER   Account Domain:  XXXXXX   Logon ID:  XXXXXX   Member:   Security ID:  XXXXXXXXXX   Account Name:  -   Group:   Security ID:  XXXXXXXXXXXX   Group Name:  Administrators   Group Domain:  Builtin   Additional Information:   Privileges:  -
> >
> >
> > WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: (no user): no domain: xxxxxxxxxxxxxxxxxx: A user account was disabled.    Subject:   Security ID:  XXXXXXXXXXXXXXXXXXXXXXXX   Account Name:  USER   Account Domain:  XXXXXXXXXXXXX   Logon ID:  XXXXXXXXXXXXXX   Target Account:   Security ID:  XXXXXXXXXXXXXXXXXX   Account Name:  LNKI766$   Account Domain:  XXXXXXXXXXXXXX
> >
> >
> > This last log shows the "Account Name" field with spaces and tabs, and the first log does not!
> > What can I do to match both of them?
> >
>
> You could try "Account Name:\s+(\S+) " Not sure how well that will work, and it can make the regex totally unreadable.
>
> You should also call Microsoft and tell them to fix their logs. :P
>
> > Regards,
> >
> >
> > On Wednesday, October 2, 2013 10:02:47 UTC-3, dan (ddpbsd) wrote:
> >>
> >> <decoder name="win2k3beta-1">
> >> <parent>windows</parent>
> >> <prematch>Security: </prematch>
> >> <regex offset="after_prematch">^(\S+)\p(\d+)\p: (\S+): \S+: \S+: (\S+): </regex>
> >> <order>status, id, extra_data, system_name</order>
> >> </decoder>
> >>
> >> <decoder name="win2k3beta-1">
> >> <parent>windows</parent>
> >> <regex>Caller User Name: (\S+) </regex>
> >> <order>user</order>
> >> </decoder>
> >>
> >>
> >> On Tue, Oct 1, 2013 at 8:36 PM, Leonel Algaré <[email protected]> wrote:
> >> > Hi guys,
> >> >
> >> > Here is my Custom decoder.
> >> >
> >> > *****************************************************************************
> >> >
> >> > <decoder name=”win2003beta-1”>
> >> > <parent>windows</parent>
> >> > <prematch offset=”after_parent”>Security: (\w+)\((\d+)\): </prematch>
> >> > <regex>Security: </regex>
> >> > <regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>
> >> > <regex>Caller User Name:\s+(\w+)</regex>
> >> > <order>status, id, system_name, extra_data, user</order>
> >> >
> >> > **********************************************************************************
> >> >
> >> > I need to catch the username in the "Caller User Name" field.
> >> >
> >> > When I put this in logtest, the decoder doesn't match anything!
> >> >
> >> > Is the decoder correct?
> >> >
> >> > This is the log:
> >> >
> >> > WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: XXXXXXXXX: User Account Changed:   Target Account Name:  XXXXX   Target Domain:  XXXXXXXXXX   Target Account ID:  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   Caller User Name:  USER   Caller Domain:  XXXXXXXXXXX   Caller Logon ID:  XXXXXXXXXXXXXXXX   Privileges:  -   Changed Attributes:   Sam Account Name:  -   Display Name:  -   User Principal Name:  -   Home Directory:  -   Home Drive:  -   Script Path:  -   Profile Path:  -   User Workstations:  -   Password Last Set:  10/1/2013 4:01:12 PM   Account Expires:  -   Primary Group ID:  -   AllowedToDelegateTo:  -   Old UAC Value:  -   New UAC Value:  -   User Account Control:  -   User Parameters:  -   Sid History:  -   Logon Hours:  -
> >> >
> >> >
> >> > Please help, and apologies for my bad English.
> >> >
> >> >
> >> > Regards
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
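Added example, not from this thread and not OSSEC code: a Python check of the two "Account Name" patterns discussed above against constructed copies of the 4733 and 4725 events. It shows that the rigid "Account Name:\s\t\t\s(\S+)" regex from the windows-08 decoder misses the single-space format, that a whitespace-tolerant pattern in the spirit of the suggested "Account Name:\s+(\S+)" matches both, and that the first "Account Name:" in these events is the Subject (who acted), not the affected account. It uses Python's re dialect, where \s also matches tabs; OSSEC's own regex syntax differs, so these are not drop-in decoder patterns. Security IDs and host names in the samples are placeholders.

```python
import re
from typing import Optional

# Constructed samples modelled on the 4733 and 4725 events quoted in the thread
# (IDs and hosts are placeholders). The second carries " \t\t " after each field
# label, as the poster observed; the first uses single spaces.
EVENT_4733 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: HOST01: A member was removed from a security-enabled "
    "local group. Subject: Security ID: S-1-5-21-1 Account Name: USER "
    "Account Domain: DOM Logon ID: 0x1a2b Member: Security ID: S-1-5-21-2 "
    "Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators "
    "Group Domain: Builtin Additional Information: Privileges: -"
)
EVENT_4725 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: host02: A user account was disabled. Subject: "
    "Security ID: \t\t S-1-5-21-1 Account Name: \t\t USER Account Domain: \t\t DOM "
    "Logon ID: \t\t 0x1a2b Target Account: Security ID: \t\t S-1-5-21-9 "
    "Account Name: \t\t LNKI766$ Account Domain: \t\t DOM"
)

# Rigid pattern from the thread's windows-08 decoder: space, tab, tab, space.
RIGID = re.compile(r"Account Name:\s\t\t\s(\S+)")
# Tolerant pattern: any run of spaces/tabs between label and value.
TOLERANT = re.compile(r"Account Name:\s+(\S+)")
# Status and event id, as the decoders' "(\w+)\((\d+)\)" capture them.
HEADER = re.compile(r"^WinEvtLog: Security: (\w+)\((\d+)\): ")


def first_account_name(event: str, pattern: re.Pattern) -> Optional[str]:
    """First 'Account Name' value in the event, or None if the pattern misses."""
    m = pattern.search(event)
    return m.group(1) if m else None


def decode(event: str) -> dict:
    """Decode status, id and the Subject/Target account names. The event is split
    at the first 'Member:' or 'Target Account:' label so the actor (Subject) and
    the affected account are kept apart instead of taking whichever comes first."""
    head = HEADER.match(event)
    status, event_id = (head.group(1), head.group(2)) if head else (None, None)
    parts = re.split(r"\s(?:Member|Target Account):\s", event, maxsplit=1)
    return {
        "status": status,
        "id": event_id,
        "subject": first_account_name(parts[0], TOLERANT),
        "target": first_account_name(parts[1], TOLERANT) if len(parts) > 1 else None,
    }
```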
