On Wed, Oct 2, 2013 at 12:18 PM, Leonel Algaré <[email protected]> wrote:
> Sure Dan...
>
> Thanks,
>
> And the other problem?
>
> > they do not work when both are in local_decoder.xml at the same time.
>
> why not? can you help me with that?
>

The first windows-03 and windows-08 appear to have the same exact regex.

>
> On Wednesday, October 2, 2013 12:53:46 UTC-3, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 2, 2013 at 11:51 AM, Leonel Algaré <[email protected]>
>> wrote:
>> > Hi dan
>> >
>> > Thank you!!
>> >
>> > Now it works.
>> >
>> > But I have another problem.
>> >
>> > I wrote 2 decoders, one for 2003/2k and another for 2008.
>> >
>> > They do not work when both are in local_decoder.xml at the same time.
>> >
>> > Here are my decoders:
>> >
>> > <decoder name="windows-03">
>> > <type>windows</type>
>> > <parent>windows</parent>
>> > <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>> > <regex>\.+: \.+: (\S+): </regex>
>> > <order>status, id, extra_data, system_name</order>
>> > <fts>name, location, system_name</fts>
>> > </decoder>
>> >
>> > <decoder name="windows-03">
>> > <type>windows</type>
>> > <parent>windows</parent>
>> > <regex offset="after_regex">Caller User Name: (\S+)</regex>
>> > <order>user</order>
>> > </decoder>
>> >
>> > <decoder name="windows-08">
>> > <type>windows</type>
>> > <parent>windows</parent>
>> > <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>> > <regex>\.+: \.+: (\S+): </regex>
>> > <order>status, id, extra_data, system_name</order>
>> > <fts>name, location, system_name</fts>
>> > </decoder>
>> >
>> > <decoder name="windows-08">
>> > <type>windows</type>
>> > <parent>windows</parent>
>> > <regex>Account Name:\s\t\t\s(\S+)</regex>
>> > <order>user</order>
>> > </decoder>
>> >
>> > And another problem was that sometimes the logs arrive in a different format,
>> > EXAMPLE:
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: (no user): no domain: XXXXXX: A member was removed from a security-enabled local group. Subject: Security ID: XXXXXXXXXXXXXXXXX Account Name: USER Account Domain: XXXXXX Logon ID: XXXXXX Member: Security ID: XXXXXXXXXX Account Name: - Group: Security ID: XXXXXXXXXXXX Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: (no user): no domain: xxxxxxxxxxxxxxxxxx: A user account was disabled. Subject: Security ID: XXXXXXXXXXXXXXXXXXXXXXXX Account Name: USER Account Domain: XXXXXXXXXXXXX Logon ID: XXXXXXXXXXXXXX Target Account: Security ID: XXXXXXXXXXXXXXXXXX Account Name: LNKI766$ Account Domain: XXXXXXXXXXXXXX
>> >
>> > This last log shows the "Account Name" field with spaces and tabs, and the
>> > first log does not!
>> > What can I do to match both of them?
>> >
>>
>> You could try "Account Name:\s+(\S+) ". Not sure how well that will
>> work, and it can make the regex totally unreadable.
>>
>> You should also call Microsoft and tell them to fix their logs. :P
>>
>> >
>> > Regards,
>> >
>> > On Wednesday, October 2, 2013 10:02:47 UTC-3, dan (ddpbsd)
>> > wrote:
>> >>
>> >> <decoder name="win2k3beta-1">
>> >> <parent>windows</parent>
>> >> <prematch>Security: </prematch>
>> >> <regex offset="after_prematch">^(\S+)\p(\d+)\p: (\S+): \S+: \S+: (\S+): </regex>
>> >> <order>status, id, extra_data, system_name</order>
>> >> </decoder>
>> >>
>> >> <decoder name="win2k3beta-1">
>> >> <parent>windows</parent>
>> >> <regex>Caller User Name: (\S+) </regex>
>> >> <order>user</order>
>> >> </decoder>
>> >>
>> >> On Tue, Oct 1, 2013 at 8:36 PM, Leonel Algaré <[email protected]>
>> >> wrote:
>> >> > Hi guys,
>> >> >
>> >> > Here is my custom decoder.
>> >> >
>> >> > *****************************************************************************
>> >> >
>> >> > <decoder name=”win2003beta-1”>
>> >> > <parent>windows</parent>
>> >> > <prematch offset=”after_parent”>Security: (\w+)\((\d+)\): </prematch>
>> >> > <regex>Security: </regex>
>> >> > <regex>\.+:\s+\.+:\s+(\S+):\s+(\.+):\.+ </regex>
>> >> > <regex>Caller User Name:\s+(\w+)</regex>
>> >> > <order>status, id, system_name, extra_data, user</order>
>> >> >
>> >> > **********************************************************************************
>> >> >
>> >> > I need to catch the username in the "Caller User Name" field.
>> >> >
>> >> > When I put this in logtest, the decoder doesn't match anything!
>> >> >
>> >> > Is the decoder correct?
>> >> >
>> >> > This is the log:
>> >> >
>> >> > WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: XXXXXXXXX: User Account Changed: Target Account Name: XXXXX Target Domain: XXXXXXXXXX Target Account ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Caller User Name: USER Caller Domain: XXXXXXXXXXX Caller Logon ID: XXXXXXXXXXXXXXXX Privileges: - Changed Attributes: Sam Account Name: - Display Name: - User Principal Name: - Home Directory: - Home Drive: - Script Path: - Profile Path: - User Workstations: - Password Last Set: 10/1/2013 4:01:12 PM Account Expires: - Primary Group ID: - AllowedToDelegateTo: - Old UAC Value: - New UAC Value: - User Account Control: - User Parameters: - Sid History: - Logon Hours: -
>> >> >
>> >> > Please help, and apologies for my bad English.
>> >> >
>> >> > Regards
>> >> >
>> >> > --
>> >> > ---
>> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
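A way to check the `<regex>` patterns from this thread offline, as an added example that is not part of the thread or of OSSEC itself: `ossec_to_python` translates OSSEC's own regex dialect into Python's `re` and `decode` runs a pattern over constructed log lines shaped like the ones Leonel posted. The escape table follows my reading of the OSSEC regex documentation and the function names and sample logs are my own, so treat them as assumptions and confirm results with ossec-logtest.

```python
import re

# Escape table for OSSEC's own regex dialect (os_regex) -> Python re.
# ASSUMPTION: this follows my reading of the OSSEC regex documentation (\s is one
# space, \t a tab, \. any character, \p punctuation, \w letters/digits/@/_/-).
OSSEC_ESCAPES = {
    "w": r"[A-Za-z0-9@_\-]", "W": r"[^A-Za-z0-9@_\-]",
    "d": r"[0-9]",           "D": r"[^0-9]",
    "s": r" ",               "S": r"[^ ]",
    "t": r"\t",              ".": r".",
    "p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""",
}

def ossec_to_python(pattern: str) -> str:
    """Rewrite an OSSEC decoder <regex> as a Python pattern with the same meaning."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            # Known escape -> its character class; any other escaped char is literal.
            out.append(OSSEC_ESCAPES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        # Groups, quantifiers, anchors and | mean the same in both dialects;
        # OSSEC has no [] classes or {n}, so everything else is a literal.
        out.append(c if c in "()+*?^$|" else re.escape(c))
        i += 1
    return "".join(out)

def decode(ossec_regex: str, log: str):
    """Return the captured fields (what <order> would receive) or None on no match."""
    m = re.search(ossec_to_python(ossec_regex), log)
    return list(m.groups()) if m else None

# Constructed samples shaped like the thread's logs (placeholder values, not real data).
LOG_2003 = ("WinEvtLog: Security: AUDIT_SUCCESS(642): Security: XXXXX: XXXXX: HOST1: "
            "User Account Changed: Target Account Name: XXXXX Target Domain: XXXXX "
            "Caller User Name: USER Caller Domain: XXXXX Caller Logon ID: XXXXX")
LOG_2008_SPACES = ("WinEvtLog: Security: AUDIT_SUCCESS(4733): Microsoft-Windows-Security-Auditing: "
                   "(no user): no domain: HOST2: A member was removed from a security-enabled "
                   "local group. Subject: Security ID: XXXXX Account Name: USER Account Domain: XXXXX")
LOG_2008_TABS = ("WinEvtLog: Security: AUDIT_SUCCESS(4725): Microsoft-Windows-Security-Auditing: "
                 "(no user): no domain: HOST2: A user account was disabled. Subject: "
                 "Security ID: XXXXX Account Name: \t\t USER Account Domain: XXXXX")

if __name__ == "__main__":
    for rx in (r"Caller User Name: (\S+) ", r"Account Name:\s\t\t\s(\S+)", r"Account Name:\s+(\S+) "):
        for name, log in (("2003", LOG_2003), ("2008/spaces", LOG_2008_SPACES), ("2008/tabs", LOG_2008_TABS)):
            print(f"{rx!r:34} on {name:11}: {decode(rx, log)!r}")
```

Under this reading `\s` is a single space while `\S` matches tabs, so on the tabbed 2008 line the suggested `Account Name:\s+(\S+) ` captures the run of tabs instead of the user, which is the kind of result to look for in ossec-logtest before trusting the `user` field in rules.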
