The Windows decoder has been problematic for many people. I think it's
time to fix it. But in order to do so, we need some logs. If you would
like to help the project, here is what I need.
Raw logs from the security event log in archives.log on the manager
(the more, the better, hopefully from an active production domain of at
least 100 users)...
- Windows 2003 domain controller
- Windows 2008 domain controller
- Windows 2003 domain member
- Windows 2003 standalone
- Windows 2008 domain member
- Windows 2008 standalone
- Windows XP domain member
- Windows XP standalone
- Windows Vista domain member
- Windows Vista standalone
Preferably, you can grep out the relevant logs from archives.log (use
the hostname) and redirect them to another file, then let me know what
kind of logs they are.
From this we will improve the decoder and create unit test cases from
the specific event IDs that OSSEC has rules for.
About your privacy: I will keep the logs confidential; however, we will
need to keep samples of some logs for the unit tests. I will anonymize
these samples and then ask for your agreement that they are sufficiently
anonymized, so that they can be included in the project.
If you would like to help, please tar and gzip the samples and send
them to me OFF LIST. Please do NOT copy them to a Windows system before
compressing them. I need the original control characters to be intact,
so just use the tar in Linux.
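The extraction and packaging steps above, written out as an added shell example; this is not part of the original post or of OSSEC itself. It assumes the archives.log format shown in the constructed sample below (agent name in parentheses after the timestamp, which is only an approximation of real manager output), uses made-up hostnames (dc01, ws07) and a temporary directory in place of the manager's real /var/ossec/logs/archives/archives.log, and runs on Linux with GNU tar so the control characters in the events survive byte for byte:

```shell
#!/bin/sh
# Added example: pull one Windows host's events out of archives.log and
# pack them with tar+gzip on Linux, then prove the bytes came through intact.
set -eu

# Constructed sample of archives.log (format approximated; on a real manager
# point ARCHIVE_LOG at /var/ossec/logs/archives/archives.log instead).
WORKDIR=$(mktemp -d)
ARCHIVE_LOG="$WORKDIR/archives.log"
cat > "$ARCHIVE_LOG" <<'EOF'
2013 Jan 10 10:00:01 (dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01.example.local: An account was successfully logged on.
2013 Jan 10 10:00:02 (ws07) 10.0.0.21->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WS07.example.local: An account failed to log on.
2013 Jan 10 10:00:03 linuxbox->/var/log/auth.log Jan 10 10:00:03 linuxbox sshd[1234]: Accepted publickey for alice
2013 Jan 10 10:00:04 (dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01.example.local: An account was logged off.
EOF
# One event carrying a literal CR before its LF, the kind of control byte that
# a detour through a Windows editor would silently rewrite (constructed).
printf '2013 Jan 10 10:00:05 (dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4672): Microsoft-Windows-Security-Auditing: (no user): no domain: DC01.example.local: Special privileges assigned to new logon.\r\n' >> "$ARCHIVE_LOG"

# extract_host LOGFILE HOSTNAME OUTFILE -> prints number of lines written
# Fixed-string match on "(hostname) " so the name is only matched in the
# agent field, not somewhere inside an event's message body.
extract_host() {
    grep -F "($2) " "$1" > "$3" || true   # grep exits 1 when nothing matches
    wc -l < "$3" | tr -d ' '
}

# package_samples OUTFILE LABEL -> prints path of the created tarball
# tar+gzip directly on the Linux box; no intermediate copy to Windows.
package_samples() {
    dir=$(dirname "$1")
    tar -C "$dir" -czf "$dir/$2.tar.gz" "$(basename "$1")"
    echo "$dir/$2.tar.gz"
}

# verify_roundtrip TARBALL ORIGINAL -> exit 0 only if the extracted copy is
# byte-identical to the file that went in (catches any CR/LF mangling).
verify_roundtrip() {
    tmp=$(mktemp -d)
    tar -C "$tmp" -xzf "$1"
    cmp -s "$2" "$tmp/$(basename "$2")"
}

# Usage: grab everything from the 2008 domain controller "dc01" and pack it.
COUNT=$(extract_host "$ARCHIVE_LOG" dc01 "$WORKDIR/dc01-2008-dc.log")
TARBALL=$(package_samples "$WORKDIR/dc01-2008-dc.log" dc01-2008-dc)
echo "wrote $COUNT dc01 events to $TARBALL"
```

Name the output file after the host and its role (here dc01-2008-dc) so the recipient knows which category in the list above the sample belongs to without a separate note.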
Thanks for your help!
--
You received this message because you are subscribed to the Google Groups "ossec-list" group.