Very soon I should start getting logs from Server 2008R2 domain controller, and 
will also have Windows 7 x64 clients reporting...

We have 500+ user accounts, with probably 300 active users.

I see this is a little newer than you were looking for, but would my collecting 
these logs help? 

--
James Pulver
CLASSE Computer Group
Cornell University


-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Michael Starks
Sent: Thursday, October 24, 2013 11:48 AM
To: [email protected]
Subject: [ossec-list] I Need Your Windows Logs

The Windows decoder has been problematic for many people. I think it's 
time to fix it. But in order to do so, we need some logs. If you would 
like to help the project, here is what I need.

Raw logs from the security event log in archives.log on the manager 
(the more, the better, hopefully from an active production domain of at 
least 100 users)...

- Windows 2003 domain controller
- Windows 2008 domain controller
- Windows 2003 domain member
- Windows 2003 standalone
- Windows 2008 domain member
- Windows 2008 standalone
- Windows XP domain member
- Windows XP standalone
- Windows Vista domain member
- Windows Vista standalone

Preferably, you can grep out the relevant logs from archives.log (use 
the hostname) and redirect them to another file, then let me know what 
kind of logs they are.

From this we will improve the decoder and create unit test cases from 
the specific event IDs that OSSEC has rules for.

About your privacy: I will keep the logs confidential; however, we will 
need to keep samples of some logs for the unit tests. I will anonymize 
these samples and then ask for your agreement that they are sufficiently 
anonymized, so that they can be included in the project.

If you would like to help, please tar and gzip the samples and send 
them to me OFF LIST. Please do NOT copy them to a Windows system before 
compressing them. I need the original control characters to be intact, 
so just use the tar in Linux.

Thanks for your help!

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
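The extraction and packaging steps the post asks for (grep one host out of archives.log, redirect to a file, tar and gzip on Linux so control characters stay intact), as an added shell example that is not part of the original thread and is not OSSEC project code. It assumes the archives.log line layout `timestamp (agent) ip->location message`; the agent names dc01 and ws07, the sample event lines and the output file names are constructed for the demo, and the `count_control_bytes` / `verify_roundtrip` checks are an addition that confirms the bytes survived before anything is sent.

```shell
#!/bin/sh
# Added example, not code from the ossec-list thread or the OSSEC project.
# Pull one agent's Windows event-log lines out of the manager's archives.log
# by hostname, bundle them with tar+gzip on Linux (no Windows detour), and
# check that every control character survived the round trip.
set -eu

# Assumed archives.log layout (what the OSSEC manager writes per line):
#   "<YYYY Mon DD HH:MM:SS> (<agent>) <ip>-><location> <message>"
# The four sample lines below are constructed; "dc01" and "ws07" are
# hypothetical agent names and the event text is abbreviated.
write_sample_archives() {          # $1 = path of archives.log to create
    {
        printf '2013 Oct 24 11:48:01 (dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: dc01: An account was successfully logged on.\tSubject:\tSecurity ID: S-1-0-0\n'
        printf '2013 Oct 24 11:48:02 (ws07) 10.0.0.21->WinEvtLog WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: ws07: An account failed to log on.\n'
        printf '2013 Oct 24 11:48:03 (dc01) 10.0.0.5->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: (no user): no domain: dc01: An account was logged off.\n'
        printf '2013 Oct 24 11:48:04 (dc01) 10.0.0.5->syscheck Integrity checksum changed for: /etc/hosts\n'
    } > "$1"
}

# Keep only the Security-channel WinEvtLog lines for one agent; prints the
# number of lines written.  Fixed-string matching (-F) so the parentheses and
# "->" are taken literally; "|| :" keeps set -e quiet when nothing matches.
extract_host_logs() {              # $1 = archives.log, $2 = hostname, $3 = output
    grep -F -- "($2) " "$1" | grep -F -- '->WinEvtLog WinEvtLog: Security: ' > "$3" || :
    wc -l < "$3" | tr -d ' '
}

# Count control bytes other than newline (tabs, CRs, escapes, ...) in a file;
# these are the bytes a copy through Windows tends to alter.
count_control_bytes() {            # $1 = file
    tr -cd '\001-\011\013-\037\177' < "$1" | wc -c | tr -d ' '
}

# tar+gzip on the Linux side; tar stores the file byte for byte.
bundle_logs() {                    # $1 = log file, $2 = tarball to create
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Unpack into a scratch directory and compare byte for byte with the source;
# exit status 0 means the sample is intact and ready to send.
verify_roundtrip() {               # $1 = tarball, $2 = original log file
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch"
    if cmp -s "$scratch/$(basename "$2")" "$2"; then status=0; else status=1; fi
    rm -rf "$scratch"
    return $status
}

# Demo run: everything lands under $WORK (a temp dir unless pre-set).  The
# output name carries host and OS role so the recipient knows what kind of
# logs they are.
WORK="${WORK:-$(mktemp -d)}"
write_sample_archives "$WORK/archives.log"
DC01_LINES=$(extract_host_logs "$WORK/archives.log" dc01 "$WORK/dc01-win2008-dc-security.log")
echo "dc01: $DC01_LINES Security lines, $(count_control_bytes "$WORK/dc01-win2008-dc-security.log") control bytes"
bundle_logs "$WORK/dc01-win2008-dc-security.log" "$WORK/dc01-win2008-dc-security.tar.gz"
verify_roundtrip "$WORK/dc01-win2008-dc-security.tar.gz" "$WORK/dc01-win2008-dc-security.log" && echo "round trip OK"
```

On a real manager, point `write_sample_archives` aside and run `extract_host_logs /var/ossec/logs/archives/archives.log <agent-name> <out-file>` directly; the round-trip check is cheap insurance that the tarball carries the same bytes the manager logged.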

