At first glance, one thing you need is to add a new field name to 
<order> to capture the regex item matched by "...Object Name: (\.*)", e.g.
     <order>status, id, user, system_name, extra_data</order>

On Thursday, February 13, 2014 4:38:14 AM UTC-8, Chris H wrote:
>
> Hi.  I'm having real problems with a regex for a decoder, and hope someone 
> can help.  I'm trying to extract some details from Windows Event Logs from 
> a file server, for Object Access.  Here's a sample of the logs:
>
> WinEvtLog: Security: AUDIT_SUCCESS(560): Security: user.name: MYDOMAIN: WIN-FS2: Object Open:          Object Server: Security         Object Type: File       Object Name: D:\Shares\Recruitment\Head Office\Ops Vacancies Tracker.xlsx            Handle ID: 27948        Operation ID: {3,166460974}     Process ID: 4           Image File Name:        Primary User Name: WIN-FS2$     Primary Domain: 4UCORE          Primary Logon ID: (0x0,0x3E7)           Client User Name: user.name         Client Domain: MYDOMAIN           Client Logon ID: (0x3,0x9D2FBB5)        Accesses: %%1539        %%4423                                  Privileges: -           Restricted Sid Count: 0         Access Mask: 0x40080
>
> The fields I'm interested in, and that I want to use with FTS to trigger 
> an alert, are the user.name and Object Name.  I'm good with extracting 
> the former with the following decoders:
>
> <decoder name="windows">
>         <type>windows</type>
>         <prematch>^WinEvtLog: </prematch>
> </decoder>
> <decoder name="windows-file-access">
>         <type>windows</type>
>         <parent>windows</parent>
>         <prematch offset="after_parent">^\.+: (\w+)\((560)\):</prematch>
>         <regex offset="after_parent">^\.+: (\w+)\((560)\): \S+: (\S+): \S+: (\S+):</regex>
>         <order>status, id, user, system_name</order>
> </decoder>
>
> But I can't extract the Object Name.  I've tried various permutations 
> along the lines of:
> <decoder name="windows-file-access">
>         <type>windows</type>
>         <parent>windows</parent>
>         <prematch offset="after_parent">^\.+: (\w+)\((560)\):</prematch>
>         <regex offset="after_parent">^\.+: (\w+)\((560)\): \S+: (\S+): \S+: (\S+):</regex>
>         <regex>\.*Object Type: File\s+Object Name: (\.*) +Handle</regex>
>         <order>status, id, user, system_name</order>
> </decoder>
>
> I also have to deal with files with spaces in the name.  With a fuller 
> regex library I'd do something like this, which works nicely because of the 
> non-greedy matching:
> ^.+: (\w+)\((560)\): \w+: (\S+): \S+: (\S+): .*Object Type: File\s+Object Name: (.+?)\s+Handle
>
> But I can't even get OSSEC to match on something as simple as:
> <regex>\.*Name: (\S+)</regex>
>
> Any help would be gratefully received.
>
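Putting the reply's suggestion together, here is a complete decoder pair for the sample line. This is an added example, not code from the thread or from the OSSEC project. It assumes the separators in the real event are spaces (OSSEC's \s matches a space only; if the agent delivers tabs, use \t instead), it folds the Object Name capture into the single regex of the child decoder rather than using a second <regex> element, and it stores the path in extra_data, which is one of the fixed field names OSSEC accepts in <order> and which rules can match with <extra_data>. The <fts> line lists the fields OSSEC hashes for first-time-seen alerting.

```xml
<!-- Added example: parent decoder for every line the Windows agent forwards -->
<decoder name="windows">
        <type>windows</type>
        <prematch>^WinEvtLog: </prematch>
</decoder>

<!-- Added example: child decoder for event 560 (Object Open).
     Capture groups, in order: status, id, user, system_name, extra_data.
     (\.*) before "\s+Handle ID:" keeps the whole path, spaces included. -->
<decoder name="windows-file-access">
        <type>windows</type>
        <parent>windows</parent>
        <prematch offset="after_parent">^\.+: (\w+)\((560)\):</prematch>
        <regex offset="after_parent">^\.+: (\w+)\((560)\): \S+: (\S+): \S+: (\S+):\.*Object Type: File\s+Object Name: (\.*)\s+Handle ID:</regex>
        <order>status, id, user, system_name, extra_data</order>
        <!-- first-time-seen keyed on decoder name, user and the file path -->
        <fts>name, user, extra_data</fts>
</decoder>
```

Drop this into /var/ossec/etc/local_decoder.xml (or decoder.xml on older installs) and check it with /var/ossec/bin/ossec-logtest by pasting the sample line: the output should list user, system_name and extra_data with the full path. A rule that carries <if_fts /> will then fire the first time a given user touches a given file, and <extra_data> in a rule can restrict that to particular shares.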
