Hi Gurus,
 
I really need some guidance on this one.
 
I'm trying to write a decoder for the Trend Micro application, a simple one to 
get started.
 
My example log:
 
WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan Server: 
SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\username" logged off
 
One logoff example (just to show you my problem):
 
WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Aud 
iting: (no user): no domain: machine.domain: An account was logged off. 
Subject: Security ID: S-1-5-21-4207196602-456986474 -1257036219-19970 
Account Name: souangel Account Domain: XXX Logon ID: 0x4124add0 Logon Type: 
3 This event is generated when a logon session is destroyed. It may be 
positively correlated with a logon event using the Logon ID value. Logon 
IDs are only unique between reboots on the same computer.
 
 
OSSIMmachine:/var/log# /var/ossec/bin/ossec-logtest
 
WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Aud 
iting: (no user): no domain: machine.domain: An account was logged off. 
Subject: Security ID: S-1-5-21-4207196602-456986474 -1257036219-19970 
Account Name: souangel Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 
3 This event is generated when a logon session is destroyed. It may be 
positively correlated with a logon event using the Logon ID value. Logon 
IDs are only unique between reboots on the same computer.

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4634): 
Microsoft-Windows-Security-Aud iting: (no user): no domain: machine.domain: 
An account was logged off. Subject: Security ID: 
S-1-5-21-4207196602-456986474 -1257036219-19970 Account Name: souangel 
Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 3 This event is 
generated when a logon session is destroyed. It may be positively 
correlated with a logon event using the Logon ID value. Logon IDs are only 
unique between reboots on the same computer.'
       hostname: 'porsl043'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_SUCCESS(4634): 
Microsoft-Windows-Security-Aud iting: (no user): no domain: machine.domain: 
An account was logged off. Subject: Security ID: 
S-1-5-21-4207196602-456986474 -1257036219-19970 Account Name: souangel 
Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 3 This event is 
generated when a logon session is destroyed. It may be positively 
correlated with a logon event using the Logon ID value. Logon IDs are only 
unique between reboots on the same computer.'
**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'AUDIT_SUCCESS'
       id: '4634'
       extra_data: 'Microsoft-Windows-Security-Aud iting'
       srcuser: '(no user)'
       system_name: 'machine.domain'
**Phase 3: Completed filtering (rules).
       Rule id: '18149'
       Level: '3'
       Description: 'Windows User Logoff.'
**Alert to be generated.
 
OSSIMmachine:/var/log# /var/ossec/bin/ossec-logtest
 
WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan Server: 
SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\username" logged off

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Application: INFORMATION(10): Trend Micro 
OfficeScan Server: SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User 
"Domain\username" logged off'
       hostname: 'porsl043'
       program_name: '(null)'
       log: 'WinEvtLog: Application: INFORMATION(10): Trend Micro 
OfficeScan Server: SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User 
"Domain\username" logged off'
**Phase 2: Completed decoding.
       decoder: 'windows'
       status: 'INFORMATION'
       id: '10'
       extra_data: 'Trend Micro OfficeScan Server'
       srcuser: 'SYSTEM'
       system_name: 'PORSVA018.SIQ.AD'
**Phase 3: Completed filtering (rules).
       Rule id: '18101'
       Level: '0'
       Description: 'Windows informational event.'
 
Note: windows decoder in decoder.xml:
 
<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, srcuser, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>
 
 
As you can see, my Trend Micro log "hit" the decoder named "windows", so 
I think I need to use that as the "parent decoder" in my new decoder.
 
So in local_decoder.xml I wrote this simple decoder:
 
 
<decoder name="trendmicro">
  <type>windows</type>
  <parent>windows</parent>
  <use_own_name>true</use_own_name>
  <regex offset="after_parent">User (\S+)\s+ \.+</regex>
  <order>srcuser, id, extra_data, system_name</order>
  <fts>name, location, system_name</fts>
</decoder>
 
 
I do a service ossec restart, and the decoder works fine for my log:
 
/var/ossec/bin/ossec-logtest
2014/05/12 09:47:23 ossec-testrule: INFO: Reading local decoder file.
2014/05/12 09:47:23 ossec-testrule: INFO: Started (pid: 11499).
ossec-testrule: Type one log per line.
WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan Server: 
SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\username" logged off

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Application: INFORMATION(10): Trend Micro 
OfficeScan Server: SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User 
"Domain\username" logged off'
       hostname: 'porsl043'
       program_name: '(null)'
       log: 'WinEvtLog: Application: INFORMATION(10): Trend Micro 
OfficeScan Server: SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User 
"Domain\username" logged off'
**Phase 2: Completed decoding.
       decoder: 'windows'
**Phase 3: Completed filtering (rules).
       Rule id: '100006'
       Level: '6'
       Description: 'Trend Micro OfficeScan:User logged in/off'
**Alert to be generated.
 
But I have a big problem: all my rules that use the "windows" decoder by default 
(for example, login and logoff) stop working:
 
/var/ossec/bin/ossec-logtest
2014/05/12 09:48:28 ossec-testrule: INFO: Reading local decoder file.
2014/05/12 09:48:28 ossec-testrule: INFO: Started (pid: 12944).
ossec-testrule: Type one log per line.
WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Aud 
iting: (no user): no domain: machine.domain: An account was logged off. 
Subject: Security ID: S-1-5-21-4207196602-456986474 -1257036219-19970 
Account Name: souangel Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 
3 This event is generated when a logon session is destroyed. It may be 
positively correlated with a logon event using the Logon ID value. Logon 
IDs are only unique between reboots on the same computer.

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4634): 
Microsoft-Windows-Security-Aud iting: (no user): no domain: machine.domain: 
An account was logged off. Subject: Security ID: 
S-1-5-21-4207196602-456986474 -1257036219-19970 Account Name: souangel 
Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 3 This event is 
generated when a logon session is destroyed. It may be positively 
correlated with a logon event using the Logon ID value. Logon IDs are only 
unique between reboots on the same computer. '
       hostname: 'porsl043'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_SUCCESS(4634): 
Microsoft-Windows-Security-Aud iting: (no user): no domain: machine.domain: 
An account was logged off. Subject: Security ID: 
S-1-5-21-4207196602-456986474 -1257036219-19970 Account Name: souangel 
Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 3 This event is 
generated when a logon session is destroyed. It may be positively 
correlated with a logon event using the Logon ID value. Logon IDs are only 
unique between reboots on the same computer. '
**Phase 2: Completed decoding.
       decoder: 'windows'
**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'
 
I have no idea why this is happening; can anyone point me in the right direction? 
I would really appreciate it, as this is a blocking point for me.
 
Thanks in advance.
 
Regards
 
 
 

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
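Added here as an example for debugging a parent/child decoder chain like the one in the post (it is not code from the post or from OSSEC): a small Python harness that translates the stock windows decoder and the posted trendmicro child into Python re and replays them over the two sample lines, reporting which fields each stage extracts and where the child pattern stops matching. The translation is an assumed approximation of OSSEC's own engine (`\.` is any character, a repeat stops as soon as the next element matches), and it assumes OSSEC concatenates the two `<regex>` lines of the windows decoder; the `decode` function, the `child` parameter and the warning messages are this example's own.

```python
import re

# Constructed sample inputs: the two lines fed to ossec-logtest in the post
# (the 4634 line is cut after the fields the windows decoder consumes).
TREND = ('WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan Server: '
         'SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\\username" logged off')
LOGOFF = ('WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Aud '
          'iting: (no user): no domain: machine.domain: An account was logged off.')

# Assumed mapping of OSSEC regex atoms to Python re; \.+ becomes lazy (.+?)
# because OSSEC stops a repeat as soon as the following element matches.
_ATOMS = {r'\.': '.', r'\w': '[A-Za-z0-9_@-]', r'\d': '[0-9]', r'\s': ' ', r'\S': '[^ ]'}

def ossec_to_py(pattern):
    # Translate an OSSEC <prematch>/<regex> string into a Python re pattern.
    out, i = [], 0
    while i < len(pattern):
        if pattern[i:i + 2] in _ATOMS:
            out.append(_ATOMS[pattern[i:i + 2]]); i += 2
        elif pattern[i] == '\\':                  # \( and \) are escaped literals
            out.append(re.escape(pattern[i + 1])); i += 2
        elif pattern[i] in '+*':                  # repeat, lazy when it follows \.
            out.append(pattern[i] + ('?' if out and out[-1] == '.' else '')); i += 1
        elif pattern[i] in '^$()|':
            out.append(pattern[i]); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return ''.join(out)

# The stock windows decoder quoted above; its two <regex> lines are joined.
WINDOWS = {'prematch': r'^WinEvtLog: ',
           'regex': r'^\.+: (\w+)\((\d+)\): (\.+): ' + r'(\.+): \.+: (\S+): ',
           'order': ['status', 'id', 'extra_data', 'srcuser', 'system_name']}
# The child decoder from the post (its regex uses offset="after_parent").
TRENDMICRO = {'regex': r'User (\S+)\s+ \.+',
              'order': ['srcuser', 'id', 'extra_data', 'system_name']}

def decode(line, child=TRENDMICRO):
    # Replay the windows decoder, then the child; returns (fields, warnings).
    fields, warn = {}, []
    pre = re.match(ossec_to_py(WINDOWS['prematch']), line)
    m = pre and re.match(ossec_to_py(WINDOWS['regex']), line[pre.end():])
    if not m:
        return fields, ['windows prematch/regex did not match']
    fields.update(zip(WINDOWS['order'], m.groups()))
    rest = line[pre.end() + m.end():]             # where offset="after_parent" begins
    cpat = re.compile(ossec_to_py(child['regex']))
    if cpat.groups != len(child['order']):
        warn.append('child: %d group(s) for %d <order> fields' % (cpat.groups, len(child['order'])))
    c = cpat.match(rest)
    if c:
        fields.update(zip(child['order'], c.groups()))
    else:
        warn.append('child regex did not match %r' % rest)
    return fields, warn
```

Running `decode(TREND)` reproduces the five fields the windows decoder shows in Phase 2 and warns that the child pattern, which needs at least two spaces after the quoted user, captures nothing from the remainder; passing a different `child` dict lets you try a revised pattern before restarting ossec.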