On Mon, May 12, 2014 at 4:50 AM, AMMS <[email protected]> wrote:
> Hi Gurus,
>
> I really need some guidance on this one.
>
> I'm trying to write a decoder for a Trend Micro application, a simple one to
> get started.
>
> My example log:
>
> WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan Server:
> SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\username" logged off
>
> One logoff example (just to show you my problem):
>
> WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Aud
> iting: (no user): no domain: machine.domain: An account was logged off.
> Subject: Security ID: S-1-5-21-4207196602-456986474 -1257036219-19970
> Account Name: souangel Account Domain: XXX Logon ID: 0x4124add0 Logon Type:
> 3 This event is generated when a logon session is destroyed. It may be
> positively correlated with a logon event using the Logon ID value. Logon IDs
> are only unique between reboots on the same computer.
>
>
> OSSIMmachine:/var/log# /var/ossec/bin/ossec-logtest
>
> WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Aud
> iting: (no user): no domain: machine.domain: An account was logged off.
> Subject: Security ID: S-1-5-21-4207196602-456986474 -1257036219-19970
> Account Name: souangel Account Domain: SIQ Logon ID: 0x4124add0 Logon Type:
> 3 This event is generated when a logon session is destroyed. It may be
> positively correlated with a logon event using the Logon ID value. Logon IDs
> are only unique between reboots on the same computer.
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4634):
> Microsoft-Windows-Security-Aud iting: (no user): no domain: machine.domain:
> An account was logged off. Subject: Security ID:
> S-1-5-21-4207196602-456986474 -1257036219-19970 Account Name: souangel
> Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 3 This event is
> generated when a logon session is destroyed. It may be positively correlated
> with a logon event using the Logon ID value. Logon IDs are only unique
> between reboots on the same computer.'
> hostname: 'porsl043'
> program_name: '(null)'
> log: 'WinEvtLog: Security: AUDIT_SUCCESS(4634):
> Microsoft-Windows-Security-Aud iting: (no user): no domain: machine.domain:
> An account was logged off. Subject: Security ID:
> S-1-5-21-4207196602-456986474 -1257036219-19970 Account Name: souangel
> Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 3 This event is
> generated when a logon session is destroyed. It may be positively correlated
> with a logon event using the Logon ID value. Logon IDs are only unique
> between reboots on the same computer.'
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'AUDIT_SUCCESS'
> id: '4634'
> extra_data: 'Microsoft-Windows-Security-Aud iting'
> srcuser: '(no user)'
> system_name: 'machine.domain'
> **Phase 3: Completed filtering (rules).
> Rule id: '18149'
> Level: '3'
> Description: 'Windows User Logoff.'
> **Alert to be generated.
>
> OSSIMmachine:/var/log# /var/ossec/bin/ossec-logtest
>
> WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan Server:
> SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\username" logged off
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: Application: INFORMATION(10): Trend Micro
> OfficeScan Server: SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User
> "Domain\username" logged off'
> hostname: 'porsl043'
> program_name: '(null)'
> log: 'WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan
> Server: SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\username"
> logged off'
> **Phase 2: Completed decoding.
> decoder: 'windows'
> status: 'INFORMATION'
> id: '10'
> extra_data: 'Trend Micro OfficeScan Server'
> srcuser: 'SYSTEM'
> system_name: 'PORSVA018.SIQ.AD'
> **Phase 3: Completed filtering (rules).
> Rule id: '18101'
> Level: '0'
> Description: 'Windows informational event.'
>
> Note: windows decoder in decoder.xml:
>
> <decoder name="windows">
>   <type>windows</type>
>   <prematch>^WinEvtLog: </prematch>
>   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>   <regex>(\.+): \.+: (\S+): </regex>
>   <order>status, id, extra_data, srcuser, system_name</order>
>   <fts>name, location, user, system_name</fts>
> </decoder>
>
>
> As you can see my Trend Micro log "hit" the decoder named "windows", so I
> think I need to use that as my "parent decoder" in my new decoder.
>
> So in local_decoder.xml I wrote this simple decoder:
>

I'd consider this too complicated to be called a simple decoder. It's also a
bit complicated for a first draft.

> <decoder name="trendmicro">
>   <type>windows</type>
>   <parent>windows</parent>
>   <use_own_name>true</use_own_name>
>   <regex offset="after_parent">User (\S+)\s+ \.+</regex>
>   <order>srcuser, id, extra_data, system_name</order>

You have all of these fields, but don't define them in the regex line; you
only have 1 (the \S+ in parentheses).

>   <fts>name, location, system_name</fts>
> </decoder>
>

I have to hand-type all of this, so there may be some typos.

Without any decoder changes I get (ignoring phase 1):

Phase 2: Completed decoding
decoder: 'windows'
status: 'INFORMATION'
id: '10'
extra_data: 'Trend Micro OfficeScan Server'
dstuser: 'SYSTEM'
system_name: 'POSVA018.SIQ.AD'

I feel like I've brought up the issue of losing fields with the windows
decoder before, but I can't remember for sure.

With this simple decoder:

<decoder name="tm-test">
  <parent>windows</parent>
  <prematch>Trend Micro OfficeScan Server</prematch>
  <regex>: User "(\S+)" (\.+)$</regex>
  <order>user, action</order>
</decoder>

I get:

Phase 2: Completed decoding.
decoder: 'windows'
dstuser: 'Domain\username'
action: 'logged off'

It's not perfect, but it might be a better starting place.

> I do the service ossec restart, and the decoder works fine for my log:
>
> /var/ossec/bin/ossec-logtest
> 2014/05/12 09:47:23 ossec-testrule: INFO: Reading local decoder file.
> 2014/05/12 09:47:23 ossec-testrule: INFO: Started (pid: 11499).
> ossec-testrule: Type one log per line.
> WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan Server:
> SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\username" logged off
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: Application: INFORMATION(10): Trend Micro
> OfficeScan Server: SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User
> "Domain\username" logged off'
> hostname: 'porsl043'
> program_name: '(null)'
> log: 'WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan
> Server: SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\username"
> logged off'
> **Phase 2: Completed decoding.
> decoder: 'windows'
> **Phase 3: Completed filtering (rules).
> Rule id: '100006'
> Level: '6'
> Description: 'Trend Micro OfficeScan:User logged in/off'
> **Alert to be generated.
>
> But I have a big problem: all my rules that use the "windows" decoder by
> default (for example login and logoff) stop working:
>
> /var/ossec/bin/ossec-logtest
> 2014/05/12 09:48:28 ossec-testrule: INFO: Reading local decoder file.
> 2014/05/12 09:48:28 ossec-testrule: INFO: Started (pid: 12944).
> ossec-testrule: Type one log per line.
> WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Aud
> iting: (no user): no domain: machine.domain: An account was logged off.
> Subject: Security ID: S-1-5-21-4207196602-456986474 -1257036219-19970
> Account Name: souangel Account Domain: SIQ Logon ID: 0x4124add0 Logon Type:
> 3 This event is generated when a logon session is destroyed. It may be
> positively correlated with a logon event using the Logon ID value. Logon IDs
> are only unique between reboots on the same computer.
>
> **Phase 1: Completed pre-decoding.
> full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4634):
> Microsoft-Windows-Security-Aud iting: (no user): no domain: machine.domain:
> An account was logged off. Subject: Security ID:
> S-1-5-21-4207196602-456986474 -1257036219-19970 Account Name: souangel
> Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 3 This event is
> generated when a logon session is destroyed. It may be positively correlated
> with a logon event using the Logon ID value. Logon IDs are only unique
> between reboots on the same computer.'
> hostname: 'porsl043'
> program_name: '(null)'
> log: 'WinEvtLog: Security: AUDIT_SUCCESS(4634):
> Microsoft-Windows-Security-Aud iting: (no user): no domain: machine.domain:
> An account was logged off. Subject: Security ID:
> S-1-5-21-4207196602-456986474 -1257036219-19970 Account Name: souangel
> Account Domain: SIQ Logon ID: 0x4124add0 Logon Type: 3 This event is
> generated when a logon session is destroyed. It may be positively correlated
> with a logon event using the Logon ID value. Logon IDs are only unique
> between reboots on the same computer.'
> **Phase 2: Completed decoding.
> decoder: 'windows'
> **Phase 3: Completed filtering (rules).
> Rule id: '18100'
> Level: '0'
> Description: 'Group of windows rules.'
>
> I have no idea why this is happening; can anyone point me in the right
> direction? I'd really appreciate it, this is a blocking point for me.
>
> Thanks in advance.
>
> Regards
>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
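Added example (not from the thread or from OSSEC itself): a small Python emulation of the decoder chain discussed above, the thread's windows decoder plus the replier's tm-test child, run over the two sample events. It assumes a simplified translation of OSSEC regex syntax to Python's re in which a quantified \. matches minimally, which reproduces the field values ossec-logtest printed in the thread; it does not model the parent-field loss the reply mentions.

```python
import re
# Constructed sample events, copied from the two ossec-logtest runs in the thread.
TREND = ('WinEvtLog: Application: INFORMATION(10): Trend Micro OfficeScan Server: '
         'SYSTEM: NT AUTHORITY: PORSVA018.SIQ.AD: User "Domain\\username" logged off')
LOGOFF = ('WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Aud iting: '
          '(no user): no domain: machine.domain: An account was logged off. Subject: ...')
# The thread's windows parent decoder and the replier's proposed tm-test child decoder.
WINDOWS = dict(name='windows', prematch=r'^WinEvtLog: ', offset='after_prematch',
               regex=[r'^\.+: (\w+)\((\d+)\): (\.+): ', r'(\.+): \.+: (\S+): '],
               order=['status', 'id', 'extra_data', 'srcuser', 'system_name'])
TM_TEST = dict(name='tm-test', parent='windows', prematch=r'Trend Micro OfficeScan Server',
               regex=[r': User "(\S+)" (\.+)$'], order=['user', 'action'])

def ossec_to_py(pat):
    # Simplified OSSEC->Python translation (an assumption of this emulation): \. is any
    # char, \S \s \w \d keep their meaning, other backslashed chars are literal, and a
    # quantified \. is made non-greedy because that reproduces the fields logtest printed.
    out, i = [], 0
    while i < len(pat):
        c = pat[i]
        if c == '\\' and i + 1 < len(pat):
            n = pat[i + 1]
            out.append('.' if n == '.' else c + n if n in 'Sswd' else re.escape(n))
            i += 1
        elif c in '+*' and out and out[-1] == '.':
            out.append(c + '?')                  # \.+ -> lazy .+?
        else:
            out.append(c if c in '()^$|+*' else re.escape(c))
        i += 1
    return ''.join(out)

def run_decoder(dec, log):
    """Prematch, then each <regex> in turn; a later regex continues after the previous match."""
    pm = re.search(ossec_to_py(dec['prematch']), log)
    if not pm:
        return None
    pos, groups = (pm.end() if dec.get('offset') == 'after_prematch' else 0), []
    for rx in dec['regex']:
        if not (m := re.search(ossec_to_py(rx), log[pos:])):
            return None
        groups += m.groups()
        pos += m.end()
    return dict(zip(dec['order'], groups))

def decode(log):
    name, fields = None, {}
    for dec in (WINDOWS, TM_TEST):            # parent first; child only if its <parent> matched
        if dec.get('parent') in (None, name) and (got := run_decoder(dec, log)) is not None:
            name, fields = dec['name'], {**fields, **got}
    return name, fields
```

The prematch is what keeps the child scoped: the Security 4634 event never reaches the tm-test regex, so the windows fields for it are untouched.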
