On Tue, Aug 19, 2014 at 1:14 PM, Brian Kellogg <[email protected]> wrote:
> Below is the log:
>
> 2014 Aug 19 12:21:17 (server) 10.24.140.24->WinEvtLog 2014 Aug 19 08:21:16
> WinEvtLog:
> Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational:
> Information(1149): no source: NETWORK SERVICE: NT AUTHORITY: server.org.com:
> Remote Desktop Services: User authentication succeeded:^M
> ^M
> User: testuser^M
> Domain: testdomain^M
> Source Network Address: 1.2.3.4
>
Oh, I forgot how horrible Windows logs were. I'm guessing this doesn't really work in ossec-logtest, so I'm not sure what all I can do. If this multiple-line nonsense is normal, though, maybe OSSEC handles it natively? Assuming OSSEC handles it all gracefully, try this:

<!-- Child decoders of the built-in "windows" decoder: the first one fires on
     the RDP success text and pulls the user; the other two pick up the
     domain and the client address from the lines that follow. -->
<decoder name="RDP">
  <parent>windows</parent>
  <prematch>Remote Desktop Services: User authentication succeeded:</prematch>
  <regex>User: (\S+)</regex>
  <order>srcuser</order>
</decoder>

<decoder name="RDP">
  <parent>windows</parent>
  <regex>Domain: (\S+)</regex>
  <order>extra_data</order>
</decoder>

<decoder name="RDP">
  <parent>windows</parent>
  <regex>Source Network Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
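As an added example that is not part of the thread or of OSSEC itself: the three decoders in the reply, emulated in Python and run over the posted event (reconstructed here with the literal carriage returns that the ^M markers stand for). It shows which values each decoder would yield and why `\S+` stops cleanly before the CR, and adds an assumed follow-on check (not something the reply proposes) that flags a decoded srcip outside private address space. The patterns are translated into Python's regex dialect, which is not OSSEC's engine, so this is a model of the logic, not a substitute for ossec-logtest.

```python
"""Emulate the three OSSEC child decoders from the reply against the posted
event.  Added example: the regexes are re-expressed in Python's dialect,
which differs from OSSEC's own engine."""
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample: the event body from the quoted message.  Windows puts a
# carriage return before each newline, which is what the ^M markers showed.
SAMPLE_EVENT = (
    "WinEvtLog: Microsoft-Windows-TerminalServices-RemoteConnectionManager/"
    "Operational: Information(1149): no source: NETWORK SERVICE: NT AUTHORITY: "
    "server.org.com: Remote Desktop Services: User authentication succeeded:\r\n"
    "\r\n"
    "User: testuser\r\n"
    "Domain: testdomain\r\n"
    "Source Network Address: 1.2.3.4"
)

PREMATCH = "Remote Desktop Services: User authentication succeeded:"

# One (regex, field) pair per child decoder in the reply.  \S+ does not match
# \r, so the value ends before the carriage return instead of swallowing it.
FIELD_PATTERNS = (
    (re.compile(r"User: (\S+)"), "srcuser"),
    (re.compile(r"Domain: (\S+)"), "extra_data"),
    (re.compile(r"Source Network Address: (\S+)"), "srcip"),
)


def decode_rdp_event(event: str) -> Optional[Dict[str, str]]:
    """Return the decoded fields, or None when the prematch does not hit."""
    idx = event.find(PREMATCH)
    if idx < 0:
        return None
    # Mirror OSSEC's behaviour of matching after the prematch text
    rest = event[idx + len(PREMATCH):]
    fields: Dict[str, str] = {}
    for pattern, name in FIELD_PATTERNS:
        match = pattern.search(rest)
        if match:
            fields[name] = match.group(1)
    return fields


def is_external_source(srcip: str) -> bool:
    """Assumed policy (not from the thread): a client address that is not
    private, loopback or link-local counts as external.  An unparseable
    value is flagged too, so odd input is not silently ignored."""
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def check_event(event: str) -> Optional[Dict[str, str]]:
    """Decode the event and annotate it with the external-source verdict.
    Returns None when the event is not an RDP success or has no srcip."""
    fields = decode_rdp_event(event)
    if not fields or "srcip" not in fields:
        return None
    result = dict(fields)
    result["external"] = "yes" if is_external_source(fields["srcip"]) else "no"
    return result


if __name__ == "__main__":
    print(check_event(SAMPLE_EVENT))
```

Running the module prints the decoded user, domain and address for the posted event and marks 1.2.3.4 as external; an event with the same shape but a 10.x client would decode identically and be marked internal.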
