I have the below in my "./etc/local_decoder.xml" file in an attempt to 
create custom decoders for specific Windows events such as RDP logons.  The 
log sample isn't being decoded by the "windows_rdp" decoder and I'm not 
sure why.  I have tried dozens of variations on the below with no success. 
 Not sure what I'm missing and I'm guessing it's something simple I'm just 
missing.  If I remove the "windows_rdp" decoder things go back to normal in 
decoding windows logs.  With the decoder in place the rule 18100 is what 
gets applied with the description of "Group of windows rules." and not my 
rule of 100010.  This is on OSSEC 2.8.

*Decoders in ./etc/local_decoder.xml:*
<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
</decoder>

<decoder name="windows_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">4624</regex>
</decoder>

<decoder name="windows_default">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

*Rule in ./rules/local_rules.xml:*
<group name="windows,">
        <rule id="100010" level="12">
                <decoded_as>windows_rdp</decoded_as>
                <group>rdp</group>
                <description>RDP Windows Logon</description>
        </rule>
</group>

*Below is a log sample:*
2014 Aug 28 09:54:56 WinEvtLog: Security: AUDIT_SUCCESS(4624): 
Microsoft-Windows-Security-Auditing: tsmith: CONTOSO: server55.contoso.com: An account was successfully logged on. 
Subject:  Security ID:  S-1-5-18  Account Name:  server55$  Account Domain: 
 CONTOSO  Logon ID:  0x3e7  Logon Type:   10  New Logon:  Security ID: 
 S-1-5-21-1434109735-357464061-2299825339-86050  Account Name:  tsmith 
 Account Domain:  CONTOSO  Logon ID:  0x128a6efd  Logon GUID: 
 {0254B574-A9A0-7895-94B0-AD2127BDE342}  Process Information:  Process ID: 
 0x1280  Process Name:  C:\Windows\System32\winlogon.exe  Network 
Information:  Workstation Name: server55  Source Network Address: 
192.168.11.4  Source Port:  9512  Detailed Authentication Information: 
 Logon Process:  User32   Authentication Package: Negotiate  Transited 
Services: -  Package Name (NTLM only): -  Key Length:  0  This event is 
generated when a logon session is created. It is generated on the computer 
that was accessed.
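As an added illustration that is not part of the post or of OSSEC itself: a small Python model of how OSSEC walks the decoders above over the log sample. It assumes the documented OSSEC regex classes, that `+` is non-greedy as in OSSEC's own matcher, and that the first child decoder whose regexes all match after the parent prematch is the one used; `CHILDREN`, `decode` and `LOG` are names made up here.

```python
import re
# OSSEC regex classes (documented set): '\.' is any character, a bare dot is literal.
# Assumption: '+' is non-greedy, which is how OSSEC's own matcher behaves.
_CLASSES = {"w": r"[A-Za-z0-9@_\-]", "d": r"\d", "s": r" ", "S": r"\S", ".": r"."}

def ossec_to_python(pattern):
    out, anchored, i = [], False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                       # escape: a class, or a literal metachar
            i += 1
            out.append(_CLASSES.get(pattern[i], re.escape(pattern[i])))
        elif c == "^" and (i == 0 or pattern[i - 1] == "|"):
            anchored = True                 # OSSEC '^' anchors at the current offset
        else:
            out.append({".": r"\.", "+": "+?"}.get(c, c))
        i += 1
    return "".join(out), anchored

def _run(ossec_regex, text, pos):
    py, anchored = ossec_to_python(ossec_regex)
    return re.compile(py).match(text, pos) if anchored else re.compile(py).search(text, pos)

PARENT_PREMATCH = r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: "
# Child decoders as in the post, in file order: (name, regexes, <order> fields)
CHILDREN = [("windows_rdp", [r"4624"], []),
            ("windows_default",
             [r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "],
             ["status", "id", "extra_data", "user", "system_name"])]

def decode(log, children=CHILDREN):
    """Return (decoder name, fields); the first child whose regexes all match wins."""
    parent = _run(PARENT_PREMATCH, log, 0)
    if not parent:
        return None, {}
    for name, regexes, order in children:
        pos, values = parent.end(), []
        for rx in regexes:
            hit = _run(rx, log, pos)
            if not hit:
                break
            values.extend(hit.groups())
            pos = hit.end()                 # each regex continues where the last ended
        else:
            return name, dict(zip(order, values))
    return "windows", {}

# Constructed sample: the post's 4624 event, trimmed and unwrapped.
LOG = ("2014 Aug 28 09:54:56 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
       "Microsoft-Windows-Security-Auditing: tsmith: CONTOSO: server55.contoso.com: "
       "An account was successfully logged on. Logon Type: 10")
```

Run as written, `decode(LOG)` shows the windows_rdp child matching the 4624 event first but, having no `<order>`, extracting no fields, while `decode(LOG, CHILDREN[1:])` shows the status, id, extra_data, user and system_name that windows_default alone would extract.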
