On Thu, Aug 28, 2014 at 11:07 AM, Brian Kellogg <[email protected]> wrote:
> I have the below in my "./etc/local_decoder.xml" file in an attempt to
> create custom decoders for specific Windows events such as RDP logons. The
> log sample isn't being decoded by the "windows_rdp" decoder and I'm not sure
How do you know? It doesn't fill any fields (<order>), so there's
really no indication if it works or not. Any alerts will show it as
being in the Windows decoder, since that's the parent.
> why. I have tried dozens of variations on the below with no success. Not
> sure what I'm missing and I'm guessing it's something simple I'm just
> missing. If I remove the "windows_rdp" decoder things go back to normal in
> decoding windows logs. With the decoder in place the rule 18100 is what
> gets applied with the description of "Group of windows rules." and not my
> rule of 100010. This is on OSSEC 2.8.
>
> Decoders in ./etc/local_decoder.xml:
> <decoder name="windows">
>   <type>windows</type>
>   <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
> </decoder>
>
> <decoder name="windows_rdp">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex offset="after_parent">4624</regex>
> </decoder>
>
> <decoder name="windows_default">
>   <type>windows</type>
>   <parent>windows</parent>
>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>   <regex>(\.+): \.+: (\S+): </regex>
>   <order>status, id, extra_data, user, system_name</order>
>   <fts>name, location, user, system_name</fts>
> </decoder>
>
> Rule in ./rules/local_rules.xml:
> <group name="windows,">
>   <rule id="100010" level="12">
>     <decoded_as>windows_rdp</decoded_as>
>     <group>rdp</group>
>     <description>RDP Windows Logon</description>
>   </rule>
> </group>
>
> Below is a log sample:
> 2014 Aug 28 09:54:56 WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing: tsmith: CONTOSO: server55.contoso.com:
> An account was successfully logged on. Subject: Security ID: S-1-5-18
> Account Name: server55$ Account Domain: CONTOSO Logon ID: 0x3e7 Logon
> Type: 10 New Logon: Security ID:
> S-1-5-21-1434109735-357464061-2299825339-86050 Account Name: tsmith
> Account Domain: CONTOSO Logon ID: 0x128a6efd Logon GUID:
> {0254B574-A9A0-7895-94B0-AD2127BDE342} Process Information: Process ID:
> 0x1280 Process Name: C:\Windows\System32\winlogon.exe Network
> Information: Workstation Name: server55 Source Network Address:
> 192.168.11.4 Source Port: 9512 Detailed Authentication Information:
> Logon Process: User32 Authentication Package: Negotiate Transited
> Services: - Package Name (NTLM only): - Key Length: 0 This event is
> generated when a logon session is created. It is generated on the computer
> that was accessed.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
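Added example (not code from the thread or from OSSEC): a small Python re-implementation of how an OSSEC parent/child decoder pair turns a WinEvtLog line into <order> fields, run over the posted log line. It shows the point made in the reply: the windows_rdp child as posted does match (the event contains "4624"), but it has no capture groups and no <order>, so it fills nothing. It then runs a suggested windows_rdp child (an assumption, not from the thread) that captures the event id, user, host, Logon Type and source address, so a rule can separate RDP sessions (event 4624 with Logon Type 10, RemoteInteractive) from the many other 4624 logons (service, network, batch). The translator approximates os_regex with Python's re module: OSSEC's `+`/`*` are rendered non-greedy, since os_regex stops at the first point where the rest of the pattern matches, and `\w` is taken as `[A-Za-z0-9_@-]`; the second sample line (Logon Type 3) is constructed.

```python
# Mini OSSEC-style decoder engine, added for this thread; not OSSEC's own code.
# Approximations: '+'/'*' become non-greedy, '\w' is [A-Za-z0-9_@-].
import re

# OSSEC regex escapes -> Python re (the subset used by the windows decoders).
_OSSEC_CLASSES = {
    "d": r"[0-9]", "D": r"[^0-9]",
    "w": r"[A-Za-z0-9_@-]", "W": r"[^A-Za-z0-9_@-]",
    "s": r" ", "S": r"[^ ]",
    "t": r"\t", ".": r".",          # OSSEC '\.' means "any character"
}

def ossec_to_python(pattern):
    """Translate an OSSEC decoder regex into a Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # escape: class or literal
            out.append(_OSSEC_CLASSES.get(pattern[i + 1], re.escape(pattern[i + 1])))
            i += 2
            continue
        if c in "+*":
            out.append(c + "?")                     # approximate os_regex as non-greedy
        elif c in "^$|()":
            out.append(c)                           # anchors, alternation, capture groups
        else:
            out.append(re.escape(c))                # everything else is literal text
        i += 1
    return "".join(out)

def decode(log, parent, child):
    """Run the parent <prematch>, then the child's <regex> list with
    offset="after_parent"; each further <regex> continues after the previous
    match.  Returns the dict of <order> fields, or None if the child fails."""
    pm = re.match(ossec_to_python(parent["prematch"]), log)
    if not pm:
        return None
    rest, groups = log[pm.end():], []
    for pat in child["regex"]:
        m = re.search(ossec_to_python(pat), rest)   # unanchored unless it starts with ^
        if not m:
            return None
        groups.extend(m.groups())
        rest = rest[m.end():]
    return dict(zip(child["order"], groups))

WINDOWS_PARENT = {
    "name": "windows",
    "prematch": r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ",
}

# The child exactly as posted: it matches, but has no captures and no <order>.
RDP_AS_POSTED = {"name": "windows_rdp", "regex": [r"4624"], "order": []}

# The stock windows_default child from the thread, for comparison.
WINDOWS_DEFAULT = {
    "name": "windows_default",
    "regex": [r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "],
    "order": ["status", "id", "extra_data", "user", "system_name"],
}

# Suggested replacement (an assumption, not from the thread): capture event id,
# user, host, Logon Type (kept in extra_data) and source address.
RDP_SUGGESTED = {
    "name": "windows_rdp",
    "regex": [r"^\.+: \w+\((4624)\): \.+: (\.+): \.+: (\S+): "
              r"\.+Logon Type: (\d+) \.+Source Network Address: (\S+) "],
    "order": ["id", "user", "system_name", "extra_data", "srcip"],
}

def is_rdp_logon(fields):
    """Rule logic: decoded by windows_rdp, event 4624, Logon Type 10 (RemoteInteractive)."""
    return bool(fields) and fields.get("id") == "4624" and fields.get("extra_data") == "10"

# Log line posted in the thread, re-joined onto one line and abridged after "Key Length: 0".
SAMPLE_RDP = (
    "2014 Aug 28 09:54:56 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: tsmith: CONTOSO: server55.contoso.com: "
    "An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    "Account Name: server55$ Account Domain: CONTOSO Logon ID: 0x3e7 Logon Type: 10 "
    "New Logon: Security ID: S-1-5-21-1434109735-357464061-2299825339-86050 "
    "Account Name: tsmith Account Domain: CONTOSO Logon ID: 0x128a6efd "
    "Logon GUID: {0254B574-A9A0-7895-94B0-AD2127BDE342} Process Information: "
    "Process ID: 0x1280 Process Name: C:\\Windows\\System32\\winlogon.exe "
    "Network Information: Workstation Name: server55 Source Network Address: 192.168.11.4 "
    "Source Port: 9512 Detailed Authentication Information: Logon Process: User32 "
    "Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - "
    "Key Length: 0"
)

# Constructed variant: same event id, but a network logon (Logon Type 3), not RDP.
SAMPLE_NETWORK = SAMPLE_RDP.replace("Logon Type: 10 ", "Logon Type: 3 ").replace(
    "192.168.11.4", "10.0.0.7")

def summarize():
    """Decode the samples with each child and return the fields each one fills."""
    return {
        "as_posted": decode(SAMPLE_RDP, WINDOWS_PARENT, RDP_AS_POSTED),
        "windows_default": decode(SAMPLE_RDP, WINDOWS_PARENT, WINDOWS_DEFAULT),
        "suggested_rdp": decode(SAMPLE_RDP, WINDOWS_PARENT, RDP_SUGGESTED),
        "suggested_network": decode(SAMPLE_NETWORK, WINDOWS_PARENT, RDP_SUGGESTED),
    }

if __name__ == "__main__":
    for name, fields in summarize().items():
        print(f"{name:18} rdp_alert={is_rdp_logon(fields)!s:5} {fields}")
```

In OSSEC terms the suggested child would be written with the same regex in a `<regex offset="after_parent">` and `<order>id, user, system_name, extra_data, srcip</order>`, and the rule would narrow on `<id>4624</id>` plus `<extra_data>^10$</extra_data>` rather than firing on every 4624. Whatever decoder you end up with, run the sample line through `ossec-logtest` and confirm the fields it prints before trusting the rule.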