I cannot parse the IP address out of the below log entry with the provided
decoder. I can easily parse everything up to "Successful Logon:". It
seems if I avoid using "\.+" to match up to "Source Network Address:" that
I can get this to work, but that is onerous and should be unnecessary,
shouldn't it?
I have tried dozens of variations of the regex to grab the IP with no
success. I do the same thing on event 4624s without a problem.
*Log entry:*
2014 Aug 31 11:08:16 WinEvtLog: Security: AUDIT_SUCCESS(528): Security: jsmith: TESTDOM: SERVER123: Successful Logon: User Name: jsmith Domain: TESTDOM Logon ID: (0x0,0x3404B657) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: SERVER123 Logon GUID: {711675f9-4b61-6191-deb1-1b88b33239b3} Caller User Name: SERVER123$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1200 Transited Services: - Source Network Address: 192.168.1.56 Source Port: 21507
*Decoders:*
<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: |WinEvtLog: </prematch>
</decoder>

<decoder name="windows_2003_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <prematch offset="after_parent">528\):\.+Logon Type:\s+10</prematch>
  <regex>AUDIT_SUCCESS\((\S+)\):\.+:\s+(\S+):\s+(\S+):\s+(\S+):</regex>
  <regex>Source Network Address:\s+(\S+)</regex>
  <order>id, srcuser, extra_data, dstuser, srcip</order>
</decoder>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
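As an added illustration (not code from the post or from OSSEC), the following Python extracts the same fields the decoder's `<order>` names from the 528 line above, but anchors each trailing field on its own literal label instead of spanning the message with `.+`. It uses Python's `re` syntax, not OSSEC's own regex dialect, so the patterns are an approximation of what the decoder is trying to do; the sample line is a constructed copy of the one in the post, joined back onto a single line.

```python
import re
from typing import Optional

# Constructed sample: the event 528 line from the post, joined onto one line
# (the mailing list wrapped it across several).
SAMPLE_528 = (
    "2014 Aug 31 11:08:16 WinEvtLog: Security: AUDIT_SUCCESS(528): Security: "
    "jsmith: TESTDOM: SERVER123: Successful Logon: User Name: jsmith Domain: TESTDOM "
    "Logon ID: (0x0,0x3404B657) Logon Type: 10 Logon Process: User32 "
    "Authentication Package: Negotiate Workstation Name: SERVER123 "
    "Logon GUID: {711675f9-4b61-6191-deb1-1b88b33239b3} Caller User Name: "
    "SERVER123$ Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) "
    "Caller Process ID: 1200 Transited Services: - "
    "Source Network Address: 192.168.1.56 Source Port: 21507"
)

# Header pattern: same four captures as the decoder's first <regex>
# (id, srcuser, extra_data, dstuser), in the order the post's <order> lists them.
HEADER_RE = re.compile(
    r"AUDIT_SUCCESS\((?P<id>\d+)\):\s+\S+:\s+(?P<srcuser>\S+):"
    r"\s+(?P<extra_data>\S+):\s+(?P<dstuser>\S+):"
)

# Trailing fields: each is matched on its own label, so no ".+" has to bridge
# the variable-length text between the header and "Source Network Address:".
FIELD_RES = {
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
    "srcip": re.compile(r"Source Network Address:\s+(\S+)"),
    "srcport": re.compile(r"Source Port:\s+(\d+)"),
}


def decode_528(line: str) -> Optional[dict]:
    """Return the decoded fields for a 528 line, or None if the header does not match."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for name, rx in FIELD_RES.items():
        fm = rx.search(line)
        fields[name] = fm.group(1) if fm else None  # None when a label is absent
    return fields


def is_rdp_logon(fields: Optional[dict]) -> bool:
    """Logon Type 10 is RemoteInteractive (RDP / Terminal Services)."""
    return fields is not None and fields.get("logon_type") == "10"
```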