On Mon, Sep 1, 2014 at 12:30 AM, Brian Kellogg <[email protected]> wrote:
> I cannot parse the IP address out of the below log entry with the provided
> decoder. I can easily parse everything up to "Successful Logon:". It seems
> if I avoid using "\.+" to match up to "Source Network Address:" that I can
> get this to work, but that is onerous and should be unnecessary, shouldn't
> it?
>
> I have tried dozens of variations of the regex to grab the IP with no
> success. I do the same thing on event 4624s without a problem.
>
> Log entry:
> 2014 Aug 31 11:08:16 WinEvtLog: Security: AUDIT_SUCCESS(528): Security:
> jsmith: TESTDOM: SERVER123: Successful Logon: User Name: jsmith
> Domain: TESTDOM Logon ID: (0x0,0x3404B657)
> Logon Type: 10 Logon Process: User32 Authentication
> Package: Negotiate Workstation Name: SERVER123 Logon GUID:
> {711675f9-4b61-6191-deb1-1b88b33239b3} Caller User Name: SERVER123$
> Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 1200 Transited Services: - Source
> Network Address: 192.168.1.56 Source Port: 21507
>
> Decoders:
> <decoder name="windows">
>   <type>windows</type>
>   <prematch>^WinEvtLog: |WinEvtLog: </prematch>
> </decoder>
>
> <decoder name="windows_2003_rdp">
>   <type>windows</type>
>   <parent>windows</parent>
>   <prematch offset="after_parent">528\):\.+Logon Type:\s+10</prematch>
>   <regex>AUDIT_SUCCESS\((\S+)\):\.+:\s+(\S+):\s+(\S+):\s+(\S+):</regex>
>   <regex>Source Network Address:\s+(\S+)</regex>
>   <order>id, srcuser, extra_data, dstuser, srcip</order>
> </decoder>
>
This seems to work with the example provided:

<decoder name="windows_2003_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <prematch offset="after_parent">528\)\.+Logon Type:\s+10</prematch>
  <regex>AUDIT_SUCCESS\((\S+)\):\.+:\s+(\S+):\s+(\S+):\s+(\S+):</regex> <!-- About as onerous as it gets -->
  <order>id,srcuser,extra_data,dstuser</order>
</decoder>

<decoder name="windows_2003_rdp">
  <type>windows</type>
  <parent>windows</parent>
  <regex>Source Network Address:\s+(\S+)</regex>
  <order>srcip</order>
</decoder>

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout
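An added offline check of the two decoder layouts discussed in this thread (example code written here, not part of the thread and not OSSEC's own code). It translates the OSSEC regex escapes these decoders use into Python's re module as an approximation of OSSEC's engine, and assumes that OSSEC concatenates several <regex> elements inside one <decoder> into a single pattern, which is what makes the original single-decoder version unable to match the quoted log entry while the two sibling decoders from the reply extract all five fields.

```python
import re

# Constructed from the log entry quoted above, joined onto one line as the
# agent delivers it to OSSEC.
LOG = ("2014 Aug 31 11:08:16 WinEvtLog: Security: AUDIT_SUCCESS(528): Security: "
       "jsmith: TESTDOM: SERVER123: Successful Logon: User Name: jsmith "
       "Domain: TESTDOM Logon ID: (0x0,0x3404B657) Logon Type: 10 "
       "Logon Process: User32 Authentication Package: Negotiate "
       "Workstation Name: SERVER123 Logon GUID: "
       "{711675f9-4b61-6191-deb1-1b88b33239b3} Caller User Name: SERVER123$ "
       "Caller Domain: TESTDOM Caller Logon ID: (0x0,0x3E7) "
       "Caller Process ID: 1200 Transited Services: - "
       "Source Network Address: 192.168.1.56 Source Port: 21507")

def ossec_to_python(pattern):
    # OSSEC's '\.' means "any character" and a bare '.' is literal; the other
    # escapes used in these decoders (\S, \s, \(, \)) mean the same in re.
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append("." if nxt == "." else "\\" + nxt)
            i += 2
        else:
            out.append("\\." if c == "." else c)
            i += 1
    return "".join(out)

def run_decoder(log, regexes, order):
    # Assumption about OSSEC: several <regex> elements in one <decoder> are
    # concatenated into a single pattern; groups map onto <order> in sequence.
    m = re.search(ossec_to_python("".join(regexes)), log)
    return dict(zip(order, m.groups())) if m else {}

def run_sibling_decoders(log, decoders):
    # Decoders sharing a name and parent each run on their own; fields merge.
    fields = {}
    for regexes, order in decoders:
        fields.update(run_decoder(log, regexes, order))
    return fields

FIELDS_RE = r"AUDIT_SUCCESS\((\S+)\):\.+:\s+(\S+):\s+(\S+):\s+(\S+):"
SRCIP_RE = r"Source Network Address:\s+(\S+)"

# Brian's layout: both <regex> tags inside one decoder -> nothing matches.
original = run_decoder(LOG, [FIELDS_RE, SRCIP_RE],
                       ["id", "srcuser", "extra_data", "dstuser", "srcip"])
# The reply's layout: one <regex> per sibling decoder -> all fields extracted.
fixed = run_sibling_decoders(LOG, [([FIELDS_RE], ["id", "srcuser", "extra_data", "dstuser"]),
                                   ([SRCIP_RE], ["srcip"])])
```

The concatenated pattern ends in `(\S+):Source Network Address`, which would need a colon immediately followed by "Source"; the log has "Services: - Source", so the whole pattern fails even though each half matches on its own.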
