On Fri, Feb 27, 2015 at 6:41 AM, CraigL <[email protected]> wrote:
> Hi All,
>
> Given this log line:
>
> 2015 Feb 27 11:08:38 WinEvtLog: Application: AUDIT_FAILURE(18456):
> MSSQLSERVER: (no user): no domain: id13551: Login failed for user 'IIS'.
> Reason: Could not find a login matching the name provided. [CLIENT:
> 222.101.131.150]
>
> It matches Rule ID 18180, the issue I am working out is the source IP is not
> extracted from the logfile into srcip for our ELK dashboard, will this
> require a custom decoder in OSSEC or am I better to grab it in logstash?
>

If you want OSSEC to decode the IP, you need to mess with the decoders.

> Thanks,
>
> Craig
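
Whichever side does the extraction (an OSSEC decoder or a Logstash filter), the logic is the same: split the WinEvtLog fields, then take the address from the trailing `[CLIENT: ...]`. The following Python is an added example, not part of the original thread and not OSSEC or Logstash code; the field layout and the names `decode`, `login_name`, `PREFIX`, `REASON` and `SAMPLES` are assumptions based on the quoted log line.

```python
import ipaddress
import re

# Field layout inferred from the sample line in the thread (an assumption,
# not taken from OSSEC's decoder source).
WINEVT = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): "
    r"(?P<host>[^:]+): (?P<message>.*)$"
)
# Anchored to the end of the message: the login name is client-supplied text,
# so only the trailer at the very end of the line is read as the source address.
CLIENT = re.compile(r"\[CLIENT:\s*([^\]]*)\]\s*$")
LOGIN = re.compile(r"Login failed for user '(.*?)'\. Reason:")


def decode(line):
    """Split a WinEvtLog line into fields; srcip is set only for a valid IP."""
    m = WINEVT.search(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["event_id"] = int(event["event_id"])
    login = LOGIN.search(event["message"])
    event["login_name"] = login.group(1) if login else None
    event["srcip"] = None
    client = CLIENT.search(event["message"])
    if client:
        try:
            event["srcip"] = str(ipaddress.ip_address(client.group(1).strip()))
        except ValueError:
            pass  # e.g. "<local machine>": no address to put in srcip
    return event


PREFIX = ("2015 Feb 27 11:08:38 WinEvtLog: Application: AUDIT_FAILURE(18456): "
          "MSSQLSERVER: (no user): no domain: id13551: ")
REASON = "Reason: Could not find a login matching the name provided. "
SAMPLES = [
    # The line quoted in the thread, unwrapped onto one line.
    PREFIX + "Login failed for user 'IIS'. " + REASON + "[CLIENT: 222.101.131.150]",
    # Constructed: login name that happens to contain trailer-like text.
    PREFIX + "Login failed for user 'a [CLIENT: 10.0.0.1]'. " + REASON + "[CLIENT: 203.0.113.7]",
    # Constructed: local connection, no IP literal in the trailer.
    PREFIX + "Login failed for user 'sa'. " + REASON + "[CLIENT: <local machine>]",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode(sample))
```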
