On Fri, Mar 27, 2015 at 6:56 AM, Oslik Dixon <[email protected]> wrote:
> Greetings!
>
> Just set up a VM with Ossec from the Virtual Appliance template and
> encountered a problem with monitoring Windows event logs.
>
> I set up a security audit for shares under Windows 2008 Server and when
> Ossec gets the log message I get the following output in Kibana -
>
> 2015 Mar 27 12:50:42 WinEvtLog: Security: AUDIT_FAILURE(5145):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> Hyper-V.domain.com: S-1-5-21-2832557239-2908104349-351431359-2274 e.zadora
> IAS 0x1c83c3ea0 File 192.168.8.6 56002 \\\\*\\HotSMS
> \\??\\C:\\Folders\\HotSMS \xC1\xE5\xEB\xFF\xEA\xEE\xE2
> \xC5\xE2\xE3\xE5\xED\xE8\xE9\\+ Mars April\\9AA1D4E6.tmp 0xc0080 %%1539\r
>
>
> It seems that logs are passed correctly but not correctly displayed when a
> path to file contains symbols in Cyrillic. When I try to parse ossec
> current log file with iconv and change encoding from utf-8 to cp1251 - the
> correct path in Cyrillic is displayed.
>
> So my key question is - how to make the path displayed correctly in Cyrillic
> within Kibana web page.
>

Does ossec output the logs the way you expect in alerts.log? I don't
think it supports other character sets like this, but I haven't had a
need to test it either.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
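
An added example, not part of the original thread and not OSSEC code: one way to turn the literal `\xHH` escapes seen in the alert text back into readable characters before the event is indexed. It assumes the escapes are raw bytes of the Windows code page (cp1251 here), tries UTF-8 first as a generalization, and uses a constructed sample line; the function name is hypothetical.

```python
import re

# Either an escaped backslash (kept as-is) or a run of literal \xHH escapes.
# Consuming "\\" pairs first keeps a path like "\\xC1" from being misread.
TOKEN = re.compile(r"\\\\|((?:\\x[0-9A-Fa-f]{2})+)")


def decode_escaped_bytes(line, fallback="cp1251"):
    """Replace runs of literal \\xHH escapes with the text they encode.

    Assumption: the escapes are raw bytes in UTF-8 or in the sender's
    Windows code page (the fallback codec).
    """
    def _decode(match):
        run = match.group(1)
        if run is None:                 # escaped backslash, not a byte escape
            return match.group(0)
        raw = bytes.fromhex(run.replace("\\x", ""))
        for codec in ("utf-8", fallback):
            try:
                return raw.decode(codec)
            except UnicodeDecodeError:
                continue
        return run                      # undecodable: keep what was logged

    return TOKEN.sub(_decode, line)


# Constructed sample in the same shape as the 5145 event quoted above.
SAMPLE = (r"WinEvtLog: Security: AUDIT_FAILURE(5145): File 192.168.8.6 "
          r"\\??\\C:\\Folders\\Share \xCE\xF2\xF7\xE5\xF2\xFB\\9AA1.tmp 0xc0080")

if __name__ == "__main__":
    print(decode_escaped_bytes(SAMPLE))
```

Running the decoder in the pipeline stage between the alert file and the indexer keeps the original alert untouched on disk while Kibana receives readable paths.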
