Hello,
I was wondering if there is a guide on how to write decoders for Windows
Server 2008 and 2012 Security logs. I am more interested in the standard
raw Windows log. With UNIX it is very straightforward because of the
standard syslog output, but with Windows, without knowing what the raw log
entry looks like, it seems to be impossible to write the regular expressions
needed to parse a message. For example on Linux, an auditd log entry has a
known format:
> /var/log/audit/audit.log:type=USER_START msg=audit(1457067617.649:348):
> pid=2326 uid=0 auid=1000 ses=1 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
> msg='op=PAM:session_open
> grantors=pam_selinux,pam_loginuid,pam_console,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring
> acct="master" exe="/usr/libexec/gdm-session-worker" hostname=? addr=?
> terminal=/dev/tty2 res=success
>
while Windows has a different log format. Looking at a Windows Security
event log in CSV, TXT, XML or even Snare, the formats all look different from
each other.
Example of the CSV and TXT format of a Windows log:
> 3/3/2016 5:12:44 PM,Microsoft-Windows-Security-Auditing,5158,Filtering
> Platform Connection,"The Windows Filtering Platform has permitted a bind to
> a local port.
>
> Application Information:
> Process ID: 2560
> Application Name: \device\harddiskvolume2\program files
> (x86)\ossec-agent\ossec-agent.exe
>
> Network Information:
> Source Address: 0.0.0.0
> Source Port: 54639
> Protocol: 17
>
> Filter Information:
> Filter Run-Time ID: 0
> Layer Name: Resource Assignment
> Layer Run-Time ID: 36"
>
Snare sends Windows logs to rsyslog in the following format:
> Mar 05 23:26:31 WIN2012 5905 4656 (File System) Security
> Microsoft-Windows-Security-Auditing WIN2012\Administrator N/A
> Success Audit A handle to an object was requested. Subject: Security ID:
> S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator
> Account Domain: WIN2012 Logon ID: 0x25CD8 Object: Object Server: Security
> Object Type: File Object Name: C:\Users\Administrator\Desktop\AuditTest\F1
> Handle ID: 0x1238 Resource Attributes: - Process Information: Process ID:
> 0xa3c Process Name: C:\Windows\explorer.exe Access Request Information:
> Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses:
> READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by
> Ownership ReadAttributes: Granted by D:(A;OICIID;FA;;;WD) Access Mask:
> 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0
>
>
OSSEC log from a Windows agent:
> 2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624):
> Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An
> account was successfully logged on. Subject: Security ID: S-1-5-18
> Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7
> Logon Type: 2 New Logon: Security ID:
> S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator
> Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID:
> {00000000-0000-0000-0000-000000000000} Process Information: Process ID:
> 0x1ac Process Name: C:\Windows\System32\winlogon.exe Network
> Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1
> Source Port: 0 Detailed Authentication Information: Logon Process:
> User32 Authentication Package: Negotiate Transited Services: - Package
> Name (NTLM only): - Key Length: 0 This event is generated when a logon
> session is created. It is generated on the computer that was accessed.
>
>
My question, in other words, should probably be: what format does OSSEC
expect for a Windows log coming from a Windows agent? As you can see, not all
fields are in the same location as in the last sample (the OSSEC log), and
this is why I am encountering difficulty in creating a proper custom
decoder for Windows.
Cheers,
George
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
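The OSSEC sample above shows the structure a decoder has to deal with: a fixed, colon-separated header (timestamp, "WinEvtLog:", log name, audit type with the event ID in parentheses, source, then three more colon-terminated fields that by position appear to be user, domain and computer), followed by the event's rendered message. The message itself is a flat run of "Label: value" pairs in which section labels ("Subject:", "New Logon:", "Process Information:") carry no value and the same label ("Account Name", "Logon ID") recurs under different sections, with Microsoft's explanatory paragraph appended after the last field. The parser below, an added example and not OSSEC code, anchors on the fixed header and then tokenises the body with the label vocabulary of the event (here the 4624 labels visible in the sample). The header field names after the event ID, the "Logon Type" top-level placement, and the assumption that the trailer starts with "This event" are inferred from the sample, not from OSSEC documentation; both log lines are constructed, and the RDP variant is not a real capture.

```python
"""Parse the 'WinEvtLog:' line an OSSEC Windows agent forwards (added example, not OSSEC code)."""
import re

# Constructed sample, modelled on the 4624 line quoted in the post (not a real capture).
SAMPLE_4624 = (
    "2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An "
    "account was successfully logged on. Subject: Security ID: S-1-5-18 "
    "Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7 "
    "Logon Type: 2 New Logon: Security ID: "
    "S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator "
    "Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID: "
    "{00000000-0000-0000-0000-000000000000} Process Information: Process ID: "
    r"0x1ac Process Name: C:\Windows\System32\winlogon.exe Network "
    "Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1 "
    "Source Port: 0 Detailed Authentication Information: Logon Process: "
    "User32 Authentication Package: Negotiate Transited Services: - Package "
    "Name (NTLM only): - Key Length: 0 This event is generated when a logon "
    "session is created. It is generated on the computer that was accessed."
)
# Constructed variant: the same event as an RDP logon (type 10) from a non-loopback address.
SAMPLE_4624_RDP = SAMPLE_4624.replace("Logon Type: 2 ", "Logon Type: 10 ").replace(
    "127.0.0.1", "203.0.113.7")

# Fixed header. Names after the event id (user/domain/computer) are assumed from position order.
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: "
    r"(?P<log>[^:]+): (?P<type>\w+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): "
    r"(?P<message>.*)$"
)
# Label vocabulary of event 4624 as it appears in the sample; other event IDs need their own list.
KEYS_4624 = [
    "Subject", "Security ID", "Account Name", "Account Domain", "Logon ID",
    "Logon Type", "New Logon", "Logon GUID", "Process Information", "Process ID",
    "Process Name", "Network Information", "Workstation Name",
    "Source Network Address", "Source Port", "Detailed Authentication Information",
    "Logon Process", "Authentication Package", "Transited Services",
    "Package Name (NTLM only)", "Key Length",
]
TOP_LEVEL = {"Logon Type"}                       # labels that close the current section (assumed)
TRAILER_RE = re.compile(r"\s+(?=This event\b)")  # explanatory paragraph after the last field (assumed)


def build_key_regex(keys):
    """Match any known label at a word boundary; longest first so 'Logon GUID' beats shorter keys."""
    alts = "|".join(re.escape(k) for k in sorted(keys, key=len, reverse=True))
    return re.compile(r"(?<!\S)(" + alts + r"):(?:\s|$)")


def parse_fields(message, keys):
    """Split the rendered message into summary sentence, section-qualified fields and trailer."""
    hits = list(build_key_regex(keys).finditer(message))
    summary = message[: hits[0].start()].strip() if hits else message.strip()
    fields, explanation, section = {}, "", None
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        key, value = m.group(1), message[m.end():end].strip()
        if i + 1 == len(hits):                   # the last value carries the explanatory trailer
            value, *rest = TRAILER_RE.split(value, maxsplit=1)
            explanation = rest[0] if rest else ""
        if key in TOP_LEVEL:
            section = None
        if value == "":                          # a label with no value opens a section
            section = key
            continue
        fields[f"{section}.{key}" if section else key] = value
    return summary, fields, explanation


def parse_winevtlog(line, keys=KEYS_4624):
    """Return header fields plus the parsed message, or raise if the line is not WinEvtLog format."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a WinEvtLog line")
    rec = m.groupdict()
    summary, fields, explanation = parse_fields(rec.pop("message"), keys)
    rec.update(summary=summary, fields=fields, explanation=explanation)
    return rec


LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}


def remote_interactive_logon(rec):
    """True for a successful type-10 (RDP-style) logon whose source address is not loopback."""
    f = rec["fields"]
    return (rec["event_id"] == "4624" and f.get("Logon Type") == "10"
            and f.get("Network Information.Source Network Address", "-") not in LOCAL_SOURCES)


if __name__ == "__main__":
    for line in (SAMPLE_4624, SAMPLE_4624_RDP):
        r = parse_winevtlog(line)
        print(r["event_id"], r["fields"]["New Logon.Account Name"],
              r["fields"]["Logon Type"], "remote RDP" if remote_interactive_logon(r) else "local")
```

The point for decoder writing is that only the header is stable across events; the body is event-specific (and localized), so a per-event label list like KEYS_4624 is what a decoder's regex effectively encodes. Before writing a custom decoder, check the stock decoder.xml shipped with OSSEC, which already keys on the "WinEvtLog: " prefix, and build child decoders for the individual event IDs you care about.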