Hi George,
What is the format of a Windows log expected by OSSEC from a Windows agent?
Your last example is the format. Try with ossec-logtest:
2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-
Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An account was
successfully logged on. Subject: Security ID: S-1-5-18 Account Name:
WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 2
New Logon: Security ID: S-1-5-21-2958751065-1811596663-815683548-500
Account Name: Administrator Account Domain: WIN2012 Logon ID: 0x36294
Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information:
Process ID: 0x1ac Process Name: C:\Windows\System32\winlogon.exe Network
Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1
Source Port: 0 Detailed Authentication Information: Logon Process:
User32 Authentication Package: Negotiate Transited Services: - Package
Name (NTLM only): - Key Length: 0 This event is generated when a logon
session is created. It is generated on the computer that was accessed.
**Phase 1: Completed pre-decoding.
full event: '2016 Mar 06 13:37:31 WinEvtLog: Security:
AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: Administrator:
WIN2012: WIN2012: An account was successfully logged on. Subject: Security
ID: S-1-5-18 Account Name: WIN2012$ Account Domain: WORKGROUP Logon
ID: 0x3e7 Logon Type: 2 New Logon: Security ID:
S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator
Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID:
{00000000-0000-0000-0000-000000000000} Process Information: Process ID:
0x1ac Process Name: C:\Windows\System32\winlogon.exe Network
Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1
Source Port: 0 Detailed Authentication Information: Logon Process:
User32 Authentication Package: Negotiate Transited Services: - Package
Name (NTLM only): - Key Length: 0 This event is generated when a logon
session is created. It is generated on the computer that was accessed.'
hostname: 'LinMV'
program_name: '(null)'
log: '2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An
account was successfully logged on. Subject: Security ID: S-1-5-18
Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7
Logon Type: 2 New Logon: Security ID:
S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator
Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID:
{00000000-0000-0000-0000-000000000000} Process Information: Process ID:
0x1ac Process Name: C:\Windows\System32\winlogon.exe Network
Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1
Source Port: 0 Detailed Authentication Information: Logon Process:
User32 Authentication Package: Negotiate Transited Services: - Package
Name (NTLM only): - Key Length: 0 This event is generated when a logon
session is created. It is generated on the computer that was accessed.'
**Phase 2: Completed decoding.
decoder: 'windows'
status: 'AUDIT_SUCCESS'
id: '4624'
extra_data: 'Microsoft-Windows-Security-Auditing'
dstuser: 'Administrator'
system_name: 'WIN2012'
**Phase 3: Completed filtering (rules).
Rule id: '100011'
Level: '5'
Description: 'Bad user'
**Alert to be generated.
If you want, you can create specific decoders for other formats, but I don't
see why you need that.
Regards.
Jesus Linares.
On Monday, March 7, 2016 at 3:53:39 AM UTC+1, [email protected] wrote:
>
> Hello,
>
> I was wondering if there is a guide on how to write decoders for Windows
> Server 2008 and 2012 Security logs. I am more interested in the standard
> raw Windows log. With UNIX it is very straightforward because of the
> standard syslog output, but with Windows, without knowing what the raw log
> entry looks like, it seems to be impossible to write the regular expressions
> needed to parse a message. For example on Linux, an auditd log entry has a
> known format:
>
>> /var/log/audit/audit.log:type=USER_START msg=audit(1457067617.649:348):
>> pid=2326 uid=0 auid=1000 ses=1 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
>> msg='op=PAM:session_open
>> grantors=pam_selinux,pam_loginuid,pam_console,pam_selinux,pam_keyinit,pam_namespace,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_gnome_keyring
>>
>> acct="master" exe="/usr/libexec/gdm-session-worker" hostname=? addr=?
>> terminal=/dev/tty2 res=success
>>
> while Windows has a different log format. Looking at a Windows Security
> event log in CSV, TXT, XML or even Snare, the formats all differ from
> each other.
>
> Example of the CSV and TXT format of Windows log
>
>> 3/3/2016 5:12:44 PM,Microsoft-Windows-Security-Auditing,5158,Filtering
>> Platform Connection,"The Windows Filtering Platform has permitted a bind to
>> a local port.
>>
>> Application Information:
>> Process ID: 2560
>> Application Name: \device\harddiskvolume2\program files
>> (x86)\ossec-agent\ossec-agent.exe
>>
>> Network Information:
>> Source Address: 0.0.0.0
>> Source Port: 54639
>> Protocol: 17
>>
>> Filter Information:
>> Filter Run-Time ID: 0
>> Layer Name: Resource Assignment
>> Layer Run-Time ID: 36"
>>
>
> Snare sends Windows logs to rsyslog in the following format
>
>> Mar 05 23:26:31 WIN2012 5905 4656 (File System) Security
>> Microsoft-Windows-Security-Auditing WIN2012\Administrator N/A
>> Success Audit A handle to an object was requested. Subject: Security ID:
>> S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator
>> Account Domain: WIN2012 Logon ID: 0x25CD8 Object: Object Server: Security
>> Object Type: File Object Name: C:\Users\Administrator\Desktop\AuditTest\F1
>> Handle ID: 0x1238 Resource Attributes: - Process Information: Process ID:
>> 0xa3c Process Name: C:\Windows\explorer.exe Access Request Information:
>> Transaction ID: {00000000-0000-0000-0000-000000000000} Accesses:
>> READ_CONTROL ReadAttributes Access Reasons: READ_CONTROL: Granted by
>> Ownership ReadAttributes: Granted by D:(A;OICIID;FA;;;WD) Access Mask:
>> 0x20080 Privileges Used for Access Check: - Restricted SID Count: 0
>>
>>
> OSSEC log from a windows agent
>
>> 2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624):
>> Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: An
>> account was successfully logged on. Subject: Security ID: S-1-5-18
>> Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7
>> Logon Type: 2 New Logon: Security ID:
>> S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator
>> Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID:
>> {00000000-0000-0000-0000-000000000000} Process Information: Process ID:
>> 0x1ac Process Name: C:\Windows\System32\winlogon.exe Network
>> Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1
>> Source Port: 0 Detailed Authentication Information: Logon Process:
>> User32 Authentication Package: Negotiate Transited Services: - Package
>> Name (NTLM only): - Key Length: 0 This event is generated when a logon
>> session is created. It is generated on the computer that was accessed.
>>
>>
> My question, in other words, should probably be: what is the format of a
> Windows log expected by OSSEC from a Windows agent? As you can see, not all
> fields are in the same location as in the last sample of the OSSEC log, and
> this is why I am encountering difficulty in creating a proper custom
> decoder for Windows.
>
> Cheers,
> George
>
>
>
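Added example for this thread (illustrative Python written here, not OSSEC's own decoder and not code posted by either participant): a parser for the WinEvtLog line the Windows agent forwards. It reproduces the fields ossec-logtest prints in Phase 2 (status, id, extra_data, dstuser, system_name), then pulls 4624-specific fields the way a child decoder with `<parent>windows</parent>` would, and shows that the Snare line does not match the agent format. The header regex is derived from the sample line above; assigning the two host fields to "domain" and "system_name" is an assumption from that sample (both are WIN2012 there). The REMOTE_4624 variant (logon type 10 from 10.0.0.5) and the `is_remote_logon` check are constructed for the example.

```python
"""Added example (not OSSEC code): parse the WinEvtLog format an OSSEC Windows
agent forwards, reproduce the Phase 2 decoder fields, and extract 4624 detail."""
import re
from typing import Dict, Optional

# Header layout taken from the sample line in this thread:
#   <ts> WinEvtLog: <channel>: <STATUS>(<id>): <source>: <user>: <host1>: <host2>: <message>
# Assumption: <host1> is the account domain and <host2> is the computer name that
# the stock decoder reports as system_name (both are WIN2012 in the sample).
HEADER_RE = re.compile(
    r"^(?P<timestamp>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"WinEvtLog: (?P<channel>[^:]+): "
    r"(?P<status>[A-Z_]+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): "
    r"(?P<dstuser>[^:]*): "
    r"(?P<domain>[^:]*): "
    r"(?P<system_name>[^:]*): "
    r"(?P<message>.*)$",
    re.S,
)

# The agent flattens the multi-line event body onto one line, so repeated labels
# ("Account Name" appears under Subject and under New Logon) must be anchored to
# their section name. These patterns are specific to event 4624.
EVENT_4624_RE = {
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
    "subject_account": re.compile(r"Subject:.*?Account Name:\s+(\S+)"),
    "new_logon_sid": re.compile(r"New Logon:\s+Security ID:\s+(S-[\d-]+)"),
    "new_logon_account": re.compile(r"New Logon:.*?Account Name:\s+(\S+)"),
    "new_logon_domain": re.compile(r"New Logon:.*?Account Domain:\s+(\S+)"),
    "process_name": re.compile(r"Process Name:\s+(\S+)"),
    "workstation": re.compile(r"Workstation Name:\s+(\S+)"),
    "src_ip": re.compile(r"Source Network Address:\s+(\S+)"),
    "logon_process": re.compile(r"Logon Process:\s+(\S+)"),
    "auth_package": re.compile(r"Authentication Package:\s+(\S+)"),
}

# The 4624 line from this thread, joined onto one line as the agent sends it.
SAMPLE_4624 = (
    r"2016 Mar 06 13:37:31 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    r"Microsoft-Windows-Security-Auditing: Administrator: WIN2012: WIN2012: "
    r"An account was successfully logged on. Subject: Security ID: S-1-5-18 "
    r"Account Name: WIN2012$ Account Domain: WORKGROUP Logon ID: 0x3e7 "
    r"Logon Type: 2 New Logon: Security ID: "
    r"S-1-5-21-2958751065-1811596663-815683548-500 Account Name: Administrator "
    r"Account Domain: WIN2012 Logon ID: 0x36294 Logon GUID: "
    r"{00000000-0000-0000-0000-000000000000} Process Information: Process ID: "
    r"0x1ac Process Name: C:\Windows\System32\winlogon.exe Network "
    r"Information: Workstation Name: WIN2012 Source Network Address: 127.0.0.1 "
    r"Source Port: 0 Detailed Authentication Information: Logon Process: "
    r"User32 Authentication Package: Negotiate Transited Services: - Package "
    r"Name (NTLM only): - Key Length: 0 This event is generated when a logon "
    r"session is created. It is generated on the computer that was accessed."
)
# Constructed variant: the same event as a RemoteInteractive (type 10) logon from another host.
REMOTE_4624 = SAMPLE_4624.replace("Logon Type: 2", "Logon Type: 10").replace(
    "Source Network Address: 127.0.0.1", "Source Network Address: 10.0.0.5")
# Start of the Snare line from the thread: not the agent format, so it must not decode.
SNARE_SAMPLE = ("Mar 05 23:26:31 WIN2012 5905 4656 (File System) Security "
                "Microsoft-Windows-Security-Auditing WIN2012\\Administrator N/A "
                "Success Audit A handle to an object was requested.")


def decode_windows(line: str) -> Optional[Dict[str, str]]:
    """Return the fields the stock 'windows' decoder exposes (status, id,
    extra_data, dstuser, system_name) plus 4624 detail, or None if the line
    is not in the agent's WinEvtLog format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    if event["id"] == "4624":
        for name, rx in EVENT_4624_RE.items():
            hit = rx.search(event["message"])
            if hit:
                event[name] = hit.group(1)
    return event


def is_remote_logon(event: Optional[Dict[str, str]]) -> bool:
    """Rule-style check: a 4624 over the network (logon type 3 or 10) that did
    not come from the local host. Windows reports '-', '127.0.0.1' or '::1'
    for local logons, so those addresses are excluded."""
    if not event or event.get("id") != "4624":
        return False
    return (event.get("logon_type") in {"3", "10"}
            and event.get("src_ip", "-") not in {"-", "127.0.0.1", "::1"})


if __name__ == "__main__":
    for line in (SAMPLE_4624, REMOTE_4624, SNARE_SAMPLE):
        ev = decode_windows(line)
        if ev is None:
            print("not in WinEvtLog format:", line[:40])
            continue
        print({k: ev[k] for k in ("status", "id", "extra_data", "dstuser", "system_name")})
        print("  logon_type=%s src_ip=%s remote=%s"
              % (ev.get("logon_type"), ev.get("src_ip"), is_remote_logon(ev)))
```

The header regex is the part worth copying into a real decoder: everything after the seventh colon-separated field is the event's own text, and that text is where per-event-ID child decoders and rules should anchor their patterns, as the 4624 patterns above do by section name rather than by position.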