On Wed, May 18, 2016 at 10:47 AM, Issam Aouad Tabet <[email protected]> wrote:
> Hey everyone,
>
> I am wondering if anyone can help me with these two questions:
>
> 1. I am using ossec-logtest to test my rules in order to match them with
> some Windows logs. Does anyone know in which order the rules are tested?
> It seems it is not ID number order..
>
> 2. Here is the default predefined rule that matches all Windows events:
>
> <group name="windows,">
>   <rule id="18100" level="6">
>     <category>windows</category>
>     <description>Group of windows rules.</description>
>   </rule>
>
> How is this being linked with the Windows event log decoder in
> ossec/etc/decoder.xml? Can anyone explain why this is matching all Windows
> events? Is it through the category tag? Because there is no "match" tag..
>
Yes, it's the category tag. Here's the windows decoder:

<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

The <type> option sets log messages that match that decoder to "windows." The rules use that as a category. So basically anything that matches the windows decoder should automagically trigger rule 18100. This is preferable to just matching the decoder, because a number of decoders can set the same type.

> Thanks a lot!!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
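As an added illustration (not code from this thread or from OSSEC itself), the Python below emulates what the reply describes: the windows decoder's prematch, the after_prematch regex filling the <order> fields, and a category-only rule firing on the decoder's <type>. The sample event line, the assumption that consecutive <regex> elements are concatenated, and the translation of OSSEC regex syntax to Python's re module are mine, not the project's.

```python
import re

# Constructed sample line in the layout the OSSEC agent forwards Windows events in
# (assumed layout: logname: type(id): source: user: domain: host: message).
SAMPLE_LOG = ("2016 May 18 10:47:00 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
              "Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: "
              "WIN-HOST01: An account was successfully logged on.")

# The decoder from the reply, as data. Assumption: OSSEC concatenates consecutive
# <regex> elements into one expression, which is why <order> names five fields.
WINDOWS_DECODER = {
    "type": "windows",
    "prematch": r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ",
    "regex": r"^\.+: (\w+)\((\d+)\): (\.+): " + r"(\.+): \.+: (\S+): ",
    "order": ["status", "id", "extra_data", "user", "system_name"],
}

# Rule 18100 from the question: no <match>, only a <category>.
RULES = [{"id": 18100, "level": 6, "category": "windows"}]


def ossec_to_python(pattern: str) -> str:
    # OSSEC's "\." means any character; \d, \w, \S, groups, ^ and | used above
    # mean the same in Python. Non-greedy ".+?" approximates OSSEC's own engine
    # (which is not PCRE), so this is an emulation, not the real matcher.
    return pattern.replace(r"\.+", ".+?").replace(r"\.", ".")


def decode(log: str, decoder: dict):
    """Return (type, fields) when the decoder matches the line, else None."""
    pre = re.search(ossec_to_python(decoder["prematch"]), log)
    if not pre:
        return None                      # prematch failed: decoder does not apply
    rest = log[pre.end():]               # offset="after_prematch"
    m = re.match(ossec_to_python(decoder["regex"]), rest)
    fields = dict(zip(decoder["order"], m.groups())) if m else {}
    return decoder["type"], fields       # <type> is what rules see as category


def matching_rules(decoded_type: str, rules: list) -> list:
    """A category-only rule fires for every event whose decoder <type> equals
    that category, whichever of several decoders set it."""
    return [r["id"] for r in rules if r.get("category") == decoded_type]


if __name__ == "__main__":
    decoded = decode(SAMPLE_LOG, WINDOWS_DECODER)
    print(decoded)
    print(matching_rules(decoded[0], RULES))   # [18100]
```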
