Delving into Sysmon event log parsing reveals just how monumental a task it is
to parse out useful information from Windows event logs. The challenge is that
nearly each and every Event ID has a different log format, which essentially
means that almost every Event ID needs its own decoder... I may be waxing a
little dramatic here, but the point is that to properly parse Windows logs, the
original decoder needs to be made more generic and LOTS more child decoders
need to be developed. At least, that is the approach I took, personally. Maybe
I’m totally off base. Been testing it for a few months and it seems to work OK,
but I haven’t done any auditing to see if I’ve broken anything. Anyway, here’s
what I did and what works for me at the moment. If you go this route, you’ll
need to comment out the original windows decoder in /var/ossec/etc/decoder.xml
(and whatever else sysmon-related might have made it in there since last I
looked; I’m not running the latest beta). I put these in local_decoder.xml:
<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
</decoder>

<decoder name="windows-defaultlogs">
  <parent>windows</parent>
  <type>windows</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^Application: |^Security: |^System: </prematch>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

<decoder name="windows-sysmon-eventID1">
  <parent>windows</parent>
  <type>windows</type>
  <prematch offset="after_parent">^Microsoft-Windows-Sysmon/Operational: INFORMATION\(1\)</prematch>
  <regex offset="after_parent">^Microsoft-Windows-Sysmon/Operational: (\w+)\((\d)\): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: (\S+): Process Create: \.+ ProcessId: \d+ Image: (\.*) CommandLine: \.*</regex>
  <regex> User: (\.*) LogonGuid: \S* LogonId: \S* TerminalSessionId: \d* IntegrityLevel: \w* Hashes: \w+=(\w*) ParentProcessGuid: \S* ParentProcessID: \S* ParentImage: (\.+)</regex>
  <order>status, id, system_name, dstuser, srcuser, url, extra_data, extra_data</order>
</decoder>
Put this in your local_rules.xml:
<rule id="184600" level="1">
  <if_sid>18101</if_sid>
  <id>^1$</id>
  <description>Sysmon Process Launch Event</description>
</rule>
If you haven’t done so already, it is always helpful to enable logall mode when
you’re working on new decoders. This will retain a copy of every single log
line sent to your OSSEC manager. In your ossec.conf on the manager, put
<logall>yes</logall> in a global tag somewhere and restart the service. You
will now have a record of all logs sent to the manager, not just those that
generate alerts. The current day’s archival logs are in
/var/ossec/logs/archives/archives.log. Note that in order to run these
particular logs through ossec-logtest, you’ll need to remove a prepended bit of
text. So, edit a log entry like this:
2016 Jul 29 08:33:17 (hostname) 100.200.123.123->WinEvtLog 2016 Jul 29 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: hostname.subdomain.domain.tld: Process Create: UtcTime: 2016-07-29 15:36:08.268 ProcessGuid: {A560AB96-77E8-579B-0000-0010B7B17E50} ProcessId: 50292 Image: C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe CommandLine: "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" CurrentDirectory: C:\Program Files (x86)\KeePass Password Safe 2\ User: domain\username LogonGuid: {A560AB96-40DE-578E-0000-00209886AB02} LogonId: 0x2AB8698 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C ParentProcessGuid: {A560AB96-40E0-578E-0000-0010285AAC02} ParentProcessId: 7540 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE
to become:
2016 Jul 29 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: hostname.subdomain.domain.tld: Process Create: UtcTime: 2016-07-29 15:36:08.268 ProcessGuid: {A560AB96-77E8-579B-0000-0010B7B17E50} ProcessId: 50292 Image: C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe CommandLine: "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" CurrentDirectory: C:\Program Files (x86)\KeePass Password Safe 2\ User: domain\username LogonGuid: {A560AB96-40DE-578E-0000-00209886AB02} LogonId: 0x2AB8698 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C ParentProcessGuid: {A560AB96-40E0-578E-0000-0010285AAC02} ParentProcessId: 7540 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE
before copy/pasting into ossec-logtest. This is the best way to go about
testing an eventchannel log. You get to see exactly what is decoded and which
rules are triggered.
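As an added offline check of my own (not part of this thread or of OSSEC), the script below strips the archives.log prefix exactly as described above and runs the posted event-ID-1 decoder patterns over the quoted log entry, translating the handful of OS_Regex escapes they use into Python regex. The meanings assumed for those escapes and for case handling are marked in comments; ossec-logtest remains the authority on what OSSEC actually decodes.

```python
import re
# The event-ID-1 decoder from the message above: parent prematch, then its two <regex>
# elements, which OSSEC concatenates and applies after the parent match.
PARENT_PREMATCH = r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: "
CHILD_REGEX = (
    r"^Microsoft-Windows-Sysmon/Operational: (\w+)\((\d)\): Microsoft-Windows-Sysmon: SYSTEM: "
    r"NT AUTHORITY: (\S+): Process Create: \.+ ProcessId: \d+ Image: (\.*) CommandLine: \.*"
    r" User: (\.*) LogonGuid: \S* LogonId: \S* TerminalSessionId: \d* IntegrityLevel: \w* "
    r"Hashes: \w+=(\w*) ParentProcessGuid: \S* ParentProcessID: \S* ParentImage: (\.+)")
ORDER = ["status", "id", "system_name", "dstuser", "srcuser", "url", "extra_data", "extra_data"]
# archives.log prepends "date (agent) ip->location " to each line; the decoder never sees it.
ARCHIVE_PREFIX = re.compile(r"^\d{4} \w{3} \d\d \d\d:\d\d:\d\d \(\S+\) \S+->\S+ ")
# OS_Regex escapes these decoders use (assumed: \w is [A-Za-z0-9@_-], \s one space, \. any char).
OS_ESCAPES = {"w": r"[A-Za-z0-9@_\-]", "d": "[0-9]", "s": " ", "S": r"\S", ".": ".", "(": r"\(", ")": r"\)"}

def os_regex_to_python(pattern):
    """Translate the OS_Regex subset used by these decoders into Python re syntax."""
    def piece(m):
        tok = m.group(0)
        if tok[0] == "\\":
            return OS_ESCAPES[tok[1]]  # KeyError for an escape this subset does not cover
        return tok if tok in "()^$|+*" else re.escape(tok)  # '.', '{', '/' are literals in OS_Regex
    return re.sub(r"\\.|.", piece, pattern)

def strip_archive_prefix(line):
    return ARCHIVE_PREFIX.sub("", line, count=1)

def decode_sysmon_event1(line):
    """Decode one archives.log line as the decoder above would; None when it does not match."""
    msg = strip_archive_prefix(line)
    flags = re.IGNORECASE  # assumed: OS_Regex matches case-insensitively (ParentProcessID vs ParentProcessId)
    parent = re.match(os_regex_to_python(PARENT_PREMATCH), msg, flags)
    child = parent and re.match(os_regex_to_python(CHILD_REGEX), msg[parent.end():], flags)
    if not child:
        return None
    return dict(zip(ORDER, child.groups()))  # 7 groups, so the second extra_data is never filled

# Constructed input: the archives.log entry quoted in the message, joined onto one line.
SAMPLE = (
    r"2016 Jul 29 08:33:17 (hostname) 100.200.123.123->WinEvtLog 2016 Jul 29 08:36:08 WinEvtLog: "
    r"Microsoft-Windows-Sysmon/Operational: INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: "
    r"hostname.subdomain.domain.tld: Process Create: UtcTime: 2016-07-29 15:36:08.268 "
    r"ProcessGuid: {A560AB96-77E8-579B-0000-0010B7B17E50} ProcessId: 50292 "
    r"Image: C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe "
    r'CommandLine: "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" '
    r"CurrentDirectory: C:\Program Files (x86)\KeePass Password Safe 2\ User: domain\username "
    r"LogonGuid: {A560AB96-40DE-578E-0000-00209886AB02} LogonId: 0x2AB8698 TerminalSessionId: 1 "
    r"IntegrityLevel: Medium Hashes: SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C "
    r"ParentProcessGuid: {A560AB96-40E0-578E-0000-0010285AAC02} ParentProcessId: 7540 "
    r"ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE")
```

Note that the trailing `(\.+)` swallows ParentCommandLine into the last extra_data field, which is the same thing ossec-logtest will show you for this decoder.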
From: [email protected] [mailto:[email protected]] On
Behalf Of Craig
Sent: Thursday, July 28, 2016 8:24 PM
To: ossec-list <[email protected]>
Subject: [ossec-list] eventchannel decoder testing
I am currently running 2.9RC2 on both client and server:
What is the best way to go about testing an eventchannel log? I have the
following set in my local ossec.conf on my windows agent:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
I am using the default sysmon decoder included on my server:
<decoder name="Sysmon-EventID#1">
  <type>windows</type>
  <prematch>INFORMATION\(1\)</prematch>
  <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:</regex>
  <order>status,user,url,data</order>
</decoder>
I modified the default sysmon rule so that I would capture all process creates
by setting the level to 1:
<rule id="184700" level="1">
  <if_sid>18100</if_sid>
  <description>Sysmon - Process Create Event</description>
</rule>
I would think that I would now see all process creates in my alerts.log but
unfortunately I don't see any sysmon events at all. Any idea on the best way to
troubleshoot this? Thank you!
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected]
<mailto:[email protected]> .
For more options, visit https://groups.google.com/d/optout.