Great, thank you. That does help troubleshoot. So, I do have a follow up
question. Here is the default decoder:
<decoder name="Sysmon-EventID#1">
<type>windows</type>
<prematch>INFORMATION\(1\)</prematch>
<regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User:
(\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S*
\s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid:
\S* \s*ParentProcessID: \S* \s*ParentImage: (\.*)
\s*ParentCommandLine:</regex>
<order>status,user,url,data</order>
</decoder>
However, when I remove the prepended data from my archives.log file and
send it through logtest, the decoder doesn't work (if I leave the prepended
data there, the decoder works). Any ideas why this might be happening? See
below for my logtest:
*Prepended Data Removed:*
**Phase 1: Completed pre-decoding.
full event: '2016 Jul 29 22:32:24 WinEvtLog:
Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
{67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image:
C:\Users\administrator\Desktop\svchost.exe CommandLine:
"C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory:
C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid:
{67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
TerminalSessionId: 1 IntegrityLevel: High Hashes:
MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid:
{67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage:
C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
hostname: 'ubuntu-srv1'
program_name: 'WinEvtLog'
log: 'Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
{67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image:
C:\Users\administrator\Desktop\svchost.exe CommandLine:
"C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory:
C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid:
{67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
TerminalSessionId: 1 IntegrityLevel: High Hashes:
MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid:
{67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage:
C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
***Phase 2: Completed decoding.*
* No decoder matched.*
*Prepended Data Intact:*
**Phase 1: Completed pre-decoding.
full event: '2016 Jul 29 22:32:25 (WIN7-X64-PC1)
172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog:
Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
{67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image:
C:\Users\administrator\Desktop\svchost.exe CommandLine:
"C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory:
C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid:
{67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
TerminalSessionId: 1 IntegrityLevel: High Hashes:
MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid:
{67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage:
C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
hostname: '(WIN7-X64-PC1)'
program_name: '(null)'
log: '172.16.213.5->WinEvtLog 2016 Jul 29 22:32:24 WinEvtLog:
Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: Win7-x64-PC1.hackme.local:
Process Create: UtcTime: 2016-07-30 03:32:24.846 ProcessGuid:
{67C360F4-1FC8-579C-0000-001017F41E00} ProcessId: 3988 Image:
C:\Users\administrator\Desktop\svchost.exe CommandLine:
"C:\Users\administrator\Desktop\svchost.exe" CurrentDirectory:
C:\Users\administrator\Desktop\ User: HACKME\Administrator LogonGuid:
{67C360F4-1C55-579C-0000-00206BBC0600} LogonId: 0x6bc6b
TerminalSessionId: 1 IntegrityLevel: High Hashes:
MD5=C019D10F80409FC4C7D45EBFA48B0076 ParentProcessGuid:
{67C360F4-1C57-579C-0000-001092EC0600} ParentProcessId: 3056 ParentImage:
C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE'
***Phase 2: Completed decoding.*
* decoder: 'Sysmon-EventID#1'*
On Friday, July 29, 2016 at 11:22:46 AM UTC-5, LostInThe Tubez wrote:
>
> Delving into Sysmon event log parsing reveals just how monumental a task
> it is to parse out useful information from Windows event logs. The
> challenge is that nearly each and every Event ID has a different log
> format, which essentially means that almost every Event ID needs its own
> decoder... I may be waxing a little dramatic here, but the point is that to
> properly parse Windows logs, the original decoder needs to be made more
> generic and LOTS more child decoders need to be developed. At least, that
> is the approach I took, personally. Maybe I’m totally off base. Been
> testing it for a few months and it seems to work OK, but I haven’t done any
> auditing to see if I’ve broken anything. Anyway, here’s what I did and what
> works for me at the moment. If you go this route, you’ll need to comment
> out the original windows decoder in /var/ossec/etc/decoder.xml (and
> whatever else sysmon-related might have made it in there since last I
> looked; I’m not running the latest beta). I put these in local_decoder.xml:
>
>
>
> <decoder name="windows">
>
> <type>windows</type>
>
> <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog:
> |^WinEvtLog: </prematch>
>
> </decoder>
>
>
>
> <decoder name="windows-defaultlogs">
>
> <parent>windows</parent>
>
> <type>windows</type>
>
> <use_own_name>true</use_own_name>
>
> <prematch offset="after_parent">^Application: |^Security:
> |^System: </prematch>
>
> <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>
> <regex>(\.+): \.+: (\S+): </regex>
>
> <order>status, id, extra_data, user, system_name</order>
>
> <fts>name, location, user, system_name</fts>
>
> </decoder>
>
>
>
> <decoder name="windows-sysmon-eventID1">
>
> <parent>windows</parent>
>
> <type>windows</type>
>
> <prematch
> offset="after_parent">^Microsoft-Windows-Sysmon/Operational:
> INFORMATION\(1\)</prematch>
>
> <regex
> offset="after_parent">^Microsoft-Windows-Sysmon/Operational: (\w+)\((\d)\):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY: (\S+): Process Create: \.+
> ProcessId: \d+ Image: (\.*) CommandLine: \.*</regex>
>
> <regex> User: (\.*) LogonGuid: \S* LogonId: \S*
> TerminalSessionId: \d* IntegrityLevel: \w* Hashes: \w+=(\w*)
> ParentProcessGuid: \S* ParentProcessID: \S* ParentImage: (\.+)</regex>
>
> <order>status, id, system_name, dstuser, srcuser, url, extra_data,
> extra_data</order>
>
> </decoder>
>
>
>
>
>
> Put this in your local_rules.xml:
>
> <rule id="184600" level="1">
>
> <if_sid>18101</if_sid>
>
> <id>^1$</id>
>
> <description>Sysmon Process Launch Event</description>
>
> </rule>
>
>
>
> If you haven’t done so already, it is always helpful to enable logall mode
> when you’re working on new decoders. This will retain a copy of every
> single log line sent to your OSSEC manager. In your ossec.conf on the
> manager, put <logall>yes</logall> in a global tag somewhere and restart the
> service. You will now have a record of all logs sent to the manager, not
> just those that generate alerts. The current day’s archival logs are in
> /var/ossec/logs/archives/archives.log. Note that in order to run these
> particular logs through ossec-logtest, you’ll need to remove a prepended
> bit of text. So, edit a log entry like this:
>
>
>
> 2016 Jul 29 08:33:17 (hostname) 100.200.123.123->WinEvtLog 2016 Jul 29
> 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational: INFORMATION(1):
> Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
> hostname.subdomain.domain.tld: Process Create: UtcTime: 2016-07-29
> 15:36:08.268 ProcessGuid: {A560AB96-77E8-579B-0000-0010B7B17E50}
> ProcessId: 50292 Image: C:\Program Files (x86)\KeePass Password Safe
> 2\KeePass.exe CommandLine: "C:\Program Files (x86)\KeePass Password Safe
> 2\KeePass.exe" CurrentDirectory: C:\Program Files (x86)\KeePass Password
> Safe 2\ User: domain\username LogonGuid:
> {A560AB96-40DE-578E-0000-00209886AB02} LogonId: 0x2AB8698
> TerminalSessionId: 1 IntegrityLevel: Medium Hashes:
> SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C ParentProcessGuid:
> {A560AB96-40E0-578E-0000-0010285AAC02} ParentProcessId: 7540 ParentImage:
> C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE
>
>
>
> to become:
>
> 2016 Jul 29 08:36:08 WinEvtLog: Microsoft-Windows-Sysmon/Operational:
> INFORMATION(1): Microsoft-Windows-Sysmon: SYSTEM: NT AUTHORITY:
> hostname.subdomain.domain.tld: Process Create: UtcTime: 2016-07-29
> 15:36:08.268 ProcessGuid: {A560AB96-77E8-579B-0000-0010B7B17E50}
> ProcessId: 50292 Image: C:\Program Files (x86)\KeePass Password Safe
> 2\KeePass.exe CommandLine: "C:\Program Files (x86)\KeePass Password Safe
> 2\KeePass.exe" CurrentDirectory: C:\Program Files (x86)\KeePass Password
> Safe 2\ User: domain\username LogonGuid:
> {A560AB96-40DE-578E-0000-00209886AB02} LogonId: 0x2AB8698
> TerminalSessionId: 1 IntegrityLevel: Medium Hashes:
> SHA1=5F5AC91EB83EFB6C4171AFF9EC1ED98EBA1C6A6C ParentProcessGuid:
> {A560AB96-40E0-578E-0000-0010285AAC02} ParentProcessId: 7540 ParentImage:
> C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE
>
>
>
> before copy/pasting into ossec-logtest. This is the best way to go about
> testing an eventchannel log. You get to see exactly what is decoded and
> which rules are triggered.
>
>
>
>
>
> *From:* [email protected] <javascript:> [mailto:
> [email protected] <javascript:>] *On Behalf Of *Craig
> *Sent:* Thursday, July 28, 2016 8:24 PM
> *To:* ossec-list <[email protected] <javascript:>>
> *Subject:* [ossec-list] eventchannel decoder testing
>
>
>
> I am currently running 2.9RC2 on both client and server:
>
>
>
> What is the best way to go about testing an eventchannel log? I have the
> following set in my local ossec.conf on my windows agent:
>
>
>
> <localfile>
>
> <location>Microsoft-Windows-Sysmon/Operational</location>
>
> <log_format>eventchannel</log_format>
>
> </localfile>
>
>
>
> I am using the default sysmon decoder included on my server:
>
>
>
> <decoder name="Sysmon-EventID#1">
>
> <type>windows</type>
>
> <prematch>INFORMATION\(1\)</prematch>
>
> <regex offset="after_prematch">Image: (\.*) \s*CommandLine: \.* \s*User:
> (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S*
> \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid:
> \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*)
> \s*ParentCommandLine:</regex>
>
> <order>status,user,url,data</order>
>
> </decoder>
>
>
>
> I modified the default sysmon rule so that I would capture all process
> creates by setting the level to 1:
>
>
>
> <rule id="184700" level="1">
>
> <if_sid>18100</if_sid>
>
> <description>Sysmon - Process Create Event</description>
>
> </rule>
>
>
>
>
>
> I would think that i would now see all process creates in my alerts.log
> but unfortunately I don't see any sysmon events at all. Any idea on the
> best way to troubleshoot this? Thank you!
>
>
>
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected] <javascript:>.
> For more options, visit https://groups.google.com/d/optout.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
