On Mon, Feb 20, 2017 at 6:08 AM, Casimiro <[email protected]> wrote:
> Version 2.8
>
> Events:
>
> WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14952 Source Address: 10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255 Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID:13
>
> I want to extract the source IP in addition to the status, id, extra_data, srcuser and
> system_name fields extracted by the original Windows decoder.
>

This works with the latest master:

<decoder name="windows1">
  <parent>windows</parent>
  <regex>Source Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

> Thanks
>
> On Friday, 17 February 2017, 14:01:15 (UTC+1), Casimiro wrote:
>>
>> I'm trying to override the windows decoder to extract more fields (in
>> local_decoder.xml), like source IP, destination IP, source port.
>>
>> This is my local decoder for windows:
>>
>> <decoder name="windows-audit">
>>   <parent>windows</parent>
>>   <prematch>AUDIT_FAILURE(51512)</prematch>
>>   <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
>>   <order>srcip</order>
>> </decoder>
>>
>> When I put the new decoder in local_decoder.xml, the Windows log doesn't match
>> the windows parent decoder. If I take off the local decoder, the log matches
>> the windows parent decoder.
>>
>> I want to get all fields: parent fields + child fields (in this case
>> status, id, extra_data, srcuser, system_name and srcip).
>>
>> Thanks in advance
>>
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
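To make the parent/child decoder behaviour concrete, here is an added Python emulation of the decoder chain on the event from this thread. It is not OSSEC code and not from the list reply: the parent regex is an approximation of the stock "windows" decoder rewritten for Python's re module (OSSEC uses its own regex dialect, though the reply's Source Address: (\S+) reads the same in both), the child decoder name "windows-wfp" is hypothetical, and the child is extended beyond the reply's srcip to the srcport, dstip and dstport fields the original question asked for. The child's prematch escapes the parentheses, since in OSSEC regex syntax bare ( ) are grouping characters; the sample event line is constructed from the one quoted above, joined back onto a single line.

```python
import ipaddress
import re

# Constructed sample: the WinEvtLog line quoted in this thread, joined onto one
# line as the OSSEC agent ships it (the mail client wrapped it).
EVENT = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
    "no domain: WKUSR01.cm.shr: The Windows Filtering Platform blocked a packet. "
    "Application Information: Process ID: 0 Application Name: - "
    "Network Information: Direction: %%14952 Source Address: 10.10.10.58 "
    "Source Port: 55663 Destination Address: 255.255.255.255 Destination Port: 1211 "
    "Protocol: 17 Filter Information: Filter Run-Time ID: 70713 "
    "Layer Name: %%14597 Layer Run-Time ID:13"
)

# Parent decoder. The regex is an approximation of the stock OSSEC "windows"
# decoder rewritten for Python's re; the field names are the ones the thread uses.
PARENT = {
    "name": "windows",
    "prematch": re.compile(r"^WinEvtLog: "),
    "regex": re.compile(r"^[^:]+: (\w+)\((\d+)\): ([^:]+): ([^:]+): ([^:]+): "),
    "order": ("status", "id", "extra_data", "srcuser", "system_name"),
}

# Child decoders, in the shape of the reply's <decoder name="windows1"> block but
# extended with the other network fields the question asked for. A child only
# contributes fields when its parent matched and its own prematch hits the event.
CHILDREN = [
    {
        "name": "windows-wfp",  # hypothetical decoder name
        "parent": "windows",
        # Literal parentheses must be escaped: bare ( ) are groups in OSSEC regex.
        "prematch": re.compile(r"AUDIT_FAILURE\(5152\)"),
        "regex": re.compile(
            r"Source Address: (\S+) Source Port: (\d+) "
            r"Destination Address: (\S+) Destination Port: (\d+)"
        ),
        "order": ("srcip", "srcport", "dstip", "dstport"),
    },
]


def decode(event):
    """Emulate the OSSEC decoder chain: parent fields first, then the first
    matching child's fields merged on top. Returns {} if the parent misses."""
    pm = PARENT["prematch"].search(event)
    if not pm:
        return {}
    # The parent regex is applied to the text after the prematch ("after_prematch").
    m = PARENT["regex"].match(event[pm.end():])
    if not m:
        return {}
    fields = dict(zip(PARENT["order"], m.groups()))
    for child in CHILDREN:
        if child["parent"] != PARENT["name"]:
            continue
        if child["prematch"] and not child["prematch"].search(event):
            continue
        cm = child["regex"].search(event)
        if cm:
            fields.update(zip(child["order"], cm.groups()))
            break
    # \S+ accepts any non-blank token ("-" included); drop values that are not
    # real IP addresses so srcip-based rules never correlate on garbage.
    for key in ("srcip", "dstip"):
        if key in fields:
            try:
                ipaddress.ip_address(fields[key])
            except ValueError:
                del fields[key]
    return fields


if __name__ == "__main__":
    for name, value in decode(EVENT).items():
        print(f"{name}: {value}")
```

Running the script prints the parent fields (status, id, extra_data, srcuser, system_name) followed by srcip, srcport, dstip and dstport. The same emulation also shows why a child whose prematch never hits the event, such as the first decoder's AUDIT_FAILURE(51512) against an event carrying 5152, adds no fields at all: the parent still decodes, the child is simply skipped.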
