Dear Group!
I've tried to parse MSExchange Management / MSExchange Cmdlet logs from
Windows Event Log from its own log source. I've also enabled the logall option.
Logtest is working. I'm currently getting and parsing the logs but I miss
additional information. It seems like the log is incomplete also in
archives.log.
Here is my config, decoder, rule snippet:
<agent_config>
<localfile>
<location>MSExchange Management</location>
<log_format>eventlog</log_format>
</localfile>
</agent_config>
A simple decoder:
<decoder name="MSExchange">
<prematch>MSExchange Management:</prematch>
</decoder>
A simple rule:
<group name="msexchange">
<rule id="100111" level="0">
<decoded_as>MSExchange</decoded_as>
<description>Exchange Alert</description>
</rule>
<rule id="100112" level="0">
<if_sid>18101</if_sid>
<match>MSExchange Management: INFORMATION</match>
<description>Exchange information</description>
</rule>
<rule id="100115" level="1">
<if_sid>100112</if_sid>
<match>Add-MailboxPermission</match>
<description>Malibox permission changed</description>
</rule>
</group>
The alert output is:
Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC: "Malibox
permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME:
"(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname)
10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog:
MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no
domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission,
parameters {Identity=OU/mailbox - mailbox, User=domain\user,
AccessRights={FullAccess}}. [END]";
according to the custom output in ossec.conf:
<custom_alert_output>Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
"$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER";
SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
"[INIT]$FULLLOG[END]"; </custom_alert_output>
<logall>yes</logall>
The raw source in EvtLog in XML view:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSExchange CmdletLogs" />
<EventID Qualifiers="16384">1</EventID>
<Level>4</Level>
<Task>1</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-08-09T07:30:55.000000000Z" />
<EventRecordID>14236</EventRecordID>
<Channel>MSExchange Management</Channel>
<Computer>hostname</Computer>
<Security />
</System>
<EventData>
<Data>Add-MailboxPermission</Data>
<Data>{Identity=domain/OU/mailbox - mailbox, User=domain\user,
AccessRights={FullAccess}}</Data>
<Data>domain/Admins/neededusername</Data>
<Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
<Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
<Data>ServerRemoteHost-EMC</Data>
<Data>6824</Data>
<Data />
<Data>62</Data>
<Data>00:00:00.1093778</Data>
<Data>View Entire Forest: 'True', Configuration Domain Controller:
'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain
Controllers: '{ dc-host }'</Data>
<Data />
<Data />
<Data />
</EventData>
</Event>
What can I do in order to extract especially the 3rd <Data> field (or all)
and show in logs?
Thanks in advance!
Cheers,
Tibor
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
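Added illustration (not code from the post, and not part of OSSEC): the rendered message OSSEC sees in $FULLLOG above carries only the cmdlet and its parameters, while the account that ran the cmdlet lives in the third EventData field of the XML view. The script below parses an event in that XML form (as you would get it exported or forwarded from the channel), names the positional fields and flattens them into a key=value line that a file-based log source and decoder can pick up, then applies a simple check for FullAccess grants. The sample event is constructed from the one quoted in the post, and the positional field names (cmdlet, parameters, caller, client) are an assumption inferred from that sample rather than anything Exchange documents in the XML, so verify them against your own events.

```python
"""Flatten a Windows 'MSExchange Management' event (XML view) so the account
that invoked the cmdlet is visible in the resulting log line."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample event modelled on the XML view in the post. SIDs, host and
# account names are placeholders, not real values.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange CmdletLogs" />
    <EventID Qualifiers="16384">1</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2017-08-09T07:30:55.000000000Z" />
    <EventRecordID>14236</EventRecordID>
    <Channel>MSExchange Management</Channel>
    <Computer>hostname</Computer>
  </System>
  <EventData>
    <Data>Add-MailboxPermission</Data>
    <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\\user, AccessRights={FullAccess}}</Data>
    <Data>domain/Admins/neededusername</Data>
    <Data>S-1-5-21-0-0-0-1001</Data>
    <Data>S-1-5-21-0-0-0-1001</Data>
    <Data>ServerRemoteHost-EMC</Data>
    <Data>6824</Data>
    <Data />
    <Data>62</Data>
    <Data>00:00:00.1093778</Data>
    <Data>View Entire Forest: 'True'</Data>
    <Data />
    <Data />
    <Data />
  </EventData>
</Event>"""

# Positional meaning of the EventData fields. ASSUMPTION: inferred from the
# sample above (Exchange does not name these fields in the XML); check the
# positions against your own events before relying on them.
FIELD_NAMES = {0: "cmdlet", 1: "parameters", 2: "caller", 5: "client"}


def parse_event(xml_text):
    """Return the System fields of interest plus the named EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    # Empty <Data /> elements have text None; keep them as "" so positions hold.
    data = [(d.text or "").strip()
            for d in root.findall(NS + "EventData/" + NS + "Data")]
    rec = {
        "provider": system.find(NS + "Provider").get("Name"),
        "event_id": int(system.find(NS + "EventID").text),
        "time": system.find(NS + "TimeCreated").get("SystemTime"),
        "computer": system.find(NS + "Computer").text,
    }
    for idx, name in FIELD_NAMES.items():
        rec[name] = data[idx] if idx < len(data) else ""
    return rec


def to_log_line(rec):
    """Flat key="value" line; a prematch on provider= and a regex on the
    quoted values is enough to decode caller and cmdlet from this."""
    order = ["provider", "event_id", "time", "computer",
             "cmdlet", "caller", "client", "parameters"]
    return " ".join('%s="%s"' % (key, rec[key]) for key in order)


def is_full_access_grant(rec):
    """True when a mailbox was granted FullAccess, the case rule 100115 targets."""
    return (rec["cmdlet"] == "Add-MailboxPermission"
            and "FullAccess" in rec["parameters"])


if __name__ == "__main__":
    record = parse_event(SAMPLE_EVENT)
    print(to_log_line(record))
    if is_full_access_grant(record):
        print("FullAccess granted by %s on %s" % (record["caller"], record["computer"]))
```

Run as-is it prints the flattened line for the constructed event; point `parse_event` at your own exported events to confirm the field positions before building a decoder around them.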