Dear Group!

I've tried to parse MSExchange Management / MSExchange Cmdlet logs from 
Windows Event Log from its own log source. I've also enabled the logall option. 
Logtest is working. I'm currently getting and parsing the logs but I miss 
additional information. It seems like the log is incomplete also in 
archives.log.

Here is my config, decoder, rule snippet:

<agent_config>
  <localfile>
    <location>MSExchange Management</location>
    <log_format>eventlog</log_format>
  </localfile>
</agent_config>

A simple decoder:

<decoder name="MSExchange">
  <prematch>MSExchange Management:</prematch>
</decoder>

A simple rule:

<group name="msexchange">
  <rule id="100111" level="0">
    <decoded_as>MSExchange</decoded_as>
    <description>Exchange Alert</description>
  </rule>

  <rule id="100112" level="0">
    <if_sid>18101</if_sid>
    <match>MSExchange Management: INFORMATION</match>
    <description>Exchange information</description>
  </rule>

  <rule id="100115" level="1">
    <if_sid>100112</if_sid>
    <match>Add-MailboxPermission</match>
    <description>Malibox permission changed</description>
  </rule>
</group>

The alert output is:

Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC: "Malibox 
permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME: 
"(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname) 
10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog: 
MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no 
domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission, 
parameters {Identity=OU/mailbox - mailbox, User=domain\user, 
AccessRights={FullAccess}}.  [END]";

according to the custom output in ossec.conf:

<custom_alert_output>Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: 
"$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; 
SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: 
"[INIT]$FULLLOG[END]"; </custom_alert_output>
<logall>yes</logall>

The raw source in EvtLog in XML view:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange CmdletLogs" />
    <EventID Qualifiers="16384">1</EventID>
    <Level>4</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-08-09T07:30:55.000000000Z" />
    <EventRecordID>14236</EventRecordID>
    <Channel>MSExchange Management</Channel>
    <Computer>hostname</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Add-MailboxPermission</Data>
    <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\user, AccessRights={FullAccess}}</Data>
    <Data>domain/Admins/neededusername</Data>
    <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
    <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
    <Data>ServerRemoteHost-EMC</Data>
    <Data>6824</Data>
    <Data />
    <Data>62</Data>
    <Data>00:00:00.1093778</Data>
    <Data>View Entire Forest: 'True', Configuration Domain Controller: 'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain Controllers: '{ dc-host }'</Data>
    <Data />
    <Data />
    <Data />
  </EventData>
</Event>

What can I do to extract the 3rd <Data> field in particular (or all of them) 
and show it in the logs?

Thanks in advance!

Cheers,

Tibor
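The account that ran the cmdlet is only present in the event as the 3rd positional <Data> element; it does not appear in the rendered text that the alert's $FULLLOG shows. As an added example (not from this thread and not OSSEC's own code), the Python below parses the XML view pasted above, gives the first three positional fields names and flattens the event to one key="value" line that a log collector could tail; the field names ("cmdlet", "parameters", "caller") and the flattening approach are assumptions of this example, not OSSEC functionality.

```python
import xml.etree.ElementTree as ET

# Namespace of the Event XML shown in the post.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Names for the first three positional <Data> fields. These labels are an
# assumption; the post only shows cmdlet, parameters and the running account.
DATA_FIELDS = ("cmdlet", "parameters", "caller")

# Constructed sample: the event pasted in the post, trimmed to the fields used.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange CmdletLogs" />
    <EventID Qualifiers="16384">1</EventID>
    <TimeCreated SystemTime="2017-08-09T07:30:55.000000000Z" />
    <Channel>MSExchange Management</Channel>
    <Computer>hostname</Computer>
  </System>
  <EventData>
    <Data>Add-MailboxPermission</Data>
    <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\\user, AccessRights={FullAccess}}</Data>
    <Data>domain/Admins/neededusername</Data>
    <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
    <Data />
  </EventData>
</Event>"""


def parse_cmdlet_event(xml_text):
    """Return System metadata plus every positional EventData field as a dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
    }
    # Empty <Data /> elements have text None; keep them as "" so positions stay aligned.
    data = [(d.text or "") for d in root.findall("e:EventData/e:Data", NS)]
    # Named positions get their label; anything beyond is kept as data_N, not dropped.
    for i, value in enumerate(data):
        name = DATA_FIELDS[i] if i < len(DATA_FIELDS) else "data_%d" % i
        fields[name] = value
    return fields


def to_log_line(fields):
    """Flatten to one key="value" line; inner double quotes become single quotes."""
    return " ".join('%s="%s"' % (k, str(v).replace('"', "'")) for k, v in fields.items())
```

Calling `to_log_line(parse_cmdlet_event(SAMPLE_EVENT))` yields one line containing `caller="domain/Admins/neededusername"`, which a simple decoder can then pick up by name.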
