On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth <tibor...@gmail.com> wrote:
> Dear Group!
>
> I've tried to parse MSExchange Management / MSExchange Cmdlet logs from
> Windows Event Log from its own log source. I've also enabled the logall option.
> Logtest is working. I'm currently getting and parsing the logs but I miss
> additional information. It seems like the log is incomplete also in
> archives.log.
>
> Here is my config, decoder, rule snippet:
>
> <agent_config>
>   <localfile>
>     <location>MSExchange Management</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> </agent_config>
>
> A simple decoder:
>
> <decoder name="MSExchange">
>   <prematch>MSExchange Management:</prematch>
> </decoder>
>
> A simple rule:
>
> <group name="msexchange">
>   <rule id="100111" level="0">
>     <decoded_as>MSExchange</decoded_as>
>     <description>Exchange Alert</description>
>   </rule>
>
>   <rule id="100112" level="0">
>     <if_sid>18101</if_sid>
>     <match>MSExchange Management: INFORMATION</match>
>     <description>Exchange information</description>
>   </rule>
>
>   <rule id="100115" level="1">
>     <if_sid>100112</if_sid>
>     <match>Add-MailboxPermission</match>
>     <description>Malibox permission changed</description>
>   </rule>
> </group>
>
> The alert output is:
>
> Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC:
> "Malibox permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME:
> "(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname)
> 10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog:
> MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no
> domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission,
> parameters {Identity=OU/mailbox - mailbox, User=domain\user,
> AccessRights={FullAccess}}.  [END]";
>
> according to the custom output in ossec.conf:
>
> <custom_alert_output>Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
> "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP:
> "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
> "[INIT]$FULLLOG[END]"; </custom_alert_output>
> <logall>yes</logall>
>
> The raw source in EvtLog in XML view:
>
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="MSExchange CmdletLogs" />
>     <EventID Qualifiers="16384">1</EventID>
>     <Level>4</Level>
>     <Task>1</Task>
>     <Keywords>0x80000000000000</Keywords>
>     <TimeCreated SystemTime="2017-08-09T07:30:55.000000000Z" />
>     <EventRecordID>14236</EventRecordID>
>     <Channel>MSExchange Management</Channel>
>     <Computer>hostname</Computer>
>     <Security />
>   </System>
>   <EventData>
>     <Data>Add-MailboxPermission</Data>
>     <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\user, AccessRights={FullAccess}}</Data>
>     <Data>domain/Admins/neededusername</Data>
>     <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
>     <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
>     <Data>ServerRemoteHost-EMC</Data>
>     <Data>6824</Data>
>     <Data />
>     <Data>62</Data>
>     <Data>00:00:00.1093778</Data>
>     <Data>View Entire Forest: 'True', Configuration Domain Controller: 'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain Controllers: '{ dc-host }'</Data>
>     <Data />
>     <Data />
>     <Data />
>   </EventData>
> </Event>
>
> What can I do to extract especially the 3rd <Data> field (or all of them)
> and show it in the logs?
>

Can you share a log sample from archives.log?

> Thanks in advance!
>
> Cheers,
>
> Tibor
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
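As an added illustration (not code from the thread or from OSSEC), the following Python parser takes the two representations Tibor posted, the WinEvtLog line the agent delivers (the EVENT field of the alert) and the XML view of the same event, and pulls out the fields each one actually carries: the rendered message yields only the outcome, cmdlet name and parameters, while the caller in the third <Data> element is present only in the XML view. SAMPLE_LINE and SAMPLE_XML are constructed from the samples above; the regular expressions are my own layout assumptions for that line format.

```python
import re, xml.etree.ElementTree as ET
# Constructed sample: the EVENT string from the alert above without the [INIT]/[END] markers.
SAMPLE_LINE = (
    "2017 Aug 09 09:30:55 WinEvtLog: MSExchange Management: INFORMATION(1): "
    "MSExchange CmdletLogs: (no user): no domain: domain.domain: Cmdlet succeeded. "
    "Cmdlet Add-MailboxPermission, parameters {Identity=OU/mailbox - mailbox, "
    "User=domain\\user, AccessRights={FullAccess}}.  "
)
# Constructed sample: a trimmed copy of the XML view; the third <Data> is the caller.
SAMPLE_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>'
    "<Data>Add-MailboxPermission</Data><Data>{Identity=domain/OU/mailbox - mailbox, "
    "User=domain\\user, AccessRights={FullAccess}}</Data>"
    "<Data>domain/Admins/neededusername</Data><Data /></EventData></Event>"
)
# Assumed layout of the eventlog line as the agent delivers it (the EVENT field in the alert).
WINEVT_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d\d \d\d:\d\d:\d\d) WinEvtLog: (?P<channel>[^:]+): "
    r"(?P<level>\w+)\((?P<event_id>\d+)\): (?P<source>[^:]+): (?P<user>[^:]+): "
    r"(?P<domain>[^:]+): (?P<computer>[^:]+): (?P<message>.*)$"
)
# The rendered CmdletLogs message: outcome, cmdlet name and the parameter block.
CMDLET_RE = re.compile(r"^Cmdlet (?P<status>\w+)\. Cmdlet (?P<cmdlet>\S+), parameters \{(?P<params>.*)\}\.?\s*$")

def split_params(params):
    """Split 'k=v, k=v' on top-level commas only; a value such as {FullAccess} may nest."""
    out, depth, cur = {}, 0, []
    for ch in params + ",":
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            key, _, val = "".join(cur).strip().partition("=")
            out[key], cur = val, []
        else:
            cur.append(ch)
    return out
def parse_winevtlog_line(line):
    """Return header fields plus status/cmdlet/params, or None for a non-WinEvtLog line."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    cm = CMDLET_RE.match(fields["message"])
    if cm:
        fields.update(cm.groupdict())
        fields["params"] = split_params(fields["params"])
    return fields
def eventdata_fields(xml_text):
    """Return every <Data> value from the XML view in order; empty string for <Data />."""
    root = ET.fromstring(xml_text)
    return [d.text or "" for d in root.findall("{*}EventData/{*}Data")]
```

Comparing `parse_winevtlog_line(SAMPLE_LINE)` with `eventdata_fields(SAMPLE_XML)` shows which values a decoder working on the delivered line can ever extract and which only exist in the event's XML data.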
