On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth <[email protected]> wrote:
> Dear Group!
>
> I've tried to parse MSExchange Management / MSExchange Cmdlet logs from
> the Windows Event Log from its own log source. I've also enabled the logall
> option. Logtest is working. I'm currently getting and parsing the logs but
> I miss additional information. Seems like the log is incomplete also in
> archives.log.
>
> Here is my config, decoder, rule snippet:
>
> <agent_config>
>   <localfile>
>     <location>MSExchange Management</location>
>     <log_format>eventlog</log_format>
>   </localfile>
> </agent_config>
>
> A simple decoder:
>
> <decoder name="MSExchange">
>   <prematch>MSExchange Management:</prematch>
> </decoder>
>
> A simple rule:
>
> <group name="msexchange">
>   <rule id="100111" level="0">
>     <decoded_as>MSExchange</decoded_as>
>     <description>Exchange Alert</description>
>   </rule>
>
>   <rule id="100112" level="0">
>     <if_sid>18101</if_sid>
>     <match>MSExchange Management: INFORMATION</match>
>     <description>Exchange information</description>
>   </rule>
>
>   <rule id="100115" level="1">
>     <if_sid>100112</if_sid>
>     <match>Add-MailboxPermission</match>
>     <description>Malibox permission changed</description>
>   </rule>
> </group>
>
> The alert output is:
>
> Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC:
> "Malibox permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME:
> "(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname)
> 10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog:
> MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no
> domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission,
> parameters {Identity=OU/mailbox - mailbox, User=domain\user,
> AccessRights={FullAccess}}. [END]";
>
> according to the custom output in ossec.conf:
>
> <custom_alert_output>Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
> "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP:
> "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
> "[INIT]$FULLLOG[END]"; </custom_alert_output>
> <logall>yes</logall>
>
> The raw source in EvtLog in XML view:
>
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="MSExchange CmdletLogs" />
>     <EventID Qualifiers="16384">1</EventID>
>     <Level>4</Level>
>     <Task>1</Task>
>     <Keywords>0x80000000000000</Keywords>
>     <TimeCreated SystemTime="2017-08-09T07:30:55.000000000Z" />
>     <EventRecordID>14236</EventRecordID>
>     <Channel>MSExchange Management</Channel>
>     <Computer>hostname</Computer>
>     <Security />
>   </System>
>   <EventData>
>     <Data>Add-MailboxPermission</Data>
>     <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\user,
>     AccessRights={FullAccess}}</Data>
>     <Data>domain/Admins/neededusername</Data>
>     <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
>     <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
>     <Data>ServerRemoteHost-EMC</Data>
>     <Data>6824</Data>
>     <Data />
>     <Data>62</Data>
>     <Data>00:00:00.1093778</Data>
>     <Data>View Entire Forest: 'True', Configuration Domain Controller:
>     'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain
>     Controllers: '{ dc-host }'</Data>
>     <Data />
>     <Data />
>     <Data />
>   </EventData>
> </Event>
>
> What can I do in order to extract especially the 3rd <Data> field (or all
> of them) and show them in the logs?
>

Can you share a log sample from archives.log?

> Thanks in advance!
>
> Cheers,
>
> Tibor
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
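As an added illustration (not code from either poster, and not an OSSEC decoder), the snippet below parses an event in the XML shape quoted above and pulls out the cmdlet, its parameters and the third <Data> element (the caller) that the flattened WinEvtLog line omits. The sample event is constructed and modelled on the one in the thread; user, mailbox and domain names are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the event quoted in the thread (user and mailbox names are placeholders).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSExchange CmdletLogs" />
    <Channel>MSExchange Management</Channel>
  </System>
  <EventData>
    <Data>Add-MailboxPermission</Data>
    <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\\user, AccessRights={FullAccess}}</Data>
    <Data>domain/Admins/neededusername</Data>
  </EventData>
</Event>"""

def split_top_level(text, sep=","):
    """Split on `sep` only outside {...}, so nested values such as {FullAccess} stay intact."""
    parts, depth, current = [], 0, []
    for ch in text:
        depth += (ch == "{") - (ch == "}")
        if ch == sep and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts

def parse_parameters(text):
    """Turn the cmdlet parameter string '{Key=value, ...}' into a dict, unwrapping {value} braces."""
    text = text.strip()[1:-1] if text.strip().startswith("{") else text.strip()
    params = {}
    for item in filter(None, split_top_level(text)):
        key, _, value = item.partition("=")
        value = value.strip()
        params[key.strip()] = value[1:-1] if value.startswith("{") and value.endswith("}") else value
    return params

def parse_cmdlet_event(xml_text):
    """Return cmdlet, parsed parameters and the caller (the third <Data> element the thread asks about)."""
    data = [d.text or "" for d in ET.fromstring(xml_text).findall("./e:EventData/e:Data", NS)]
    return {"cmdlet": data[0], "parameters": parse_parameters(data[1]), "caller": data[2]}

def is_full_access_grant(event):
    """The case rule 100115 in the thread is after: Add-MailboxPermission granting FullAccess."""
    return (event["cmdlet"] == "Add-MailboxPermission"
            and "FullAccess" in event["parameters"].get("AccessRights", ""))
```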
