Yes,

2017 Aug 09 09:29:02 (hostname) 10.1.0.1->WinEvtLog 2017 Aug 09 09:30:55 
WinEvtLog: MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: 
(no user): no domain: domain.domain: Cmdlet succeeded. Cmdlet 
Add-MailboxPermission, parameters {Identity=OU/mailbox - mailbox, 
User=domain\user, AccessRights={FullAccess}}.

It is also missing the rest of the logs. :\

Thanks!

On Saturday, 12 August 2017 at 1:02:21 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth <[email protected]> wrote: 
> > Dear Group! 
> > 
> > I've tried to parse MSExchange Management / MSExchange Cmdlet logs from 
> > the Windows Event Log from its own log source. I've also enabled the logall 
> > option. 
> > Logtest is working. I'm currently getting and parsing the logs but I miss 
> > additional information. It seems like the log is incomplete also in 
> > archives.log. 
> > 
> > Here is my config, decoder, rule snippet: 
> > 
> > <agent_config> 
> >   <localfile> 
> >     <location>MSExchange Management</location> 
> >     <log_format>eventlog</log_format> 
> >   </localfile> 
> > </agent_config> 
> > 
> > A simple decoder: 
> > 
> > <decoder name="MSExchange"> 
> > <prematch>MSExchange Management:</prematch> 
> > </decoder> 
> > 
> > A simple rule: 
> > 
> > <group name="msexchange"> 
> >   <rule id="100111" level="0"> 
> >     <decoded_as>MSExchange</decoded_as> 
> >     <description>Exchange Alert</description> 
> >   </rule> 
> > 
> >   <rule id="100112" level="0"> 
> >     <if_sid>18101</if_sid> 
> >     <match>MSExchange Management: INFORMATION</match> 
> >     <description>Exchange information</description> 
> >   </rule> 
> > 
> >   <rule id="100115" level="1"> 
> >     <if_sid>100112</if_sid> 
> >     <match>Add-MailboxPermission</match> 
> >     <description>Malibox permission changed</description> 
> >   </rule> 
> > </group> 
> > 
> > The alert output is: 
> > 
> > Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC: 
> > "Malibox permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME: 
> > "(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname) 
> > 10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog: 
> > MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no 
> > domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission, 
> > parameters {Identity=OU/mailbox - mailbox, User=domain\user, 
> > AccessRights={FullAccess}}.  [END]"; 
> > 
> > according to the custom output in ossec.conf: 
> > 
> > <custom_alert_output>Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: 
> > "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: 
> > "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: 
> > "[INIT]$FULLLOG[END]"; </custom_alert_output> 
> > <logall>yes</logall> 
> > 
> > The raw source in EvtLog in XML view: 
> > 
> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
> >   <System> 
> >     <Provider Name="MSExchange CmdletLogs" /> 
> >     <EventID Qualifiers="16384">1</EventID> 
> >     <Level>4</Level> 
> >     <Task>1</Task> 
> >     <Keywords>0x80000000000000</Keywords> 
> >     <TimeCreated SystemTime="2017-08-09T07:30:55.000000000Z" /> 
> >     <EventRecordID>14236</EventRecordID> 
> >     <Channel>MSExchange Management</Channel> 
> >     <Computer>hostname</Computer> 
> >     <Security /> 
> >   </System> 
> >   <EventData> 
> >     <Data>Add-MailboxPermission</Data> 
> >     <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\user, AccessRights={FullAccess}}</Data> 
> >     <Data>domain/Admins/neededusername</Data> 
> >     <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data> 
> >     <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data> 
> >     <Data>ServerRemoteHost-EMC</Data> 
> >     <Data>6824</Data> 
> >     <Data /> 
> >     <Data>62</Data> 
> >     <Data>00:00:00.1093778</Data> 
> >     <Data>View Entire Forest: 'True', Configuration Domain Controller: 'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain Controllers: '{ dc-host }'</Data> 
> >     <Data /> 
> >     <Data /> 
> >     <Data /> 
> >   </EventData> 
> > </Event> 
> > 
> > What can I do in order to extract the 3rd <Data> field in particular (or 
> > all of them) and show it in the logs? 
> > 
>
> Can you share a log sample from archives.log? 
>
> > Thanks in advance! 
> > 
> > Cheers, 
> > 
> > Tibor 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to [email protected]. 
> > For more options, visit https://groups.google.com/d/optout. 
>

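An added example (not from the thread) of decoding the line as it reaches archives.log: a child of the stock `windows` decoder (the one rule 18101 already chains from) pulls the cmdlet name and its parameter list into fields the rules can test, instead of a second top-level decoder and raw `<match>` on the text. The decoder name, rule levels and descriptions are assumptions; note that the account that ran the cmdlet (the 3rd `<Data>` field) is not present in this line at all, only "(no user)", so no decoder can recover it from archives.log.

```xml
<!-- local_decoder.xml (decoder name is an assumption, not a stock OSSEC decoder).
     The stock "windows" decoder has already matched "WinEvtLog: " and filled
     status=INFORMATION, id=1, user="(no user)", system_name=domain.domain;
     this child only adds what the Exchange message body carries. -->
<decoder name="msexchange-cmdlet">
  <parent>windows</parent>
  <prematch>MSExchange CmdletLogs</prematch>
  <!-- Matches: Cmdlet Add-MailboxPermission, parameters {Identity=..., AccessRights={FullAccess}}.
       In OSSEC regex "\." is "any character" and "\.+" stops at the first point
       where the rest of the pattern matches, so the capture ends at the final "}." -->
  <regex>Cmdlet (\S+), parameters {(\.+)}.</regex>
  <!-- action = cmdlet name, extra_data = parameter list
       (this overwrites the parent's extra_data "MSExchange CmdletLogs") -->
  <order>action, extra_data</order>
</decoder>

<!-- local_rules.xml (rule ids reuse the thread's 1001xx range; levels are assumptions) -->
<group name="msexchange,">
  <!-- 18101 is the stock "Windows informational event" rule the thread chains from -->
  <rule id="100112" level="0">
    <if_sid>18101</if_sid>
    <action>Add-MailboxPermission</action>
    <description>Exchange: mailbox permission changed</description>
  </rule>

  <!-- FullAccess on a mailbox is the case worth alerting on; the parameter
       list (Identity=..., User=...) is now in extra_data for further rules -->
  <rule id="100115" level="7">
    <if_sid>100112</if_sid>
    <match>AccessRights={FullAccess}</match>
    <description>Exchange: FullAccess granted on a mailbox</description>
  </rule>
</group>
```

Run the archives.log line through `ossec-logtest` after adding both files to confirm that `action` and `extra_data` are populated and that rule 100115 fires.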