Hello, 

I am looking for guidance on how to approach decoding the following events 
in XML with Wazuh. 


Raw format:

<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
   <Version>11.2</Version>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108590</Session_Id><StatementId>1</StatementId><EntryId>1</EntryId><Extended_Timestamp>2018-02-06T20:41:03.382000Z</Extended_Timestamp><DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\SYSTEM</OS_User><Userhost>WORKGROUP\Marksman-TEST</Userhost><OS_Process>780:1584</OS_Process><Terminal>Marksman-TEST</Terminal><Instance_Number>0</Instance_Number><Action>100</Action><TransactionId>0000000000000000</TransactionId><Returncode>0</Returncode><Comment_Text>Authenticated by: DATABASE</Comment_Text><Priv_Used>5</Priv_Used><DBID>4045712141</DBID>
</AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108590</Session_Id><EntryId>2</EntryId><Extended_Timestamp>2018-02-06T20:41:03.386000Z</Extended_Timestamp><DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\SYSTEM</OS_User><Userhost>WORKGROUP\Marksman-TEST</Userhost><OS_Process>780:1584</OS_Process><Terminal>Marksman-TEST</Terminal><Instance_Number>0</Instance_Number><Action>101</Action><Returncode>0</Returncode><DBID>4045712141</DBID>
</AuditRecord>
</Audit>

By field format:

<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
   <Version>11.2</Version>
<AuditRecord>
<Audit_Type>1</Audit_Type>
<Session_Id>109109</Session_Id>
<StatementId>1</StatementId>
<EntryId>1</EntryId>
<Extended_Timestamp>2018-02-06T20:45:17.820000Z</Extended_Timestamp>
<DB_User>SYSTEM</DB_User>
<OS_User>NT AUTHORITY\SYSTEM</OS_User>
<Userhost>WORKGROUP\Marksman-TEST</Userhost>
<OS_Process>780:172</OS_Process>
<Terminal>Marksman-TEST</Terminal>
<Instance_Number>0</Instance_Number>
<Action>100</Action>
<TransactionId>0000000000000000</TransactionId>
<Returncode>0</Returncode>
<Comment_Text>Authenticated by: DATABASE</Comment_Text>
<Priv_Used>5</Priv_Used>
<DBID>4045712141</DBID>
</AuditRecord>
<AuditRecord>
<Audit_Type>1</Audit_Type>
<Session_Id>109109</Session_Id>
<EntryId>2</EntryId>
<Extended_Timestamp>2018-02-06T20:45:17.824000Z</Extended_Timestamp>
<DB_User>SYSTEM</DB_User>
<OS_User>NT AUTHORITY\SYSTEM</OS_User>
<Userhost>WORKGROUP\Marksman-TEST</Userhost>
<OS_Process>780:172</OS_Process>
<Terminal>Marksman-TEST</Terminal>
<Instance_Number>0</Instance_Number>
<Action>101</Action>
<Returncode>0</Returncode>
<DBID>4045712141</DBID>
</AuditRecord>
</Audit>


   1. This is the content of a single log file.
   2. Getting 1-4 of these per second, with a dynamic file name for each file.
   3. Every file is 40 lines long.
   4. Every log entry has two <AuditRecord> sections.

Any help on getting started would be greatly appreciated. 

Thank you in advance!!

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
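Added example (not from the original post or from the Wazuh project): one practical way to get started is to avoid writing a multi-line regex decoder for this format at all. Wazuh's logcollector is line-oriented, so the script below flattens each `<AuditRecord>` of an Oracle 11.2 XML audit file into a single JSON object per line; the output file can then be collected with `<log_format>json</log_format>` and the stock `json` decoder, and the field names in the XML (DB_User, Action, Returncode, ...) come through as `data.*` fields without any custom decoder. The sample document is constructed from the records in the post; the third record (Returncode 1017, a failed LOGON) is invented to exercise the failure path. The LOGON/LOGOFF names for action codes 100/101 are taken from Oracle's AUDIT_ACTIONS data dictionary view; the `action_name`, `outcome` and `is_failed_logon` names are this example's own.

```python
"""Flatten Oracle 11.2 XML audit trail files into one JSON object per line.

Wazuh's logcollector reads lines, so a 40-line XML document is awkward to
decode with regular expressions. Emitting one JSON line per <AuditRecord>
lets the stock `json` decoder do the work and keeps field names stable.
"""
import json
import sys
import xml.etree.ElementTree as ET

# Default namespace declared on <Audit> in the posted files.
NS = "{http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd}"

# Fields that are integers in the audit trail; everything else stays a string
# (TransactionId is a hex string, so it is deliberately not listed).
INT_FIELDS = {"Audit_Type", "Session_Id", "StatementId", "EntryId",
              "Instance_Number", "Action", "Returncode", "Priv_Used", "DBID"}

# Action codes from Oracle's AUDIT_ACTIONS data dictionary view.
ACTION_NAMES = {100: "LOGON", 101: "LOGOFF"}

# Constructed sample modelled on the post. The third record (Returncode 1017,
# ORA-01017 invalid username/password) is invented to show a failed logon.
SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
 <Version>11.2</Version>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108590</Session_Id><StatementId>1</StatementId><EntryId>1</EntryId><Extended_Timestamp>2018-02-06T20:41:03.382000Z</Extended_Timestamp><DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\SYSTEM</OS_User><Userhost>WORKGROUP\Marksman-TEST</Userhost><OS_Process>780:1584</OS_Process><Terminal>Marksman-TEST</Terminal><Instance_Number>0</Instance_Number><Action>100</Action><TransactionId>0000000000000000</TransactionId><Returncode>0</Returncode><Comment_Text>Authenticated by: DATABASE</Comment_Text><Priv_Used>5</Priv_Used><DBID>4045712141</DBID>
</AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108590</Session_Id><EntryId>2</EntryId><Extended_Timestamp>2018-02-06T20:41:03.386000Z</Extended_Timestamp><DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\SYSTEM</OS_User><Userhost>WORKGROUP\Marksman-TEST</Userhost><OS_Process>780:1584</OS_Process><Terminal>Marksman-TEST</Terminal><Instance_Number>0</Instance_Number><Action>101</Action><Returncode>0</Returncode><DBID>4045712141</DBID>
</AuditRecord>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>108591</Session_Id><StatementId>1</StatementId><EntryId>1</EntryId><Extended_Timestamp>2018-02-06T20:41:09.101000Z</Extended_Timestamp><DB_User>SYSTEM</DB_User><OS_User>NT AUTHORITY\SYSTEM</OS_User><Userhost>WORKGROUP\Marksman-TEST</Userhost><OS_Process>780:1590</OS_Process><Terminal>Marksman-TEST</Terminal><Instance_Number>0</Instance_Number><Action>100</Action><TransactionId>0000000000000000</TransactionId><Returncode>1017</Returncode><Priv_Used>5</Priv_Used><DBID>4045712141</DBID>
</AuditRecord>
</Audit>
"""


def parse_audit_file(data):
    """Return one dict per <AuditRecord> in an Oracle XML audit document.

    `data` may be bytes (a file's contents) or str; the XML declaration's
    encoding is honoured when bytes are passed.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    root = ET.fromstring(data)
    records = []
    for rec in root.iter(NS + "AuditRecord"):
        fields = {}
        for child in rec:
            name = child.tag.split("}", 1)[-1]        # drop the namespace prefix
            text = (child.text or "").strip()
            if name in INT_FIELDS and text.lstrip("-").isdigit():
                fields[name] = int(text)
            else:
                fields[name] = text
        # Derived fields (this example's own names) to make rules easy to write.
        fields["action_name"] = ACTION_NAMES.get(fields.get("Action"), "OTHER")
        fields["outcome"] = "success" if fields.get("Returncode") == 0 else "failure"
        records.append(fields)
    return records


def is_failed_logon(record):
    """True for a LOGON (Action 100) whose Returncode is non-zero, e.g. 1017."""
    return record.get("Action") == 100 and record.get("Returncode", 0) != 0


def to_json_lines(records):
    """Serialise records one per line; json.dumps never emits a raw newline."""
    return [json.dumps(r, ensure_ascii=False, sort_keys=True) for r in records]


if __name__ == "__main__":
    # Usage: flatten_oracle_audit.py <audit.xml>... >> /var/log/oracle_audit.json
    # With no arguments the constructed sample is processed instead.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_XML]
    for blob in blobs:
        for line in to_json_lines(parse_audit_file(blob)):
            print(line)
```

Two caveats a practitioner would want. First, the audit files are written by the database server, but if this parser is ever pointed at XML from a less trusted source, swap `xml.etree.ElementTree` for `defusedxml` to block entity-expansion attacks. Second, the fields worth a rule are `data.Action` with `data.Returncode`: a LOGON (100) with a non-zero return code is a failed authentication, and a frequency rule on those per `data.Userhost` is the obvious brute-force detection, while LOGON/LOGOFF pairs with Returncode 0 are normal and can be kept at a low level. If you would rather have Wazuh read the XML files directly, the other route is a `<localfile>` with a wildcard `<location>` for the dynamic file names and the `multi-line:N` log format, but the joined 40-line record then has to be decoded with regexes, which is what this script avoids.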