On Sun, Sep 23, 2018 at 11:20 PM Khoa Phạm Anh <[email protected]> wrote:
>
> Hi Dan! I have updated your decoder and it worked perfectly then! Thanks so
> much for helping me.
>
> Another issue, about the MS Exchange IIS log:
> These are all the fields:
> #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
> c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status
> time-taken
>
> Here is my log:
> 2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 domainname\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557
>
> My IIS log decoder now is:
> <decoder name="web-accesslog-iis-default">
> <parent>windows-date-format</parent>
> <type>web-log</type>
> <use_own_name>true</use_own_name>
> <prematch offset="after_parent">^\S+ GET |^\S+ POST</prematch>
> <regex offset="after_parent">^\S+ (\w+) (\S+ \S+) (\S+) \S+ (\S+) (\S+) \.*(\d\d\d) </regex>
> <order>action, url, srcport, srcip, user_agent, id</order>
> </decoder>
>
> and the Result for the log decoded above:
>
> **Phase 2: Completed decoding.
> decoder: 'windows-date-format'
> action: 'POST'
> url: '/Microsoft-Server-ActiveSync/default.eas User=thangdn&DeviceId=I51HJHEMND20F9QFEPSU7LT5F8&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=ZSMLJBRL0YTICIUBVOUG&cafeReqId=83f425f6-653b-405b-b9a0-c0e51f47e21a;'
> srcport: '443'
> srcip: 'xxx.xxx.57.151'
> user_agent: 'Apple-iPhone10C5/1507.77'
> id: '200'
> ===> I need to parse out the field IP xxx.xxx.31.24 and the User:
> domainname\tientx, but I failed many times.
>
> 2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 domainname\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557
>
<decoder name="web-accesslog-iis-default">
<parent>windows-date-format</parent>
<type>web-log</type>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^\S+ GET |^\S+ POST</prematch>
<regex offset="after_parent">^(\S+) (\w+) (\S+ \S+) (\S+) (\S+) (\S+) (\S+) \.*(\d\d\d) </regex>
<order>dstip, action, url, srcport, user, srcip, user_agent, id</order>
</decoder>
**Phase 1: Completed pre-decoding.
full event: '2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 domainname\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557'
hostname: 'rossak'
program_name: '(null)'
log: '2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 domainname\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557'
**Phase 2: Completed decoding.
decoder: 'windows-date-format'
dstip: 'xxx.xxx.31.24'
action: 'POST'
url: '/Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c;'
srcport: '443'
dstuser: 'domainname\tientx'
srcip: 'xxx.xxx.39.89'
dstuser: 'Apple-iPhone8C1/1501.402'
id: '200'
**Phase 3: Completed filtering (rules).
Rule id: '31108'
Level: '0'
Description: 'Ignored URLs (simple queries).'
> Can you help me check it, Dan?
>
> Thanks and Best Regards
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
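As an added illustration (not code from the thread or from OSSEC itself) of why the eight-group decoder above lines up with the IIS W3C format, the following Python parses the same log line two ways: column-by-column from the `#Fields:` directive, and with a PCRE equivalent of the decoder's `<regex offset="after_parent">` applied once the `windows-date-format` parent has consumed the leading `date time`. The sample line is constructed from the one quoted in the mail, with the IP octets masked as there; the field mapping `W3C_TO_OSSEC` and the helper names are this example's own assumptions.

```python
import re

# Constructed sample: the "#Fields:" directive and one log line as quoted in the thread.
FIELDS_LINE = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
               "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
               "sc-win32-status time-taken")
LOG_LINE = ("2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas "
            "User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping"
            "&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG"
            "&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; "
            "443 domainname\\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557")

# Assumed mapping from W3C column names to the names used in the decoder's <order>.
W3C_TO_OSSEC = {"s-ip": "dstip", "cs-method": "action", "s-port": "srcport",
                "cs-username": "user", "c-ip": "srcip", "cs(User-Agent)": "user_agent",
                "sc-status": "id"}

# PCRE form of the OSSEC regex: OSSEC's "\.*" (any characters) becomes ".*?" here.
AFTER_PARENT_RE = re.compile(r"^(\S+) (\w+) (\S+ \S+) (\S+) (\S+) (\S+) (\S+) .*?(\d{3}) ")
ORDER = ["dstip", "action", "url", "srcport", "user", "srcip", "user_agent", "id"]


def parse_fields_directive(line):
    """Return the ordered column names from a W3C '#Fields:' directive."""
    if not line.startswith("#Fields:"):
        raise ValueError("not a #Fields directive")
    return line[len("#Fields:"):].split()


def decode_by_columns(fields, line):
    """Split on single spaces (IIS encodes spaces inside values as '+'), then
    map the columns to decoder names; stem and query are joined into 'url'."""
    cols = line.split(" ")
    if len(cols) != len(fields):
        raise ValueError("expected %d columns, got %d" % (len(fields), len(cols)))
    row = dict(zip(fields, cols))
    out = {W3C_TO_OSSEC[k]: v for k, v in row.items() if k in W3C_TO_OSSEC}
    out["url"] = row["cs-uri-stem"] + " " + row["cs-uri-query"]
    return out


def decode_after_parent(line):
    """Drop 'date time ' as the parent decoder does, then apply the regex;
    returns None when the line does not match, as the decoder would."""
    rest = line.split(" ", 2)[2]
    m = AFTER_PARENT_RE.match(rest)
    return dict(zip(ORDER, m.groups())) if m else None
```

Both functions return the same eight fields for the sample line, which is the check to run before trusting a new `<order>` against a changed `#Fields:` header.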