Hi Ian,
Changing the decoders could be a harmful process. Keep in mind that if you
change something in /var/ossec/rules, it will be overwritten during an
update.
Wazuh has created the *decoder_exclude* to simulate the *overwrite* option
existing in rules but not in decoders. Take a look at the
On Thu, Jul 6, 2017 at 9:52 PM, Ian Brown wrote:
> Dan,
>
> Apparently it isn't compatible:
>
> ../bin/ossec-logtest -v
> 2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for
> decoder 'decoder'
> 2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration
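An added configuration example, not part of Dan's message and not a file from the Wazuh project, showing how the `decoder_exclude` option is used in the `<ruleset>` section of `ossec.conf` to skip a stock decoder file and load a locally maintained copy instead, so the edited copy lives under `etc/decoders` where updates leave it alone. The file name `windows_decoders.xml` is an assumption; check the real name in your `ruleset/decoders` directory.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment) -->
<ruleset>
  <!-- Stock decoders shipped with the ruleset; this directory is
       overwritten on update, so nothing should be edited in place here. -->
  <decoder_dir>ruleset/decoders</decoder_dir>

  <!-- Skip the stock Windows decoder file so that the local copy below is
       the only definition of those decoders that gets loaded.
       File name is an assumption. -->
  <decoder_exclude>ruleset/decoders/windows_decoders.xml</decoder_exclude>

  <!-- Local decoders are loaded from etc/decoders, which updates do not
       touch. Put the edited copy of the Windows decoder file here. -->
  <decoder_dir>etc/decoders</decoder_dir>

  <rule_dir>ruleset/rules</rule_dir>
  <rule_dir>etc/rules</rule_dir>
</ruleset>
```

After restarting the manager, feed a sample entry to `ossec-logtest` and check the Phase 2 output to confirm that the fields the stock decoder used to extract are still present from the local copy. As the thread notes, this option is a Wazuh addition; the OSSEC HIDS v2.8 shipped with Security Onion does not recognise it.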
Dan,
Apparently it isn't compatible:
../bin/ossec-logtest -v
2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for
decoder 'decoder'
2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration error at
'/etc/decoder.xml'. Exiting.
On 7/6/2017 6:48 PM, dan (ddp) wrote:
On Thu, Jul 6, 2017 at 9:08 PM, Ian Brown wrote:
> Dan,
>
> It's what comes in SecurityOnion's latest iso (securityonion-14.04.5.2.iso).
>
> ./ossec-logtest -V
>
> OSSEC HIDS v2.8 - Trend Micro Inc.
>
> This program is free software; you can redistribute it and/or modify
> it
On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown wrote:
> Dan, that matches for the source and destination IP addresses, but if I
> understand logtest's "Phase 2" output correctly, using those additional
> decoders drops all the other things that the original windows decoder found:
On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown wrote:
> There is a decoder that isn't quite handling some log entries the way I
> need. I want to augment an existing decoder, but apparently I'm not doing
> this correctly.
> Here's an example log entry:
> 2017 Jul 03 11:17:37
There is a decoder that isn't quite handling some log entries the way I
need. I want to augment an existing decoder, but apparently I'm not doing
this correctly.
Here's an example log entry:
2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152):
Microsoft-Windows-Security-Auditing: