Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-07 Thread Jesus Linares
Hi Ian, changing the decoders can be a harmful process. Keep in mind that if you change something in /var/ossec/rules, it will be overwritten during an update. Wazuh has created the *decoder_exclude* to simulate the *overwrite* option existing in rules but not in decoders. Take a look at the

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
On Thu, Jul 6, 2017 at 9:52 PM, Ian Brown wrote: > Dan, > > Apparently it isn't compatible: > > ../bin/ossec-logtest -v > 2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for > decoder 'decoder' > 2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread Ian Brown
Dan, Apparently it isn't compatible: ../bin/ossec-logtest -v 2017/07/07 01:50:33 ossec-analysisd: Invalid element 'accumulate' for decoder 'decoder' 2017/07/07 01:50:33 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting. On 7/6/2017 6:48 PM, dan (ddp) wrote:

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
On Thu, Jul 6, 2017 at 9:08 PM, Ian Brown wrote: > Dan, > > It's what comes in SecurityOnion's latest iso (securityonion-14.04.5.2.iso). > > ./ossec-logtest -V > > OSSEC HIDS v2.8 - Trend Micro Inc. > > This program is free software; you can redistribute it and/or modify > it

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-06 Thread dan (ddp)
On Wed, Jul 5, 2017 at 10:26 PM, Ian Brown wrote: > Dan, that matches for the source and destination IP addresses, but if I > understand logtest's "Phase 2" output correctly, using those additional > decoders drops all the other things that the original windows decoder found:

Re: [ossec-list] What is the best method to augment an existing decoder?

2017-07-05 Thread dan (ddp)
On Mon, Jul 3, 2017 at 2:52 PM, Ian Brown wrote: > There is a decoder that isn't quite handling some log entries the way I > need. I want to augment an existing decoder, but apparently I'm not doing > this correctly. > Here's an example log entry: > 2017 Jul 03 11:17:37

[ossec-list] What is the best method to augment an existing decoder?

2017-07-03 Thread Ian Brown
There is a decoder that isn't quite handling some log entries the way I need. I want to augment an existing decoder, but apparently I'm not doing this correctly. Here's an example log entry: 2017 Jul 03 11:17:37 WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing:
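An added illustration of the child-decoder approach the subject line asks about; it is not text from any message in this thread and not part of the OSSEC or Wazuh rulesets. It shows a decoder placed in local_decoder.xml (the file OSSEC 2.8 loads through a `<decoder>local_decoder.xml</decoder>` entry in the `<rules>` section of ossec.conf, so it is not overwritten by a ruleset update) that hangs off the stock `windows` decoder and extracts source and destination addresses from a Filtering Platform packet-drop event like the 5152 line quoted in the question. The decoder name, and the assumption that the flattened event text carries "Source Address:" and "Destination Address:" fields, are mine, not the thread's:

```xml
<!-- /var/ossec/etc/local_decoder.xml
     Added example, not from the thread. The decoder name and the layout of
     the 5152 message body after the event header are assumptions. -->
<decoder name="windows-wfp-drop">
  <!-- Attach to the stock "windows" decoder, whose prematch is "WinEvtLog: ",
       instead of editing decoder.xml (which an update would overwrite). -->
  <parent>windows</parent>

  <!-- Only look at Filtering Platform packet-drop audit failures.
       Literal parentheses must be escaped in OSSEC regex syntax. -->
  <prematch offset="after_parent">^Security: AUDIT_FAILURE\(5152\): </prematch>

  <!-- The agent flattens the multi-line event into one line, so the two
       address fields can be picked out with one regex; "\.+" is OSSEC's
       "any characters" and "\S+" stops at the next space. -->
  <regex offset="after_parent">Source Address: (\S+) \.+Destination Address: (\S+) </regex>
  <order>srcip, dstip</order>
</decoder>
```

Check the result the way the thread does: run `/var/ossec/bin/ossec-logtest -v` and paste the event line. Phase 2 of the output names the decoder that matched and lists every field it extracted; compare that list with what the unmodified install produced for the same line, because, as Ian reports later in the thread, a new child decoder that matches can leave you with only its own fields and drop the ones (user, system name, event id) that the stock Windows decoder was extracting before.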