Re: [ossec-list] Missing EventData - Data fields in archives and alerts
Yes,

2017 Aug 09 09:29:02 (hostname) 10.1.0.1->WinEvtLog 2017 Aug 09 09:30:55 WinEvtLog: MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=OU/mailbox - mailbox, User=domain\user, AccessRights={FullAccess}}.

It is also missing the rest of the logs. :\

Thanks!

On Saturday, 12 August 2017 at 1:02:21 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth wrote:
> > Dear Group!
> >
> > I've tried to parse MSExchange Management / MSExchange Cmdlet logs from
> > Windows Event Log from its own log source. I've also enabled the logall option.
> > Logtest is working. I'm currently getting and parsing the logs but I miss
> > additional information. Seems like the log is incomplete also in
> > archives.log.
> >
> > [...]
> >
> > What can I do in order to extract especially the 3rd field (or all)
> > and show in logs?
>
> Can you share a log sample from archives.log?
>
> > Thanks in advance!
> >
> > Cheers,
> >
> > Tibor

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [ossec-list] Missing EventData - Data fields in archives and alerts
On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth wrote:
> Dear Group!
>
> I've tried to parse MSExchange Management / MSExchange Cmdlet logs from
> Windows Event Log from its own log source. I've also enabled the logall option.
> Logtest is working. I'm currently getting and parsing the logs but I miss
> additional information. Seems like the log is incomplete also in
> archives.log.
>
> [...]
>
> What can I do in order to extract especially the 3rd field (or all)
> and show in logs?

Can you share a log sample from archives.log?

> Thanks in advance!
>
> Cheers,
>
> Tibor
[ossec-list] Missing EventData - Data fields in archives and alerts
Dear Group!

I've tried to parse MSExchange Management / MSExchange Cmdlet logs from Windows Event Log from its own log source. I've also enabled the logall option. Logtest is working. I'm currently getting and parsing the logs but I miss additional information. Seems like the log is incomplete also in archives.log.

Here is my config, decoder, rule snippet:

<localfile>
  <location>MSExchange Management</location>
  <log_format>eventlog</log_format>
</localfile>

A simple decoder:

  MSExchange Management:

A simple rule:

  MSExchange
  Exchange Alert

  18101
  MSExchange Management: INFORMATION
  Exchange information

  100112
  Add-MailboxPermission
  Malibox permission changed

The alert output is:

Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC: "Malibox permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME: "(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname) 10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog: MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=OU/mailbox - mailbox, User=domain\user, AccessRights={FullAccess}}. [END]";

according to the custom output in ossec.conf:

<custom_alert_output>Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]";</custom_alert_output>
<logall>yes</logall>

The raw source in EvtLog in XML view:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1</EventID>
    <Level>4</Level>
    <Task>1</Task>
    <Keywords>0x80</Keywords>
    <EventRecordID>14236</EventRecordID>
    <Channel>MSExchange Management</Channel>
    <Computer>hostname</Computer>
  </System>
  <EventData>
    <Data>Add-MailboxPermission</Data>
    <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\user, AccessRights={FullAccess}}</Data>
    <Data>domain/Admins/neededusername</Data>
    <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
    <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
    <Data>ServerRemoteHost-EMC</Data>
    <Data>6824</Data>
    <Data>62</Data>
    <Data>00:00:00.1093778</Data>
    <Data>View Entire Forest: 'True', Configuration Domain Controller: 'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain Controllers: '{ dc-host }'</Data>
  </EventData>
</Event>

What can I do in order to extract especially the 3rd field (or all) and show in logs?

Thanks in advance!

Cheers,

Tibor
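As an added example (not code from the thread, from OSSEC, or from Tibor's decoder), a Python parser for the archives.log line format quoted in this thread: it splits the OSSEC eventlog header (log, type, id, source, user, domain, computer), pulls the cmdlet name and its brace-nested parameter block, and flags FullAccess grants, a narrower condition than rule 100115's bare Add-MailboxPermission match. The sample line is constructed after the one Tibor posted, with placeholder names; the field order in the regexes follows that WinEvtLog line.

```python
import re
# Constructed sample modelled on the archives.log line quoted in this thread;
# host name, IP address and account names are placeholders, as in the thread.
SAMPLE = ('2017 Aug 09 09:29:02 (hostname) 10.1.0.1->WinEvtLog 2017 Aug 09 09:30:55 WinEvtLog: '
          'MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no domain: domain.domain: '
          'Cmdlet succeeded. Cmdlet Add-MailboxPermission, parameters {Identity=OU/mailbox - mailbox, User=domain\\user, AccessRights={FullAccess}}.')
# archives.log prefix: "<agent ts> (<agent>) <agent ip>-><location> <event text>"
ARCHIVE_RE = re.compile(r'^(?P<agent_ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]+)\) '
                        r'(?P<agent_ip>\S+)->(?P<location>\S+) (?P<event>.*)$')
# OSSEC eventlog text: "WinEvtLog: <log>: <TYPE>(<id>): <source>: <user>: <domain>: <computer>: <msg>"
EVENT_RE = re.compile(r'^(?P<event_ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) WinEvtLog: (?P<log>[^:]+): '
                      r'(?P<type>[A-Z_]+)\((?P<id>\d+)\): (?P<source>[^:]+): (?P<user>[^:]+): '
                      r'(?P<domain>[^:]+): (?P<computer>[^:]+): (?P<message>.*)$')
CMDLET_RE = re.compile(r'Cmdlet (?P<cmdlet>[\w-]+), parameters \{(?P<params>.*)\}\.?$')

def split_params(text):
    """Split 'K=V, K={a, b}' into a dict; commas inside braces stay with their value."""
    params, depth, cur = {}, 0, ''
    for ch in text + ',':
        if ch == ',' and depth == 0:
            key, _, val = cur.strip().partition('=')
            if key:
                params[key] = val.strip('{}')
            cur = ''
        else:
            depth += (ch == '{') - (ch == '}')
            cur += ch
    return params

def parse_archive_line(line):
    """Return a flat dict of everything the flattened event text carries, or None."""
    m = ARCHIVE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    e = EVENT_RE.match(rec.pop('event'))
    if not e:
        return None
    rec.update(e.groupdict())
    c = CMDLET_RE.search(rec['message'])
    if c:
        rec['cmdlet'] = c.group('cmdlet')
        rec.update(split_params(c.group('params')))
    return rec

def is_fullaccess_grant(rec):
    """Detection: Add-MailboxPermission that hands out FullAccess on a mailbox."""
    rights = {r.strip() for r in rec.get('AccessRights', '').split(',')}
    return rec.get('cmdlet') == 'Add-MailboxPermission' and 'FullAccess' in rights
```

The account that ran the cmdlet (the third Data element in the XML above) is simply not present in this text, so no decoder regex over archives.log can recover it; only the eventlog header fields, the cmdlet and its parameters are available.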