Re: [ossec-list] Missing EventData - Data fields in archives and alerts

2017-08-13 Thread Tibor Luth
Yes,

2017 Aug 09 09:29:02 (hostname) 10.1.0.1->WinEvtLog 2017 Aug 09 09:30:55 
WinEvtLog: MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: 
(no user): no domain: domain.domain: Cmdlet succeeded. Cmdlet 
Add-MailboxPermission, parameters {Identity=OU/mailbox - mailbox, 
User=domain\user, AccessRights={FullAccess}}.

It's also missing the rest of the logs. :\

Thanks!

On Saturday, 12 August 2017 at 1:02:21 UTC+2, dan (ddpbsd) wrote:
>
> On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth wrote:
> > Dear Group! 
> > 
> > I've tried to parse MSExchange Management / MSExchange Cmdlet logs from
> > Windows Event Log from its own log source. I've also enabled the logall
> > option. Logtest is working. I'm currently getting and parsing the logs but I
> > miss additional information. Seems like the log is incomplete also in
> > archives.log.
> > 
> > Here is my config, decoder, rule snippet: 
> > 
> >  
> >  
> > MSExchange Management 
> > eventlog 
> >
> >  
> > 
> > A simple decoder: 
> > 
> >  
> > MSExchange Management: 
> >  
> > 
> > A simple rule: 
> > 
> >  
> >  
> > MSExchange 
> > Exchange Alert 
> >  
> > 
> >  
> > 18101 
> > MSExchange Management: INFORMATION 
> > Exchange information 
> >  
> > 
> >  
> > 100112 
> > Add-MailboxPermission 
> > Malibox permission changed 
> >  
> >  
> > 
> > The alert output is: 
> > 
> > Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC:
> > "Malibox permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME:
> > "(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname)
> > 10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog:
> > MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no
> > domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission,
> > parameters {Identity=OU/mailbox - mailbox, User=domain\user,
> > AccessRights={FullAccess}}.  [END]";
> > 
> > according to the custom output in ossec.conf: 
> > 
> > Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
> > "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP:
> > "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
> > "[INIT]$FULLLOG[END]";
> > yes 
> > 
> > The raw source in EvtLog in XML view: 
> > 
> > - http://schemas.microsoft.com/win/2004/08/events/event;> 
> > -  
> >
> >   1 
> >   4 
> >   1 
> >   0x80 
> >
> >   14236 
> >   MSExchange Management 
> >   hostname 
> >
> >
> > -  
> >   Add-MailboxPermission 
> >   {Identity=domain/OU/mailbox - mailbox, User=domain\user, 
> > AccessRights={FullAccess}} 
> >   domain/Admins/neededusername 
> >   S-1-5-21-1916089304-1293223718-2292494036-4672 
> >   S-1-5-21-1916089304-1293223718-2292494036-4672 
> >   ServerRemoteHost-EMC 
> >   6824 
> >
> >   62 
> >   00:00:00.1093778 
> >   View Entire Forest: 'True', Configuration Domain Controller: 
> > 'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain 
> > Controllers: '{ dc-host }' 
> >
> >
> >
> >
> >
> > 
> > What can I do in order to extract especially the 3rd <Data> field (or all)
> > and show it in logs?
> > 
>
> Can you share a log sample from archives.log? 
>
> > Thanks in advance! 
> > 
> > Cheers, 
> > 
> > Tibor 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
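An added example (my own Python, not code from the thread or from OSSEC) that makes the gap in the question concrete. It parses the archives.log line Tibor posted above using the header layout visible in that line (WinEvtLog: channel: level(event id): source: user: domain: computer: message), pulls the cmdlet and its Identity/User/AccessRights parameters out of the rendered message, and then reads the positional Data fields from a constructed minimal Event XML built from the values in the thread's XML view. Put side by side, the two views show the problem: the flattened line carries "(no user)" as the user, while the account that actually ran the cmdlet (domain/Admins/neededusername) only exists as the 3rd Data field. The regexes, the sample XML (its System attributes are left out) and the FullAccess check are my assumptions, not anything OSSEC ships.

```python
"""Side-by-side parse of the flattened OSSEC WinEvtLog line and the raw EventData."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample input: the archives.log line quoted in the thread,
# re-joined onto a single line (the list software wrapped it).
ARCHIVE_LINE = (
    "2017 Aug 09 09:29:02 (hostname) 10.1.0.1->WinEvtLog 2017 Aug 09 09:30:55 "
    "WinEvtLog: MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: "
    "(no user): no domain: domain.domain: Cmdlet succeeded. Cmdlet "
    "Add-MailboxPermission, parameters {Identity=OU/mailbox - mailbox, "
    "User=domain\\user, AccessRights={FullAccess}}."
)

# Constructed sample input: a minimal <Event> document carrying the <Data>
# values from the thread's XML view; the <System> attributes are left out.
SAMPLE_EVENT_XML = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventRecordID>14236</EventRecordID>
    <Channel>MSExchange Management</Channel>
    <Computer>hostname</Computer>
  </System>
  <EventData>
    <Data>Add-MailboxPermission</Data>
    <Data>{Identity=domain/OU/mailbox - mailbox, User=domain\\user, AccessRights={FullAccess}}</Data>
    <Data>domain/Admins/neededusername</Data>
    <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
    <Data>S-1-5-21-1916089304-1293223718-2292494036-4672</Data>
    <Data>ServerRemoteHost-EMC</Data>
    <Data>6824</Data>
    <Data/>
  </EventData>
</Event>
"""
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Header layout visible in the flattened line:
#   WinEvtLog: <channel>: <level>(<event id>): <source>: <user>: <domain>: <computer>: <message>
WINEVT_RE = re.compile(
    r"WinEvtLog: (?P<channel>[^:]+): (?P<level>[A-Z_]+)\((?P<event_id>\d+)\): "
    r"(?P<source>[^:]+): (?P<user>[^:]+): (?P<domain>[^:]+): (?P<computer>[^:]+): "
    r"(?P<message>.*)$"
)
# Rendered body of an MSExchange CmdletLogs message (assumed shape).
CMDLET_RE = re.compile(
    r"Cmdlet (?P<status>\w+)\. Cmdlet (?P<cmdlet>\S+), parameters "
    r"\{(?P<params>.*)\}\.?$"
)


def parse_parameters(params: str) -> dict:
    """Split 'Identity=..., User=..., AccessRights={...}' into a dict.
    Splitting only before 'Name=' keeps commas and ' - ' inside values intact."""
    fields = {}
    for item in re.split(r", (?=\w+=)", params):
        key, _, value = item.partition("=")
        # Drop one pair of enclosing braces, e.g. AccessRights={FullAccess}.
        if value.startswith("{") and value.endswith("}"):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_winevt_line(line: str) -> Optional[dict]:
    """Return the fields recoverable from the flattened log line, or None."""
    m = WINEVT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    body = CMDLET_RE.search(rec["message"])
    if body:
        rec["status"] = body["status"]
        rec["cmdlet"] = body["cmdlet"]
        rec["parameters"] = parse_parameters(body["params"])
    return rec


def event_data_fields(xml_text: str) -> list:
    """Return the positional <Data> values of an <Event> document ('' when empty)."""
    root = ET.fromstring(xml_text)
    return [(d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)]


def enrich_with_event_data(rec: dict, xml_text: str) -> dict:
    """Attach the caller (3rd <Data> field), which the rendered message lacks."""
    data = event_data_fields(xml_text)
    out = dict(rec)
    out["caller"] = data[2] if len(data) > 2 else None
    return out


def is_full_access_grant(rec: dict) -> bool:
    """Detection: an Add-MailboxPermission that grants FullAccess."""
    rights = rec.get("parameters", {}).get("AccessRights", "")
    return rec.get("cmdlet") == "Add-MailboxPermission" and "FullAccess" in rights


if __name__ == "__main__":
    rec = parse_winevt_line(ARCHIVE_LINE)
    print("from message : user=%s cmdlet=%s %s" % (rec["user"], rec["cmdlet"], rec["parameters"]))
    rec = enrich_with_event_data(rec, SAMPLE_EVENT_XML)
    print("from EventData: caller=%s" % rec["caller"])
    print("FullAccess grant:", is_full_access_grant(rec))
```

Run as a script it prints both views. The user/domain/computer positions in the header are what OSSEC's $DSTUSER and friends would have to be filled from, so a decoder written against the rendered message can only ever yield "(no user)" for this event; whatever carries the actual caller has to read the EventData rather than the message text.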


Re: [ossec-list] Missing EventData - Data fields in archives and alerts

2017-08-11 Thread dan (ddp)
On Fri, Aug 11, 2017 at 3:16 PM, Tibor Luth wrote:
> Dear Group!
>
> I've tried to parse MSExchange Management / MSExchange Cmdlet logs from
> Windows Event Log from its own log source. I've also enabled the logall option.
> Logtest is working. I'm currently getting and parsing the logs but I miss
> additional information. Seems like the log is incomplete also in
> archives.log.
>
> Here is my config, decoder, rule snippet:
>
> 
> 
> MSExchange Management
> eventlog
>   
> 
>
> A simple decoder:
>
> 
> MSExchange Management:
> 
>
> A simple rule:
>
> 
> 
> MSExchange
> Exchange Alert
> 
>
> 
> 18101
> MSExchange Management: INFORMATION
> Exchange information
> 
>
> 
> 100112
> Add-MailboxPermission
> Malibox permission changed
> 
> 
>
> The alert output is:
>
> Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC:
> "Malibox permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME:
> "(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname)
> 10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog:
> MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no
> domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission,
> parameters {Identity=OU/mailbox - mailbox, User=domain\user,
> AccessRights={FullAccess}}.  [END]";
>
> according to the custom output in ossec.conf:
>
> Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL:
> "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP:
> "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT:
> "[INIT]$FULLLOG[END]"; 
> yes
>
> The raw source in EvtLog in XML view:
>
> - http://schemas.microsoft.com/win/2004/08/events/event;>
> - 
>   
>   1
>   4
>   1
>   0x80
>   
>   14236
>   MSExchange Management
>   hostname
>   
>   
> - 
>   Add-MailboxPermission
>   {Identity=domain/OU/mailbox - mailbox, User=domain\user,
> AccessRights={FullAccess}}
>   domain/Admins/neededusername
>   S-1-5-21-1916089304-1293223718-2292494036-4672
>   S-1-5-21-1916089304-1293223718-2292494036-4672
>   ServerRemoteHost-EMC
>   6824
>   
>   62
>   00:00:00.1093778
>   View Entire Forest: 'True', Configuration Domain Controller:
> 'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain
> Controllers: '{ dc-host }'
>   
>   
>   
>   
>   
>
> What can I do in order to extract especially the 3rd <Data> field (or all)
> and show it in logs?
>

Can you share a log sample from archives.log?

> Thanks in advance!
>
> Cheers,
>
> Tibor
>



[ossec-list] Missing EventData - Data fields in archives and alerts

2017-08-11 Thread Tibor Luth
Dear Group!

I've tried to parse MSExchange Management / MSExchange Cmdlet logs from 
Windows Event Log from its own log source. I've also enabled the logall option. 
Logtest is working. I'm currently getting and parsing the logs but I miss 
additional information. Seems like the log is incomplete also in 
archives.log.

Here is my config, decoder, rule snippet:



MSExchange Management
eventlog
  


A simple decoder:


MSExchange Management:


A simple rule:



MSExchange
Exchange Alert



18101
MSExchange Management: INFORMATION
Exchange information



100112
Add-MailboxPermission
Malibox permission changed



The alert output is:

Alert - "1502263742" --> RID: "100115"; RL: "1"; RG: "msexchange"; RC: "Malibox 
permission changed"; USER: "(no user)"; SRCIP: "None"; HOSTNAME: 
"(hostname) 10.1.0.1->WinEvtLog"; LOCATION: "(hostname) 
10.1.0.1->WinEvtLog"; EVENT: "[INIT]2017 Aug 09 09:30:55 WinEvtLog: 
MSExchange Management: INFORMATION(1): MSExchange CmdletLogs: (no user): no 
domain: domain.domain: Cmdlet succeeded. Cmdlet Add-MailboxPermission, 
parameters {Identity=OU/mailbox - mailbox, User=domain\user, 
AccessRights={FullAccess}}.  [END]";

according to the custom output in ossec.conf:

Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: 
"$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; 
SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: 
"[INIT]$FULLLOG[END]"; 
yes

The raw source in EvtLog in XML view:

- http://schemas.microsoft.com/win/2004/08/events/event;>
- 
   
  1 
  4 
  1 
  0x80 
   
  14236 
  MSExchange Management 
  hostname 
   
  
- 
  Add-MailboxPermission 
  {Identity=domain/OU/mailbox - mailbox, User=domain\user, 
AccessRights={FullAccess}} 
  domain/Admins/neededusername 
  S-1-5-21-1916089304-1293223718-2292494036-4672 
  S-1-5-21-1916089304-1293223718-2292494036-4672 
  ServerRemoteHost-EMC 
  6824 
   
  62 
  00:00:00.1093778 
  View Entire Forest: 'True', Configuration Domain Controller: 
'dc-host', Preferred Global Catalog: 'dc-host', Preferred Domain 
Controllers: '{ dc-host }' 
   
   
   
  
  

What can I do in order to extract especially the 3rd <Data> field (or all) 
and show it in logs?

Thanks in advance!

Cheers,

Tibor
