Hi,

I'm passing log files from Domain Controllers via the OSSEC agent, and 
trying to refine the decoders for logon events.  As standard, the event 
logs the User as SYSTEM, as this is what raises the event.  The event logs 
contain the User Name and Client IP.  I've added a new decoder to 
local_decoder.xml, and can extract the proper username, but I'm struggling 
to capture the IP address:

This works to extract the user name for events 672, 673 or 675 (which seem 
the relevant ones):

<decoder name="windows_login">
        <type>windows</type>
        <parent>windows</parent>
        <prematch>\((672)|(673)|(675)\)</prematch>
        <regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+</regex>
        <order>status,id,extra_data,system_name,user</order>
</decoder>

but this regex fails:
<regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+)</regex>

Any ideas?  Here are some sample logs:

WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: DC04: Authentication Ticket Request:      *User Name:      tony.hodgson*        Supplied Realm Name: domain.co.uk       User ID:                 -       Service Name:   krbtgt/4ucore.4ultd.co.uk       Service ID:     -       Ticket Options:         0x40810010      Result Code:    0x6     Ticket Encryption Type: -       Pre-Authentication Type: -      *Client Address:         10.250.0.12*    Certificate Issuer Name:        Certificate Serial Number:      Certificate Thumbprint:

WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: DC04: Authentication Ticket Request:           *User Name:      pas.components*          Supplied Realm Name: DOMAIN       User ID:                %{S-1-5-21-1577433185-774302318-2220402944-3242}       Service Name:   krbtgt          Service ID:     %{S-1-5-21-1577433185-774302318-2220402944-502}         Ticket Options:         0x40810010      Result Code:    -       Ticket Encryption Type: 0x17            Pre-Authentication Type: 2      *Client Address:       172.19.83.24*     Certificate Issuer Name:        Certificate Serial Number:      Certificate Thumbprint:

WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: DC04: Service Ticket Request:          User Name:      *Geoff.Fisher@DOMAIN*       User Domain:    DOMAIN.CO.UK      Service Name:   LSG-CBP-DC03$           Service ID:   %{S-1-5-21-1577433185-774302318-2220402944-36611}        Ticket Options:         0x40800000      Ticket Encryption Type: 0x17            *Client Address:         172.19.84.46*            Failure Code:   -       Logon GUID:     {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0}        Transited Services: -

WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: DC04: Pre-authentication failed:       User Name: *W-NMAPP-01$*      User ID:        %{S-1-5-21-1577433185-774302318-2220402944-40192}       Service Name: krbtgt/DOMAIN.CO.UK       Pre-Authentication Type: 0x0     Failure Code: 0x19      *Client Address: 172.19.93.6*


Thanks.
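The following is an added Python example, not part of the post above and not OSSEC's own code. It translates the two OSSEC patterns from the post into Python's re dialect (in OSSEC's syntax `\.` means any character and a bare `.` is a literal dot, so the translation swaps those, and uses lazy quantifiers so the Python match is deterministic) and runs them over constructed event lines modelled on the samples quoted above, with the email's `*` highlighting removed. The assumption it tests is that the second pattern fails only because nothing is allowed between `Client Address:` and the IP, while every sample event has a run of spaces there; the corrected pattern inserts `\s+`, and the extra capture is named `srcip`, which is the standard OSSEC decoder field for a source address. The grouping helper at the end is a defender-side illustration of what the extra field enables (failed Kerberos requests per client address) and is also an addition, not something the post describes.

```python
import re
from typing import Dict, List, Optional

# Event lines modelled on the samples quoted in the post (constructed for this
# example: '*' highlighting removed and each event kept on a single line).
SAMPLE_LOGS = [
    "WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Authentication Ticket Request:      User Name:      tony.hodgson        "
    "Supplied Realm Name: domain.co.uk       User ID:                 -       "
    "Service Name:   krbtgt/4ucore.4ultd.co.uk       Service ID:     -       "
    "Ticket Options:         0x40810010      Result Code:    0x6     "
    "Ticket Encryption Type: -       Pre-Authentication Type: -      "
    "Client Address:         10.250.0.12    Certificate Issuer Name:        "
    "Certificate Serial Number:      Certificate Thumbprint:",
    "WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Service Ticket Request:          User Name:      Geoff.Fisher@DOMAIN       "
    "User Domain:    DOMAIN.CO.UK      Service Name:   LSG-CBP-DC03$           "
    "Service ID:   %{S-1-5-21-1577433185-774302318-2220402944-36611}        "
    "Ticket Options:         0x40800000      Ticket Encryption Type: 0x17           "
    "Client Address:         172.19.84.46            Failure Code:   -       "
    "Logon GUID:     {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0}        "
    "Transited Services: -",
    "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: DC04: "
    "Pre-authentication failed:       User Name: W-NMAPP-01$      "
    "User ID:        %{S-1-5-21-1577433185-774302318-2220402944-40192}       "
    "Service Name: krbtgt/DOMAIN.CO.UK       Pre-Authentication Type: 0x0     "
    "Failure Code: 0x19      Client Address: 172.19.93.6",
]

# Python-re translation of the working OSSEC regex (status,id,extra_data,
# system_name,user). OSSEC's '\.+' becomes '.+?' here; the capture names mirror
# the <order> list in the post.
HEADER = (
    r"^WinEvtLog: .+?: (?P<status>\w+)\((?P<id>\d+)\): (?P<extra_data>.+?): "
    r".+?: .+?: (?P<system_name>\S+):.*?:\s+User Name:\s+(?P<user>\S+)\s+"
)

# Translation of the pattern the post says fails: the IP must start directly
# after "Client Address:", but the events always put spaces there.
POSTED_IP_RE = re.compile(HEADER + r".+Client Address:(?P<srcip>\d+\.\d+\.\d+\.\d+)")

# Corrected form (assumption tested here): allow the whitespace before the IP.
# In OSSEC syntax the equivalent change is "Client Address:\s+(\d+.\d+.\d+.\d+)".
FIXED_IP_RE = re.compile(HEADER + r".+Client Address:\s+(?P<srcip>\d+\.\d+\.\d+\.\d+)")


def decode(line: str, pattern: "re.Pattern[str]" = FIXED_IP_RE) -> Optional[Dict[str, str]]:
    """Return the named fields for one event line, or None when the pattern does not match."""
    match = pattern.search(line)
    return match.groupdict() if match else None


def failures_by_client(lines: List[str]) -> Dict[str, List[str]]:
    """Group AUDIT_FAILURE events by the client address the corrected pattern extracts.

    This is the kind of view the extra srcip field makes possible: many failed
    Kerberos requests from one address are worth a closer look."""
    grouped: Dict[str, List[str]] = {}
    for line in lines:
        fields = decode(line)
        if fields and fields["status"] == "AUDIT_FAILURE":
            grouped.setdefault(fields["srcip"], []).append(fields["user"])
    return grouped


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("posted pattern:", decode(line, POSTED_IP_RE))
        print("fixed pattern: ", decode(line))
    print("failures by client:", failures_by_client(SAMPLE_LOGS))
```

Run stand-alone, the posted translation returns None for every sample line while the corrected one yields the user and client address for each; once the OSSEC pattern gets its `\s+`, the matching `<order>` line would become `status,id,extra_data,system_name,user,srcip`.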
