On Tue, Nov 6, 2012 at 11:39 AM, Chris H <[email protected]> wrote:
>
>
> On Tuesday, November 6, 2012 2:25:43 PM UTC, dan (ddpbsd) wrote:
>>
>> On Tue, Nov 6, 2012 at 6:13 AM, Chris H <[email protected]> wrote:
>> > Hi,
>> >
>> > I'm passing log files from Domain Controllers via the OSSEC agent, and
>> > trying to refine the decoders for logon events. As standard, the event logs
>> > the User as SYSTEM, as this is what raises the event. The event logs
>> > contain the User Name and Client IP. I've added a new decoder to
>> > local_decoder.xml, and can extract the proper username, but I'm struggling
>> > to capture the IP address:
>> >
>> > This works to extract the user name for events 672, 673 or 675 (which seem
>> > the relevant ones):
>> >
>> > <decoder name="windows_login">
>> >   <type>windows</type>
>> >   <parent>windows</parent>
>> >   <prematch>\((672)|(673)|(675)\)</prematch>
>> >   <regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+</regex>
>> >   <order>status,id,extra_data,system_name,user</order>
>> > </decoder>
>> >
>> > but this regex fails:
>> >
>> > <regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+\.+Client Address:(\d+.\d+.\d+.\d+)</regex>
>> >
>> > Any ideas?
>> >
>> > Here are some sample logs:
>> >
>> > WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: DC04: Authentication Ticket Request: User Name: tony.hodgson Supplied Realm Name: domain.co.uk User ID: - Service Name: krbtgt/4ucore.4ultd.co.uk Service ID: - Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: 10.250.0.12 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: DC04: Authentication Ticket Request: User Name: pas.components Supplied Realm Name: DOMAIN User ID: %{S-1-5-21-1577433185-774302318-2220402944-3242} Service Name: krbtgt Service ID: %{S-1-5-21-1577433185-774302318-2220402944-502} Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Client Address: 172.19.83.24 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: DC04: Service Ticket Request: User Name: Geoff.Fisher@DOMAIN User Domain: DOMAIN.CO.UK Service Name: LSG-CBP-DC03$ Service ID: %{S-1-5-21-1577433185-774302318-2220402944-36611} Ticket Options: 0x40800000 Ticket Encryption Type: 0x17 Client Address: 172.19.84.46 Failure Code: - Logon GUID: {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0} Transited Services: -
>> >
>> > WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: DC04: Pre-authentication failed: User Name: W-NMAPP-01$ User ID: %{S-1-5-21-1577433185-774302318-2220402944-40192} Service Name: krbtgt/DOMAIN.CO.UK Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 172.19.93.6
>> >
>> >
>> > Thanks.
>>
>> <decoder name="windows_login">
>>   <type>windows</type>
>>   <parent>windows</parent>
>>   <prematch>\((672)|(673)|(675)\)</prematch>
>>   <regex>^WinEvtLog: \.+: (\w+)\((\d+)\): (\.+): \.+: \.+: (\S+):\.*:\s+User Name:\s+(\S+)\s+</regex>
>>   <order>status,id,extra_data,system_name,user</order>
>> </decoder>
>>
>> <decoder name="windows_login">
>>   <type>windows</type>
>>   <parent>windows</parent>
>>   <regex>Client Address:\s*(\S+)</regex>
>>   <order>srcip</order>
>> </decoder>
>
>
> Thanks, that works, sort of. It works under ossec-logtest, but when I
> enable these in local_decoder.xml it stops logging any events. Without it
> I'm getting lots logged, but without the username being calculated properly.
>
What do you mean it "stops logging any events?" Are you sure the processes are still running? Are you getting any errors in ossec.log?
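As an added illustration (this is editor-supplied code, not from the thread or from OSSEC), the script below approximates the two decoders in dan's reply with Python's re module and runs them over the four sample events Chris posted. OSSEC's os_regex dialect is not PCRE, so the patterns are translated: OSSEC `\.` (any character) becomes Python `.`, the prematch `\((672)|(673)|(675)\)` becomes the single group `\((672|673|675)\)`, and the literal dots of the IP address are written `\.`. The sample events are taken from the thread with the tab/multi-space separators of the real Windows events collapsed to single spaces, as they appear on the page. It also keeps the single-regex attempt from the original post to show one concrete reason it cannot match these lines: every sample has whitespace after "Client Address:", and that pattern puts the digit class directly after the colon.

```python
import re

# The four events posted in the thread (constructed here as single strings;
# whitespace between fields collapsed to one space as shown on the page).
SAMPLE_EVENTS = [
    # AUDIT_FAILURE(672), Authentication Ticket Request
    "WinEvtLog: Security: AUDIT_FAILURE(672): Security: SYSTEM: NT AUTHORITY: "
    "DC04: Authentication Ticket Request: User Name: tony.hodgson Supplied Realm "
    "Name: domain.co.uk User ID: - Service Name: krbtgt/4ucore.4ultd.co.uk "
    "Service ID: - Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption "
    "Type: - Pre-Authentication Type: - Client Address: 10.250.0.12 Certificate "
    "Issuer Name: Certificate Serial Number: Certificate Thumbprint:",
    # AUDIT_SUCCESS(672), Authentication Ticket Request
    "WinEvtLog: Security: AUDIT_SUCCESS(672): Security: SYSTEM: NT AUTHORITY: "
    "DC04: Authentication Ticket Request: User Name: pas.components Supplied "
    "Realm Name: DOMAIN User ID: %{S-1-5-21-1577433185-774302318-2220402944-3242} "
    "Service Name: krbtgt Service ID: "
    "%{S-1-5-21-1577433185-774302318-2220402944-502} Ticket Options: 0x40810010 "
    "Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 "
    "Client Address: 172.19.83.24 Certificate Issuer Name: Certificate Serial "
    "Number: Certificate Thumbprint:",
    # AUDIT_SUCCESS(673), Service Ticket Request
    "WinEvtLog: Security: AUDIT_SUCCESS(673): Security: SYSTEM: NT AUTHORITY: "
    "DC04: Service Ticket Request: User Name: Geoff.Fisher@DOMAIN User Domain: "
    "DOMAIN.CO.UK Service Name: LSG-CBP-DC03$ Service ID: "
    "%{S-1-5-21-1577433185-774302318-2220402944-36611} Ticket Options: 0x40800000 "
    "Ticket Encryption Type: 0x17 Client Address: 172.19.84.46 Failure Code: - "
    "Logon GUID: {a2767528-fbdc-b2f5-1cfb-1c204e97a4e0} Transited Services: -",
    # AUDIT_FAILURE(675), Pre-authentication failed
    "WinEvtLog: Security: AUDIT_FAILURE(675): Security: SYSTEM: NT AUTHORITY: "
    "DC04: Pre-authentication failed: User Name: W-NMAPP-01$ User ID: "
    "%{S-1-5-21-1577433185-774302318-2220402944-40192} Service Name: "
    "krbtgt/DOMAIN.CO.UK Pre-Authentication Type: 0x0 Failure Code: 0x19 "
    "Client Address: 172.19.93.6",
]

# Prematch used by both posters: select Kerberos events 672, 673 and 675.
# (OSSEC form: \((672)|(673)|(675)\) ; Python translation below.)
PREMATCH = re.compile(r"\((672|673|675)\)")

# First decoder, <order>status,id,extra_data,system_name,user</order>.
# OSSEC "\.+" (any run of characters) is written ".+" in Python.
USER_RE = re.compile(
    r"^WinEvtLog: .+: (\w+)\((\d+)\): (.+): .+: .+: (\S+):.*:\s+User Name:\s+(\S+)\s+"
)
USER_FIELDS = ("status", "id", "extra_data", "system_name", "user")

# Second decoder from the reply, <order>srcip</order>.  The \s* absorbs the
# whitespace that follows the "Client Address:" label in every sample event.
SRCIP_RE = re.compile(r"Client Address:\s*(\S+)")

# The single-regex attempt from the original post.  The digit class follows
# the colon directly, so the space after "Client Address:" defeats it.
BROKEN_RE = re.compile(
    r"^WinEvtLog: .+: (\w+)\((\d+)\): (.+): .+: .+: (\S+):.*:\s+User Name:\s+(\S+)\s+"
    r".+Client Address:(\d+\.\d+\.\d+\.\d+)"
)


def decode(line):
    """Fields the two decoders together extract from one event, or None when
    the prematch does not select the event at all."""
    if not PREMATCH.search(line):
        return None
    fields = {}
    m = USER_RE.search(line)
    if m:
        fields.update(zip(USER_FIELDS, m.groups()))
    m = SRCIP_RE.search(line)
    if m:
        fields["srcip"] = m.group(1)
    return fields


def broken_decoder_matches(line):
    """True if the original single-regex attempt would match this event."""
    return BROKEN_RE.search(line) is not None


def decode_all(events=SAMPLE_EVENTS):
    """Decode every event in the list (None for events the prematch skips)."""
    return [decode(e) for e in events]


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, decode_all()):
        print(fields)
        print("  original single regex matches:", broken_decoder_matches(event))
```

Run as a script it prints, for each event, the status/id/extra_data/system_name/user fields from the first pattern plus the srcip from the second, and `False` for the single-regex attempt on all four. Python's re backtracks more freely than os_regex, so this only demonstrates the patterns' logic on the posted samples; ossec-logtest remains the authority for what OSSEC itself will extract.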
