In the /var/ossec/logs/alerts/alerts.json file:

{"rule":{"level":1,"comment":"Windows - Audit Success event catch all.","sidid":18104,"firedtimes":2,"groups":["win_audit"]},"dstuser":"(no user)","full_log":"2016 Sep 14 17:25:27 WinEvtLog: Security: AUDIT_SUCCESS(4627): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: <SubjectSecurityID> <Username> DESKTOP 0x18d6fc <SubjectSecurityID> <Username> DESKTOP 0x67537fa5 2 1 1 \r\n\t\t%{S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-114}\r\n\t\t%{S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx}\r\n\t\t%{S-1-5-32-555}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-32-544}\r\n\t\t%{S-1-5-4}\r\n\t\t%{S-1-2-1}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-113}\r\n\t\t%{S-1-2-0}\r\n\t\t%{S-1-5-64-10}\r\n\t\t%{S-1-16-8192} ","id":"4627","status":"AUDIT_SUCCESS","data":"Microsoft-Windows-Security-Auditing","systemname":"Desktop","decoder":{"name":"windows"},"hostname":"<AgentName>","agentip":"192.168.16.1","timestamp":"2016 Sep 14 17:25:42","location":"WinEvtLog"}
Traffic dump between csyslogd and the syslog receiver:

E...}.@.@............` .....<132>Sep 14 17:25:42 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.8|18104|Windows - Audit Success event catch all.|1|dvc=capricorn cs2=(AgentName) 192.168.16.1->WinEvtLog cs2Label=Location classification= win_audit, msg=2016 Sep 14 17:25:27 WinEvtLog: Security: AUDIT_SUCCESS(4627): Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: <SubjectSecurityID> <Username> <Hostname> 0x18d6fc <SubjectSecurityID> <UserName> <HostName> 0x67537fa5 2 1 1

The part of the event in red is truncated. Is this a bug or by design?
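One way to pin down where the cut happens before deciding whether it is a bug, as an added example that is not part of the post and not OSSEC code: rebuild the CEF line from the alerts.json record using the field layout visible in the captured packet, compare it byte by byte with what the receiver got, and report whether the first missing byte is a CR/LF or the message simply ran past the 1024-byte RFC 3164 packet limit. The CEF layout string is copied from the dump above; the hostname win-agent, the dummy SIDs and user name, the helper names and the sample packet (constructed to stop where the post's dump stops) are all assumptions made for this example.

```python
"""Compare an OSSEC alerts.json record with the CEF line csyslogd sent, to see
where the msg= field was cut. Added example, not OSSEC code: the CEF layout is
copied from the packet shown in the post, everything else is assumed."""
import json
import re
from dataclasses import dataclass

# Constructed sample: the alerts.json record from the post with SIDs and user
# names replaced by dummies. json.loads() turns the \r\n\t\t escapes into real
# CR/LF/TAB characters, which is what the file actually holds.
ALERT_JSON = (
    r'{"rule":{"level":1,"comment":"Windows - Audit Success event catch all.","sidid":18104,'
    r'"firedtimes":2,"groups":["win_audit"]},"dstuser":"(no user)",'
    r'"full_log":"2016 Sep 14 17:25:27 WinEvtLog: Security: AUDIT_SUCCESS(4627): '
    r'Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: '
    r'S-1-5-21-1-2-3-1001 alice DESKTOP 0x18d6fc S-1-5-21-1-2-3-1001 alice '
    r'DESKTOP 0x67537fa5 2 1 1 \r\n\t\t%{S-1-5-21-1-2-3-513}\r\n\t\t%{S-1-1-0}'
    r'\r\n\t\t%{S-1-5-114}\r\n\t\t%{S-1-16-8192} ",'
    r'"id":"4627","status":"AUDIT_SUCCESS","data":"Microsoft-Windows-Security-Auditing",'
    r'"systemname":"Desktop","decoder":{"name":"windows"},"hostname":"win-agent",'
    r'"agentip":"192.168.16.1","timestamp":"2016 Sep 14 17:25:42","location":"WinEvtLog"}'
)

# Constructed sample: the UDP payload the receiver saw (a few leading frame
# bytes kept, as a tcpdump -A dump would show them), cut after "2 1 1 ".
CAPTURED_PACKET = (
    "....<132>Sep 14 17:25:42 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.8|18104|"
    "Windows - Audit Success event catch all.|1|dvc=capricorn cs2=(win-agent) "
    "192.168.16.1->WinEvtLog cs2Label=Location classification= win_audit, "
    "msg=2016 Sep 14 17:25:27 WinEvtLog: Security: AUDIT_SUCCESS(4627): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: "
    "S-1-5-21-1-2-3-1001 alice DESKTOP 0x18d6fc S-1-5-21-1-2-3-1001 alice "
    "DESKTOP 0x67537fa5 2 1 1 "
)

SYSLOG_MAX = 1024  # RFC 3164 packet limit, the usual suspect for cut messages

# <PRI>, then "Mon DD HH:MM:SS ", then the CEF body; re.S so CR/LF in a body match
SYSLOG_HDR = re.compile(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d )(.*)", re.S)


def load_alert(text: str) -> dict:
    """Parse one alerts.json line (the file holds one JSON object per line)."""
    return json.loads(text)


def build_cef(alert: dict, dvc: str) -> str:
    """Render the CEF line with the field layout seen in the captured packet
    (inferred from the post, not taken from csyslogd source)."""
    rule = alert["rule"]
    return ("CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.8|%d|%s|%d|"
            "dvc=%s cs2=(%s) %s->%s cs2Label=Location classification= %s, msg=%s") % (
        rule["sidid"], rule["comment"], rule["level"], dvc,
        alert["hostname"], alert["agentip"], alert["location"],
        ", ".join(rule["groups"]), alert["full_log"])


def split_syslog_packet(payload: str):
    """Return (PRI value, header text, CEF body); leading frame junk is skipped."""
    m = SYSLOG_HDR.search(payload)
    if not m:
        raise ValueError("no syslog header found")
    return int(m.group(1)), m.group(2), m.group(3)


@dataclass
class Cut:
    expected_len: int
    captured_len: int
    divergence: int       # offset of the first byte that differs or is missing
    is_prefix: bool       # captured is a clean prefix (truncation, not corruption)
    cut_at_newline: bool  # the first lost byte is CR or LF
    over_limit: bool      # header + full body would exceed SYSLOG_MAX


def diagnose(expected: str, captured: str, header_len: int, limit: int = SYSLOG_MAX) -> Cut:
    """Locate where the received body stops matching the body we expected."""
    n = 0
    for a, b in zip(expected, captured):
        if a != b:
            break
        n += 1
    is_prefix = n == len(captured) and len(captured) <= len(expected)
    lost = expected[n:n + 1]  # empty string if nothing is missing
    return Cut(len(expected), len(captured), n, is_prefix,
               lost in ("\r", "\n"), header_len + len(expected) > limit)


def check_sample() -> Cut:
    """Run the comparison on the constructed sample above."""
    expected = build_cef(load_alert(ALERT_JSON), "capricorn")
    pri, header, body = split_syslog_packet(CAPTURED_PACKET)
    return diagnose(expected, body, len("<%d>" % pri) + len(header))


if __name__ == "__main__":
    c = check_sample()
    print(c)
    if c.is_prefix and c.cut_at_newline and not c.over_limit:
        print("msg= stops at the first CR/LF of full_log and the whole message is "
              "under %d bytes, so the newline, not the length, marks the cut" % SYSLOG_MAX)
```

Feed it a real alerts.json line and the UDP payload from a tcpdump -A capture of the csyslogd traffic. If the divergence offset lands on a CR or LF while header plus full body is well under the limit, the receiver is getting only the first line of a multi-line Windows event, which is a different problem from a packet that hit the syslog size limit and should be reported as such. Note that alerts.json stores the event JSON-escaped, so the lengths computed here are those of the decoded event, not of the file line.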