I just updated my CentOS 6 OSSEC server using the Atomic RPMs from 2.8.3-53 
to 2.9.0-48.

Before the updates, my Windows server logs were processed fine. After the 
updates, ALL my Windows logs are no longer being decoded correctly.

Using ossec-logtest, and a test log entry of 

2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): 
Microsoft-Windows-Security-Auditing: (no user):

With 2.8.3-53, logtest reports:

**Phase 1: Completed pre-decoding.
       full event: '2017 Feb 08 19:00:00 WinEvtLog: Security: 
AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
       hostname: 'mybox'
       program_name: '(null)'
       log: '2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): 
Microsoft-Windows-Security-Auditing: (no user):'

**Phase 2: Completed decoding.
       decoder: 'windows'

With 2.9.0, logtest reports:

**Phase 1: Completed pre-decoding.
       full event: '2017 Feb 08 19:00:00 WinEvtLog: Security: 
AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
       hostname: 'mybox'
       program_name: 'WinEvtLog'
       log: 'Security: AUDIT_SUCCESS(4738): 
Microsoft-Windows-Security-Auditing: (no user):'

**Phase 2: Completed decoding.
       No decoder matched.

BUT! If I drop off the date stamp prefix and just use the rest of the line, 
IT WORKS!

WinEvtLog: Security: AUDIT_SUCCESS(4738): 
Microsoft-Windows-Security-Auditing: (no user):

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): 
Microsoft-Windows-Security-Auditing: (no user):'
       hostname: 'tmgweb01'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): 
Microsoft-Windows-Security-Auditing: (no user):'

**Phase 2: Completed decoding.
       decoder: 'windows'

I've tried to play with the windows WinEvt decoder definition but I haven't 
had any luck getting it to match with the date stamp.

I will say that my Windows servers are still running the 2.8.3 clients 
because I can't find an install package for 2.9.0 yet. 

Any ideas what's going on here? Help!

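As an added illustration (not code from the post or from OSSEC), this Python script models the two Phase 1 behaviours visible in the logtest output above and shows why a decoder keyed on the log text stops matching once the pre-decoder consumes `WinEvtLog` as `program_name`, while one keyed on `program_name` would still match. The header regex, the two decoder definitions and the unanchored prematch are assumptions chosen to reproduce the three logtest results quoted in the post, not OSSEC's shipped `windows` decoder.

```python
import re

# Constructed sample, identical to the event quoted in the post.
SAMPLE = ("2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): "
          "Microsoft-Windows-Security-Auditing: (no user):")

# Assumption: the newer pre-decoder recognises a header of the form
# "YYYY Mon DD HH:MM:SS program: ..." and consumes the timestamp and program name.
HEADER_RE = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{2} \d\d:\d\d:\d\d ([^:\s]+): (.*)$")

# Two simplified decoder definitions (assumed, not OSSEC's own decoder.xml).
# "prematch" is searched in the log field; "program_name", when present, must
# equal the program_name the pre-decoder extracted.
LOG_KEYED = {"name": "windows", "prematch": r"WinEvtLog: "}
PROGRAM_KEYED = {"name": "windows", "program_name": "WinEvtLog",
                 "prematch": r"^\S+: \S+\(\d+\): "}


def predecode(event, consume_header):
    """Model Phase 1: return (program_name, log).
    consume_header=False reproduces the 2.8.3 output (header left in the log,
    program_name null); True reproduces the 2.9.0 output."""
    if consume_header:
        m = HEADER_RE.match(event)
        if m:
            return m.group(1), m.group(2)
    return None, event


def match_decoder(decoder, program_name, log):
    """Model Phase 2 for a single decoder definition."""
    if "program_name" in decoder and decoder["program_name"] != program_name:
        return False
    return re.search(decoder["prematch"], log) is not None


def decode(event, consume_header, decoder):
    """Run both phases and report what logtest would print."""
    program_name, log = predecode(event, consume_header)
    matched = match_decoder(decoder, program_name, log)
    return {"program_name": program_name, "log": log,
            "decoder": decoder["name"] if matched else None}


if __name__ == "__main__":
    for label, consume in (("2.8.3", False), ("2.9.0", True)):
        print(label, decode(SAMPLE, consume, LOG_KEYED))
    print("2.9.0, no date stamp", decode(SAMPLE[21:], True, LOG_KEYED))
    print("2.9.0, program-keyed", decode(SAMPLE, True, PROGRAM_KEYED))
```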