I just updated my CentOS 6 OSSEC server using the Atomic RPMs from 2.8.3-53 to 2.9.0-48.
Before the updates, my Windows server logs were processed fine. After the updates, ALL my Windows logs are no longer being decoded correctly.

Using ossec-logtest, and a test log entry of:

    2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):

With 2.8.3-53, logtest reports:

    **Phase 1: Completed pre-decoding.
           full event: '2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
           hostname: 'mybox'
           program_name: '(null)'
           log: '2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'

    **Phase 2: Completed decoding.
           decoder: 'windows'

With 2.9.0, logtest reports:

    **Phase 1: Completed pre-decoding.
           full event: '2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
           hostname: 'mybox'
           program_name: 'WinEvtLog'
           log: 'Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'

    **Phase 2: Completed decoding.
           No decoder matched.

BUT! If I drop off the date stamp prefix and just use the rest of the line, IT WORKS!

    WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):

    **Phase 1: Completed pre-decoding.
           full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
           hostname: 'tmgweb01'
           program_name: '(null)'
           log: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'

    **Phase 2: Completed decoding.
           decoder: 'windows'

I've tried to play with the Windows WinEvt decoder definition but I haven't had any luck getting it to match with the date stamp. I will say that my Windows servers are still running the 2.8.3 clients because I can't find an install package for 2.9.0 yet.

Any ideas what's going on here? Help!
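The logtest output in the post shows the real difference between the two versions: with 2.9.0 the pre-decoder consumes the "2017 Feb 08 19:00:00" prefix, moves the next token into program_name, and leaves only "Security: ..." in the log field, so any decoder whose condition looks for "WinEvtLog: " in the log text no longer sees it. The Python below is an added illustration written for this page, not OSSEC's pre-decoder or its decoder.xml: it models the two pre-decoding behaviours from the three logtest runs, runs a hypothetical log-field decoder (named "windows" only because the post's output names it) and a hypothetical program_name-keyed decoder against them, and reproduces which one matches in each case. The sample event is the post's own test line; the regexes, the decoder conditions, and the function names are assumptions for the model.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the test line from the post, with and without its timestamp.
EVENT_WITH_TIMESTAMP = ("2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): "
                        "Microsoft-Windows-Security-Auditing: (no user):")
EVENT_WITHOUT_TIMESTAMP = EVENT_WITH_TIMESTAMP[len("2017 Feb 08 19:00:00 "):]

# Assumed shape of the "YYYY Mon DD HH:MM:SS " prefix that the 2.9.0 run strips off.
YEAR_TIMESTAMP = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")
# Assumed "<program>: <rest>" split applied to what follows a recognised timestamp.
PROGRAM_SPLIT = re.compile(r"^([^\s:]+): (.*)$")


@dataclass
class PreDecoded:
    full_event: str
    hostname: str
    program_name: Optional[str]   # None prints as '(null)' in ossec-logtest
    log: str


def predecode(event: str, hostname: str, strip_year_timestamp: bool) -> PreDecoded:
    """Hypothetical model of the two pre-decoding behaviours seen in the post.

    strip_year_timestamp=False mimics the 2.8.3 fields (program_name null, log = whole
    line); True mimics the 2.9.0 fields (timestamp consumed, first token becomes
    program_name, log = remainder). This is a simplification, not OSSEC's parser.
    """
    if strip_year_timestamp:
        ts = YEAR_TIMESTAMP.match(event)
        if ts:
            split = PROGRAM_SPLIT.match(event[ts.end():])
            if split:
                return PreDecoded(event, hostname, split.group(1), split.group(2))
    return PreDecoded(event, hostname, None, event)


@dataclass
class Decoder:
    name: str
    prematch: Optional[re.Pattern] = None      # tested against the log field
    program_name: Optional[re.Pattern] = None  # tested against the program_name field

    def matches(self, pd: PreDecoded) -> bool:
        if self.program_name is not None:
            if pd.program_name is None or not self.program_name.search(pd.program_name):
                return False
        if self.prematch is not None and not self.prematch.search(pd.log):
            return False
        return True


# Hypothetical decoders (Python regex syntax here; OSSEC's own regex dialect differs).
LOG_FIELD_DECODER = Decoder("windows", prematch=re.compile(r"WinEvtLog: "))
PROGRAM_DECODER = Decoder("windows_by_program", program_name=re.compile(r"^WinEvtLog$"))


def first_match(pd: PreDecoded, decoders) -> Optional[str]:
    """Return the name of the first decoder whose conditions hold, or None."""
    for d in decoders:
        if d.matches(pd):
            return d.name
    return None


def run_scenarios(hostname: str = "mybox") -> dict:
    """Reproduce the post's three logtest outcomes as (program_name, decoder) pairs,
    plus the outcome once a program_name-keyed decoder is also available."""
    old = predecode(EVENT_WITH_TIMESTAMP, hostname, strip_year_timestamp=False)
    new = predecode(EVENT_WITH_TIMESTAMP, hostname, strip_year_timestamp=True)
    new_no_ts = predecode(EVENT_WITHOUT_TIMESTAMP, hostname, strip_year_timestamp=True)
    return {
        "2.8.3 style, with timestamp": (old.program_name, first_match(old, [LOG_FIELD_DECODER])),
        "2.9.0 style, with timestamp": (new.program_name, first_match(new, [LOG_FIELD_DECODER])),
        "2.9.0 style, timestamp removed": (new_no_ts.program_name,
                                           first_match(new_no_ts, [LOG_FIELD_DECODER])),
        "2.9.0 style, with program_name decoder": (new.program_name,
                                                   first_match(new, [LOG_FIELD_DECODER, PROGRAM_DECODER])),
    }


if __name__ == "__main__":
    for label, (prog, decoder) in run_scenarios().items():
        print(f"{label:40s} program_name={prog!r:14} decoder={decoder}")
```

The takeaway for anyone diagnosing the same symptom: compare the Phase 1 fields, not just the Phase 2 result. Once program_name is populated and the log field has been shortened, a decoder condition has to be expressed against the field the token now lives in, and ossec-logtest is the right place to confirm the change before touching the production decoder files.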