Thanks for pointing this out. It's definitely shown me a(nother) gap in our rules testing setup. I'm guessing a 2.9.1 will be coming in shortly with the changes we made to the windows decoders backported from master. Here are the new decoders if you want to give them a spin:

<!-- parent decoder: matches on the program_name the pre-decoder extracts -->
<decoder name="windows">
  <type>windows</type>
  <program_name>^WinEvtLog</program_name>
</decoder>
<!-- child decoders: same name, all hang off "windows" -->
<decoder name="windows1">
  <type>windows</type>
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, system_name</fts>
</decoder>

<decoder name="windows1">
  <type>windows</type>
  <parent>windows</parent>
  <regex> Source Network Address: (\S+)</regex>
  <order>srcip</order>
</decoder>

<decoder name="windows1">
  <type>windows</type>
  <parent>windows</parent>
  <regex> Account Name: (\S+) Account</regex>
  <order>user</order>
</decoder>

On Thu, Feb 9, 2017 at 10:50 AM, Chris Snyder <dagop...@gmail.com> wrote:
> I just updated my CentOS 6 OSSEC server using the Atomic RPMs from 2.8.3-53 to 2.9.0-48.
>
> Before the updates, my Windows server logs were processed fine. After the updates, ALL my windows logs are no longer being decoded correctly.
>
> Using ossec-logtest, and a test log entry of
>
> 2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):
>
> With 2.8.3-53, logtest reports:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
>        hostname: 'mybox'
>        program_name: '(null)'
>        log: '2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>
> With 2.9.0, logtest reports:
>
> **Phase 1: Completed pre-decoding.
>        full event: '2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
>        hostname: 'mybox'
>        program_name: 'WinEvtLog'
>        log: 'Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
>
> **Phase 2: Completed decoding.
>        No decoder matched.
>
> BUT! If I drop off the date stamp prefix and just use the rest of the line, IT WORKS!
> WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):
>
> **Phase 1: Completed pre-decoding.
>        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
>        hostname: 'tmgweb01'
>        program_name: '(null)'
>        log: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
>
> **Phase 2: Completed decoding.
>        decoder: 'windows'
>
> I've tried to play with the windows WinEvt decoder definition but I haven't had any luck getting it to match with the date stamp.
>
> I will say that my Windows servers are still running the 2.8.3 clients because I can't find an install package for 2.9.0 yet.
>
> Any ideas what's going on here? Help!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
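Added illustration (my own Python model, not OSSEC code and not from either poster) of why the four logtest runs above differ: it mimics the 2.8.3 and 2.9.0 pre-decoding that logtest printed, then applies an assumed 2.8-style `<prematch>WinEvtLog: </prematch>` parent and the new `<program_name>^WinEvtLog</program_name>` parent, followed by the first windows1 regex. The timestamp pattern, the old prematch text and the hand translation of OSSEC's regex syntax into Python are assumptions.

```python
import re

# Constructed, simplified model of what ossec-logtest showed in this thread:
# 2.8.3 passed the line through untouched, 2.9.0 recognised the
# "YYYY Mon DD HH:MM:SS" prefix and split "WinEvtLog" off into program_name.
WIN_TS = re.compile(r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ([^:\s]+): (.*)$")

def predecode(line, version):
    """Return (program_name, log) as the given version's pre-decoder would."""
    m = WIN_TS.match(line)
    if version == "2.9.0" and m:
        return m.group(1), m.group(2)
    return None, line

# OSSEC regex translated by hand: its "\." means "any character", and its
# first-match behaviour is approximated with non-greedy groups.
OLD_PREMATCH = re.compile(r"WinEvtLog: ")   # assumed 2.8-style <prematch> on the log field
NEW_PROGRAM = re.compile(r"^WinEvtLog")     # <program_name>^WinEvtLog</program_name>
WINDOWS1 = re.compile(r"^.+?: (\w+)\((\d+)\): (.+?): ")  # first <regex> of windows1

def decode(line, version, decoder):
    """Fields the parent + child decoders yield, or None when no decoder matched."""
    program_name, log = predecode(line, version)
    if decoder == "prematch":
        m = OLD_PREMATCH.search(log)
        if not m:
            return None
        rest = log[m.end():]            # child regex starts after the prematch
    else:
        if program_name is None or not NEW_PROGRAM.match(program_name):
            return None                 # parent only matches when program_name was extracted
        rest = log                      # parent matched on program_name, child starts at the log
    fields = {"decoder": "windows"}
    m = WINDOWS1.match(rest)
    if m:
        fields.update(status=m.group(1), id=m.group(2), extra_data=m.group(3))
    return fields

# The test event from the thread, with and without the date-stamp prefix.
EVENT = ("2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): "
         "Microsoft-Windows-Security-Auditing: (no user):")
BARE = EVENT[len("2017 Feb 08 19:00:00 "):]

if __name__ == "__main__":
    for version, decoder in [("2.8.3", "prematch"), ("2.9.0", "prematch"), ("2.9.0", "program_name")]:
        print(version, decoder, decode(EVENT, version, decoder))
    # Without the prefix the pre-decoder leaves program_name empty, so the new parent never fires.
    print("2.9.0 program_name, no date stamp:", decode(BARE, "2.9.0", "program_name"))
```

The last line is the check worth keeping in mind when testing the new decoders with ossec-logtest: a program_name-based parent only matches lines the pre-decoder has actually split, so the date-stamped form is the one to feed it.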