Update on your new code.

I replaced the following code:

<decoder name="windows">
  <type>windows</type>
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

with what you sent me and restarted the server.

Now I'm getting matches for Windows stuff (and they all look correct so 
far), but when it does find something to alert on, it sends a notice of 
multiple audit failures when there aren't multiple items:

Received From: (testbox01.EXAMPLE.COM) 192.168.20.45->WinEvtLog
Rule: 18153 fired (level 10) -> "Multiple Windows audit failure events."
User: (no user)
Portion of the log(s):

2017 Feb 09 16:00:54 WinEvtLog: Security: AUDIT_FAILURE(4771): 
Microsoft-Windows-Security-Auditing: (no user): no domain: 
testbox01.EXAMPLE.COM: Kerberos pre-authentication failed. Account 
Information:  Security ID:  S-1-5-21-963706601-603035142-3281641605-1106  
Account Name:  user1  Service Information:  Service Name:  
krbtgt/EXAMPLE.COM  Network Information:  Client Address:  
::ffff:192.168.20.9  Client Port:  60429  Additional Information:  Ticket 
Options:  0x10  Failure Code:  0x18  Pre-Authentication Type: 2  
Certificate Information:  Certificate Issuer Name:    Certificate Serial 
Number:    Certificate Thumbprint:    Certificate information is only 
provided if a certificate was used for pre-authentication.  
Pre-authentication types, ticket options and failure codes are defined in 
RFC 4120.  If the ticket was malformed or damaged during transit and could 
not be decrypted, then many fields in this event might not be present.
2017 Feb 09 16:02:23 WinEvtLog: Security: AUDIT_SUCCESS(4624): successful 
windows logging stuff from different host #2
2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4634): successful 
windows logging stuff from different host #3
2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4769): successful 
windows logging stuff from different host #2
2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4769): successful 
windows logging stuff from different host #2
2017 Feb 09 16:00:44 WinEvtLog: Security: AUDIT_SUCCESS(4634): successful 
windows logging stuff from different host #2

Any idea why it seems to see multiple failures here when there's only one 
failure and a bunch of successes? It didn't do that before.

On Thursday, February 9, 2017 at 2:57:57 PM UTC-5, dan (ddpbsd) wrote:
>
> Thanks for pointing this out. It's definitely shown me a(nother) gap 
> in our rules testing setup. 
> I'm guessing a 2.9.1 will be coming in shortly with the changes we 
> made to the windows decoders backported from master. 
> Here are the new decoders if you want to give them a spin: 
> <decoder name="windows"> 
>   <type>windows</type> 
>   <program_name>^WinEvtLog</program_name> 
> </decoder> 
>
> <decoder name="windows1"> 
>   <type>windows</type> 
>   <parent>windows</parent> 
>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex> 
>   <regex>(\.+): \.+: (\S+): </regex> 
>   <order>status, id, extra_data, user, system_name</order> 
>   <fts>name, location, system_name</fts> 
> </decoder> 
>
> <decoder name="windows1"> 
>   <type>windows</type> 
>   <parent>windows</parent> 
>   <regex> Source Network Address: (\S+)</regex> 
>   <order>srcip</order> 
> </decoder> 
>
> <decoder name="windows1"> 
>   <type>windows</type> 
>   <parent>windows</parent> 
>   <regex> Account Name: (\S+) Account</regex> 
>   <order>user</order> 
> </decoder> 
>
>
> On Thu, Feb 9, 2017 at 10:50 AM, Chris Snyder <dago...@gmail.com> wrote: 
> > I just updated my CentOS 6 OSSEC server using the Atomic RPMs from 2.8.3-53 
> > to 2.9.0-48. 
> > 
> > Before the updates, my Windows server logs were processed fine. After the 
> > updates, ALL my Windows logs are no longer being decoded correctly. 
> > 
> > Using ossec-logtest, and a test log entry of 
> > 
> > 2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): 
> > Microsoft-Windows-Security-Auditing: (no user): 
> > 
> > With 2.8.3-53, logtest reports: 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: '2017 Feb 08 19:00:00 WinEvtLog: Security: 
> > AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):' 
> >        hostname: 'mybox' 
> >        program_name: '(null)' 
> >        log: '2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738): 
> > Microsoft-Windows-Security-Auditing: (no user):' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'windows' 
> > 
> > With 2.9.0, logtest reports: 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: '2017 Feb 08 19:00:00 WinEvtLog: Security: 
> > AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):' 
> >        hostname: 'mybox' 
> >        program_name: 'WinEvtLog' 
> >        log: 'Security: AUDIT_SUCCESS(4738): 
> > Microsoft-Windows-Security-Auditing: (no user):' 
> > 
> > **Phase 2: Completed decoding. 
> >        No decoder matched. 
> > 
> > BUT! If I drop off the date stamp prefix and just use the rest of the line, 
> > IT WORKS! 
> > 
> > WinEvtLog: Security: AUDIT_SUCCESS(4738): 
> > Microsoft-Windows-Security-Auditing: (no user): 
> > 
> > **Phase 1: Completed pre-decoding. 
> >        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): 
> > Microsoft-Windows-Security-Auditing: (no user):' 
> >        hostname: 'tmgweb01' 
> >        program_name: '(null)' 
> >        log: 'WinEvtLog: Security: AUDIT_SUCCESS(4738): 
> > Microsoft-Windows-Security-Auditing: (no user):' 
> > 
> > **Phase 2: Completed decoding. 
> >        decoder: 'windows' 
> > 
> > I've tried to play with the windows WinEvt decoder definition but I haven't 
> > had any luck getting it to match with the date stamp. 
> > 
> > I will say that my Windows servers are still running the 2.8.3 clients 
> > because I can't find an install package for 2.9.0 yet. 
> > 
> > Any ideas what's going on here? Help! 
> > 
> > -- 
> > 
> > --- 
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group. 
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to ossec-list+...@googlegroups.com. 
> > For more options, visit https://groups.google.com/d/optout. 
>

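Added example (not part of this thread and not OSSEC's own code): a Python approximation of the field extraction that the 2.8.3 "windows" decoder at the top of this message performs, so that the two log forms discussed in the thread (with and without the date-stamp prefix) can be checked offline, and the "Portion of the log(s)" from the alert can be tallied per audit status. It assumes OSSEC's "\." (any character) behaves like a non-greedy any-character match, and it splits the decoder's regex into a head part (location, status, id) and a detail part (extra_data, user, system_name) so that trimmed event text still yields a status. The function names, the shortened 4771 message and the sample list are constructed for this example.

```python
import re

# Optional "YYYY Mon DD HH:MM:SS " timestamp, then the WinEvtLog program name.
# This mirrors the two <prematch> alternatives of the 2.8.3 decoder quoted
# above; the "rest" group is what the decoder regexes then see.
_PREFIX = re.compile(
    r"^(?:\d{4} \w{3} \d\d \d\d:\d\d:\d\d )?WinEvtLog: (?P<rest>.*)\Z", re.S
)

# Head of the event: "<location>: <STATUS>(<id>): <tail>".  OSSEC's "\."
# (any character) is rendered here as a non-greedy ".+?" (assumption).
_HEAD = re.compile(
    r"^(?P<location>.+?): (?P<status>\w+)\((?P<id>\d+)\): (?P<tail>.*)\Z", re.S
)

# Remaining fields of the decoder's <order>: extra_data, user, system_name
# ("<source>: <user>: <domain>: <host>: ...").  Event text that lacks these
# separators, e.g. the trimmed AUDIT_SUCCESS lines in the alert, stops here.
_DETAIL = re.compile(
    r"^(?P<extra_data>.+?): (?P<user>.+?): .+?: (?P<system_name>\S+): ", re.S
)


def decode_winevt(line):
    """Return the decoded fields for one WinEvtLog line, or None if the line
    is not a WinEvtLog event at all (no program name after the optional
    timestamp).  A WinEvtLog line without a "STATUS(id)" header yields {}."""
    m = _PREFIX.match(line)
    if not m:
        return None
    fields = {}
    head = _HEAD.match(m.group("rest"))
    if not head:
        return fields
    fields.update(location=head["location"], status=head["status"],
                  id=int(head["id"]))
    detail = _DETAIL.match(head["tail"])
    if detail:
        fields.update(extra_data=detail["extra_data"], user=detail["user"],
                      system_name=detail["system_name"])
    return fields


def tally_status(lines):
    """Count decoded events per audit status, e.g. {'AUDIT_FAILURE': 1, ...}."""
    counts = {}
    for line in lines:
        fields = decode_winevt(line)
        if fields and "status" in fields:
            counts[fields["status"]] = counts.get(fields["status"], 0) + 1
    return counts


# Constructed sample input: the "Portion of the log(s)" from the alert above,
# re-joined onto single lines and with the long Kerberos 4771 text shortened.
ALERT_LINES = [
    "2017 Feb 09 16:00:54 WinEvtLog: Security: AUDIT_FAILURE(4771): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "testbox01.EXAMPLE.COM: Kerberos pre-authentication failed. Account "
    "Information:  Security ID:  S-1-5-21-963706601-603035142-3281641605-1106  "
    "Account Name:  user1  Failure Code:  0x18  Pre-Authentication Type: 2",
    "2017 Feb 09 16:02:23 WinEvtLog: Security: AUDIT_SUCCESS(4624): successful "
    "windows logging stuff from different host #2",
    "2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4634): successful "
    "windows logging stuff from different host #3",
    "2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4769): successful "
    "windows logging stuff from different host #2",
    "2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4769): successful "
    "windows logging stuff from different host #2",
    "2017 Feb 09 16:00:44 WinEvtLog: Security: AUDIT_SUCCESS(4634): successful "
    "windows logging stuff from different host #2",
]

if __name__ == "__main__":
    for line in ALERT_LINES:
        print(decode_winevt(line))
    print(tally_status(ALERT_LINES))
```

Run on the alert's log portion it tallies one AUDIT_FAILURE and five AUDIT_SUCCESS events, and it decodes the 4738 test line from the original post identically with or without the date-stamp prefix. It is a per-line decoder check only; it does not model how OSSEC's frequency rules such as 18153 accumulate matched events over their timeframe.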