On Thu, Feb 9, 2017 at 4:09 PM, Chris Snyder <dagop...@gmail.com> wrote:
> Update on your new code.
>
> I replaced the following code:
>
> <decoder name="windows">
>   <type>windows</type>
>   <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog:
> </prematch>
>   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>   <regex>(\.+): \.+: (\S+): </regex>
>   <order>status, id, extra_data, user, system_name</order>
>   <fts>name, location, user, system_name</fts>
> </decoder>
>
> with what you sent me and restarted the server.
>
> Now, I'm getting matches for windows stuff (and they all look correct so
> far), but when it does find something to alert on, it sends a notice of
> multiple audit failures when there aren't multiple items:
>
> Received From: (testbox01.EXAMPLE.COM) 192.168.20.45->WinEvtLog
> Rule: 18153 fired (level 10) -> "Multiple Windows audit failure events."
> User: (no user)
> Portion of the log(s):
>
> 2017 Feb 09 16:00:54 WinEvtLog: Security: AUDIT_FAILURE(4771):
> Microsoft-Windows-Security-Auditing: (no user): no domain:
> testbox01.EXAMPLE.COM: Kerberos pre-authentication failed. Account
> Information:  Security ID:  S-1-5-21-963706601-603035142-3281641605-1106
> Account Name:  user1  Service Information:  Service Name:
> krbtgt/EXAMPLE.COM  Network Information:  Client Address:
> ::ffff:192.168.20.9  Client Port:  60429  Additional Information:  Ticket
> Options:  0x10  Failure Code:  0x18  Pre-Authentication Type: 2  Certificate
> Information:  Certificate Issuer Name:    Certificate Serial Number:
> Certificate Thumbprint:    Certificate information is only provided if a
> certificate was used for pre-authentication.  Pre-authentication types,
> ticket options and failure codes are defined in RFC 4120.  If the ticket was
> malformed or damaged during transit and could not be decrypted, then many
> fields in this event might not be present.
> 2017 Feb 09 16:02:23 WinEvtLog: Security: AUDIT_SUCCESS(4624): successful
> windows logging stuff from different host #2
> 2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4634): successful
> windows logging stuff from different host #3
> 2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4769): successful
> windows logging stuff from different host #2
> 2017 Feb 09 16:02:21 WinEvtLog: Security: AUDIT_SUCCESS(4769): successful
> windows logging stuff from different host #2
> 2017 Feb 09 16:00:44 WinEvtLog: Security: AUDIT_SUCCESS(4634): successful
> windows logging stuff from different host #2
>
> Any idea why it seems to see multiple failures here when there's only one
> failure and a bunch of successes? It didn't do that before.
>

No clue. Without log samples it's difficult to track down as well. I
avoid the Windows stuff as much as I can.

> On Thursday, February 9, 2017 at 2:57:57 PM UTC-5, dan (ddpbsd) wrote:
>>
>> Thanks for pointing this out. It's definitely shown me a(nother) gap
>> in our rules testing setup.
>> I'm guessing a 2.9.1 will be coming in shortly with the changes we
>> made to the windows decoders backported from master.
>> Here are the new decoders if you want to give them a spin:
>> <decoder name="windows">
>>   <type>windows</type>
>>   <program_name>^WinEvtLog</program_name>
>> </decoder>
>>
>> <decoder name="windows1">
>>   <type>windows</type>
>>   <parent>windows</parent>
>>   <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
>>   <regex>(\.+): \.+: (\S+): </regex>
>>   <order>status, id, extra_data, user, system_name</order>
>>   <fts>name, location, system_name</fts>
>> </decoder>
>>
>> <decoder name="windows1">
>>   <type>windows</type>
>>   <parent>windows</parent>
>>   <regex> Source Network Address: (\S+)</regex>
>>   <order>srcip</order>
>> </decoder>
>>
>> <decoder name="windows1">
>>   <type>windows</type>
>>   <parent>windows</parent>
>>   <regex> Account Name: (\S+) Account</regex>
>>   <order>user</order>
>> </decoder>
>>
>>
>> On Thu, Feb 9, 2017 at 10:50 AM, Chris Snyder <dago...@gmail.com> wrote:
>> > I just updated my CentOS 6 OSSEC server using the Atomic RPMs from
>> > 2.8.3-53
>> > to 2.9.0-48.
>> >
>> > Before the updates, my Windows server logs were processed fine. After the
>> > updates, ALL my windows logs are no longer being decoded correctly.
>> >
>> > Using ossec-logtest, and a test log entry of
>> >
>> > 2017 Feb 08 19:00:00 WinEvtLog: Security: AUDIT_SUCCESS(4738):
>> > Microsoft-Windows-Security-Auditing: (no user):
>> >
>> > With 2.8.3-53, logtest reports:
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '2017 Feb 08 19:00:00 WinEvtLog: Security:
>> > AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
>> >        hostname: 'mybox'
>> >        program_name: '(null)'
>> >        log: '2017 Feb 08 19:00:00 WinEvtLog: Security:
>> > AUDIT_SUCCESS(4738):
>> > Microsoft-Windows-Security-Auditing: (no user):'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'windows'
>> >
>> > With 2.9.0, logtest reports:
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: '2017 Feb 08 19:00:00 WinEvtLog: Security:
>> > AUDIT_SUCCESS(4738): Microsoft-Windows-Security-Auditing: (no user):'
>> >        hostname: 'mybox'
>> >        program_name: 'WinEvtLog'
>> >        log: 'Security: AUDIT_SUCCESS(4738):
>> > Microsoft-Windows-Security-Auditing: (no user):'
>> >
>> > **Phase 2: Completed decoding.
>> >        No decoder matched.
>> >
>> > BUT! If I drop off the date stamp prefix and just use the rest of the
>> > line,
>> > IT WORKS!
>> >
>> > WinEvtLog: Security: AUDIT_SUCCESS(4738):
>> > Microsoft-Windows-Security-Auditing: (no user):
>> >
>> > **Phase 1: Completed pre-decoding.
>> >        full event: 'WinEvtLog: Security: AUDIT_SUCCESS(4738):
>> > Microsoft-Windows-Security-Auditing: (no user):'
>> >        hostname: 'tmgweb01'
>> >        program_name: '(null)'
>> >        log: 'WinEvtLog: Security: AUDIT_SUCCESS(4738):
>> > Microsoft-Windows-Security-Auditing: (no user):'
>> >
>> > **Phase 2: Completed decoding.
>> >        decoder: 'windows'
>> >
>> > I've tried to play with the windows WinEvt decoder definition but I
>> > haven't
>> > had any luck getting it to match with the date stamp.
>> >
>> > I will say that my Windows servers are still running the 2.8.3 clients
>> > because I can't find an install package for 2.9.0 yet.
>> >
>> > Any ideas what's going on here? Help!
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>

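As an added illustration (not OSSEC's own code, and not from anyone on this thread) of what the 2.9 pre-decoding change and the new windows/windows1 decoders do to a WinEvtLog line, here is a small Python model of the decoders quoted above. It assumes the os_regex dialect maps to Python as `\.` = any character, `\w` = alphanumerics plus `@-_`, `\d`, `\s`, `\S`, with `+` and `*` stopping at the first point where the rest of the pattern matches; it also assumes that the three child decoders sharing the name windows1 all run and merge their fields. The 4771 body is the one pasted in the thread, condensed; the 4624 body is constructed for this example.

```python
"""Toy model of the OSSEC 2.9 Windows decoders from this thread. Added
illustration, not OSSEC's code; the os_regex-to-Python translation and the
chaining of same-name child decoders are assumptions."""
import re

# OSSEC os_regex classes -> assumed Python equivalents (\. any char, \w also @-_)
OSSEC_CLASSES = {r"\.": r".", r"\w": r"[A-Za-z0-9@_\-]", r"\d": r"\d",
                 r"\s": r" ", r"\S": r"\S"}

def ossec_to_python(pattern):
    """'+'/'*' become lazy unless they end the pattern, so '\\.+: ' stops at
    the first ': ' (assumed to mirror os_regex; the decoders rely on it)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append(OSSEC_CLASSES.get(pattern[i:i + 2], re.escape(pattern[i + 1])))
            i += 2
            continue
        if c in "+*":
            rest = pattern[i + 1:].lstrip(")").rstrip("$")
            out.append(c if rest == "" else c + "?")
        elif c in "()^$|":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

# Pre-decoding as ossec-logtest shows it under 2.9: timestamp consumed, the
# word before the first ': ' becomes program_name, the remainder is 'log'.
PREDECODE = re.compile(r"^\d{4} \w{3} \d\d \d\d:\d\d:\d\d (\S+): (.*)$")

def predecode(full_event):
    m = PREDECODE.match(full_event)
    if not m:
        return {"program_name": None, "log": full_event}
    return {"program_name": m.group(1), "log": m.group(2)}

# The pre-2.9 prematch quoted in the thread, kept for comparison.
OLD_PREMATCH = r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: "

def old_prematch_hits(text):
    return re.search(ossec_to_python(OLD_PREMATCH), text) is not None

# The three 2.9 child decoders named windows1. Sharing a name is modelled as
# "run every child and merge its fields" (assumption about the real engine).
CHILDREN = [
    {"regex": [r"^\.+: (\w+)\((\d+)\): (\.+): ", r"(\.+): \.+: (\S+): "],
     "order": ["status", "id", "extra_data", "user", "system_name"]},
    {"regex": [r" Source Network Address: (\S+)"], "order": ["srcip"]},
    {"regex": [r" Account Name: (\S+) Account"], "order": ["user"]},
]

def run_decoder(decoder, log):
    """Apply a regex chain, each regex searching from where the previous one
    ended; returns the fields in <order>, or None if any regex misses."""
    fields, pos, names = {}, 0, iter(decoder["order"])
    for raw in decoder["regex"]:
        m = re.compile(ossec_to_python(raw)).search(log, pos)
        if not m:
            return None
        for value in m.groups():
            fields[next(names)] = value
        pos = m.end()
    return fields

def decode_event(full_event):
    """Parent 'windows' keys on program_name WinEvtLog; children then run on
    the pre-decoded log text. Returns None when the parent does not match."""
    pre = predecode(full_event)
    if pre["program_name"] != "WinEvtLog":
        return None
    result = {"program_name": "WinEvtLog"}
    for child in CHILDREN:
        got = run_decoder(child, pre["log"])
        if got:
            result.update(got)
    return result

# Constructed samples: the 4771 body is the one pasted in the thread
# (condensed, double spaces kept); the 4624 body is made up for this example.
SAMPLE_4771 = (
    "2017 Feb 09 16:00:54 WinEvtLog: Security: AUDIT_FAILURE(4771): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "testbox01.EXAMPLE.COM: Kerberos pre-authentication failed. Account "
    "Information:  Security ID:  S-1-5-21-963706601-603035142-3281641605-1106  "
    "Account Name:  user1  Service Information:  Service Name:  krbtgt/EXAMPLE.COM  "
    "Network Information:  Client Address:  ::ffff:192.168.20.9  Failure Code:  0x18"
)
SAMPLE_4624 = (
    "2017 Feb 09 16:02:23 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: "
    "testbox01.EXAMPLE.COM: An account was successfully logged on. Subject: "
    "Security ID: S-1-0-0 Account Name: - Account Domain: - New Logon: "
    "Security ID: S-1-5-21-0-0-0-1001 Account Name: user1 Account Domain: "
    "EXAMPLE Source Network Address: 192.168.20.9 Source Port: 49152"
)

if __name__ == "__main__":
    print(old_prematch_hits(SAMPLE_4771), old_prematch_hits(predecode(SAMPLE_4771)["log"]))
    for event in (SAMPLE_4771, SAMPLE_4624):
        print(decode_event(event))
```

Running it reproduces the Phase 1 behaviour in the logtest output above: after pre-decoding, the log text starts at "Security:", so neither alternative of the old prematch (timestamp-first or "WinEvtLog:"-first) can hit it, while the 2.9 parent keys on program_name instead. Two parsing details worth checking with ossec-logtest against real event text before keying rules on the user field: the pasted 4771 body has two spaces after "Account Name:", which the single-space " Account Name: (\S+) Account" pattern does not match, so user stays "(no user)"; and in the constructed 4624 body the same pattern matches the first "Account Name:" it finds, which is the Subject block's "-" rather than the logged-on account.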