Thanks, but it doesn't work. It only decodes the srcip field. Attached is the output:

**Phase 1: Completed pre-decoding.
       full event: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'
       hostname: 'USMCyberRange'
       program_name: '(null)'
       log: 'WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: (no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13'

**Phase 2: Completed decoding.
       decoder: 'windows'
       srcip: '10.20.10.55'

**Rule debugging:
    Trying rule: 6 - Generic template for all windows rules.
       *Rule 6 matched.
       *Trying child rules.
    Trying rule: 7301 - Grouping of Symantec AV rules from eventlog.
    Trying rule: 18100 - Group of windows rules.
       *Rule 18100 matched.
       *Trying child rules.
    Trying rule: 18101 - Windows informational event.
    Trying rule: 18102 - Windows warning event.
    Trying rule: 18104 - Windows audit success event.
    Trying rule: 18103 - Windows error event.
    Trying rule: 18105 - Windows audit failure event.

**Phase 3: Completed filtering (rules).
       Rule id: '18100'
       Level: '0'
       Description: 'Group of windows rules.'

So the original fields of the decoder have been erased (status, id, extra_data, srcuser, system_name, name, location, user, system_name). The consequence is that the original rules don't match.

On Tuesday, 21 February 2017 at 15:30:39 (UTC+1), dan (ddpbsd) wrote:
> On Mon, Feb 20, 2017 at 6:08 AM, Casimiro <hfba...@gmail.com> wrote:
> > Version 2.8
> >
> > Events:
> >
> > WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: no domain: WKUSR01.cm.shr: The Windows Filtering Platform blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14952 Source Address: 10.10.10.58 Source Port: 55663 Destination Address: 255.255.255.255 Destination Port: 1211 Protocol: 17 Filter Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID:13
> >
> > I want to extract the source IP in addition to the status, id, extra_data, srcuser and system_name fields extracted by the original Windows decoder.
>
> This works with the latest master:
>
>   <decoder name="windows1">
>     <parent>windows</parent>
>     <regex>Source Address: (\S+)</regex>
>     <order>srcip</order>
>   </decoder>
>
> > Thanks
> >
> > On Friday, 17 February 2017 at 14:01:15 (UTC+1), Casimiro wrote:
> >> I'm trying to override the windows decoder to extract more fields (in local_decoder.xml), like source ip, destination ip, source port.
> >>
> >> This is my local decoder for windows:
> >>
> >>   <decoder name="windows-audit">
> >>     <parent>windows</parent>
> >>     <prematch>AUDIT_FAILURE(51512)</prematch>
> >>     <regex offset="after_parent">Source Address:\s+(\d+.\d+.\d+.\d+)</regex>
> >>     <order>srcip</order>
> >>   </decoder>
> >>
> >> When I put the new decoder in local_decoder.xml, the windows log doesn't match the windows parent decoder. If I take out the local decoder, then the log matches the windows parent decoder.
> >>
> >> I want to get all fields: parent fields + child fields (in this case status, id, extra_data, srcuser, system_name and srcip).
> >>
> >> Thanks in advance

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
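The behaviour the thread is after (a child decoder that adds srcip, ports and so on while keeping every field the parent `windows` decoder already set) is easier to reason about when modelled outside OSSEC. The following is an added example, written for this page and not OSSEC code or anything posted in the thread: a small Python decoder that applies an assumed parent layout (modelled on the event quoted above) and then runs per-event-id child extractors on the message text only, so the child can only add fields and never erase the parent's. The field names follow OSSEC's naming; `PARENT_RE`, `CHILD_EXTRACTORS`, `decode` and `missing_parent_fields` are names invented for this example. The 5152 sample is the event quoted in the thread; the 4624 sample is constructed.

```python
"""Parent + child field extraction for OSSEC-style 'WinEvtLog:' events.

Added example (not OSSEC code and not from the thread). It models, in plain
Python, the result the thread asks for: a child decoder that ADDS srcip and
friends without dropping the fields the parent 'windows' decoder set.
The parent layout below is an assumption modelled on the event quoted in
the thread; the field names follow OSSEC's naming.
"""
import re
from typing import Optional

# Assumed parent layout (assumption, not OSSEC's own decoder regex):
# WinEvtLog: <location>: <status>(<id>): <extra_data>: <srcuser>: <domain>: <system_name>: <message>
PARENT_RE = re.compile(
    r"^WinEvtLog: (?P<location>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): "
    r"(?P<extra_data>[^:]+): (?P<srcuser>[^:]+): (?P<domain>[^:]+): "
    r"(?P<system_name>[^:]+): (?P<message>.*)$"
)

# Child extractors keyed by event id, applied to the message text only.
# Each pattern runs independently, so one miss never blanks the others.
CHILD_EXTRACTORS = {
    "5152": [  # Windows Filtering Platform blocked a packet
        ("srcip", re.compile(r"Source Address: (\S+)")),
        ("srcport", re.compile(r"Source Port: (\d+)")),
        ("dstip", re.compile(r"Destination Address: (\S+)")),
        ("dstport", re.compile(r"Destination Port: (\d+)")),
        ("protocol", re.compile(r"Protocol: (\d+)")),
    ],
}


def decode(event: str) -> Optional[dict]:
    """Return parent fields merged with child fields, or None if the
    event does not prematch as a WinEvtLog line."""
    m = PARENT_RE.match(event)
    if m is None:
        return None
    fields = m.groupdict()
    message = fields.pop("message")
    for name, pattern in CHILD_EXTRACTORS.get(fields["id"], []):
        hit = pattern.search(message)
        if hit:
            fields[name] = hit.group(1)  # add to, never replace, parent fields
    return fields


def missing_parent_fields(fields: dict) -> set:
    """The parent fields the thread reports as lost; empty means none erased."""
    expected = {"status", "id", "extra_data", "srcuser", "system_name"}
    return expected - set(fields)


# Sample events. EVENT_5152 is the event quoted in the thread; EVENT_4624 is
# constructed here to show a 'windows' event that has no child extractor.
EVENT_5152 = (
    "WinEvtLog: Security: AUDIT_FAILURE(5152): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: WKSUSR034.mccd.def: The Windows Filtering Platform blocked "
    "a packet. Application Information: Process ID: 0 Application Name: - Network "
    "Information: Direction: %%14592 Source Address: 10.20.10.55 Source Port: 55666 "
    "Destination Address: 255.255.255.255 Destination Port: 1234 Protocol: 17 Filter "
    "Information: Filter Run-Time ID: 70713 Layer Name: %%14597 Layer Run-Time ID: 13"
)
EVENT_4624 = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "(no user): no domain: WKSUSR034.mccd.def: An account was successfully logged on."
)


if __name__ == "__main__":
    for ev in (EVENT_5152, EVENT_4624):
        out = decode(ev)
        print(sorted(out.items()))
        print("lost parent fields:", missing_parent_fields(out) or "none")
```

Running it on the 5152 event yields status, id, extra_data, srcuser and system_name alongside srcip/srcport/dstip/dstport/protocol, which is the "parent fields + child fields" result the thread wants; the 4624 event yields the parent fields only, with nothing lost. Whether a given OSSEC version keeps the parent fields when a child decoder matches is exactly what the ossec-logtest output above is checking, so compare its Phase 2 listing against this model rather than assuming either behaviour.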