On Wed, Nov 7, 2018 at 1:59 PM Chad Harbin <harb...@gmail.com> wrote:
>
> Yes getting the logs from archives.log. I am open to any suggestion on how to
> decode these logs. Please provide examples and thank you.
>

Between "windows" and "windows1":

<decoder name="windows2">
  <type>windows</type>
  <parent>windows</parent>
  <prematch>GeneralLogger</prematch>
  <regex> GeneralLogger \S+ - (\.+) for: (\S+)</regex>
  <order>status, srcuser</order>
</decoder>

> On Wednesday, November 7, 2018 at 1:42:45 PM UTC-5, Chad Harbin wrote:
>>
>> Guys,
>>
>> I really need your help. I am new to this and not getting very far. Our
>> developer created a custom ASP.NET application that logs to the
>> Application event logs when a user Successfully or Fails to login to the app.
>>
>> Here is what I am working with. Not sure how to make this work.
>>
>> 2018 Nov 02 17:52:42 (example.com) 10.0.10.120->WinEvtLog 2018 Nov 02 13:52:39 WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication: (no user): no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO GeneralLogger [(null)] - Successful login for: u...@example.com
>>
>> <decoder name="extranet">
>>   <prematch>10.0.10.120</prematch>
>> </decoder>
>>
>> <decoder name="extranet-auth">
>>   <parent>extranet</parent>
>>   <prematch offset="after_parent">^- </prematch>
>>   <regex offset="after_parent">^(\S+) login for: (\S+)</regex>
>>   <order>status, extra_data</order>
>> </decoder>
>>
>> Here is what I get from the logtest.
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog: Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com: 2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful login for: u...@example.com'
>>        timestamp: '(null)'
>>        hostname: 'ip-10-0-10-15'
>>        program_name: '(null)'
>>        log: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog: Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com: 2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful login for: u...@example.com'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'otpextranet'
>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
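The decoder proposed in the reply above, replayed outside OSSEC as an added example (this is not code from the OSSEC project or from either poster). It translates the handful of OSSEC regex tokens used in the thread into Python `re` syntax, then runs prematch, regex and `<order>` field mapping over constructed copies of the event text; the user addresses in the thread are redacted, so placeholder addresses are used. Support for `offset="after_prematch"` is an assumption added for illustration, since the reply's decoder does not use an offset.

```python
"""Toy re-implementation of an OSSEC decoder's prematch -> regex -> order step.

Added example, not code from the OSSEC project or from the mailing-list post.
The OSSEC regex dialect is only approximated: the tokens below are the ones
that matter for the decoder in the thread.
"""
import re
from typing import Optional

# Decoder proposed in the reply (prematch, regex and field order copied from it).
WINDOWS2_DECODER = {
    "prematch": "GeneralLogger",
    "regex": r" GeneralLogger \S+ - (\.+) for: (\S+)",
    "order": ["status", "srcuser"],
}

# Constructed copies of the event text from the thread. The original post
# redacts the user name, so alice@/bob@ are placeholders.
SAMPLE_SUCCESS = (
    "WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication: (no user): "
    "no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO GeneralLogger "
    "[(null)] - Successful login for: alice@example.com"
)
SAMPLE_FAILURE = (
    "WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication: (no user): "
    "no domain: example.com: 2018-11-02 13:53:10,004 [25] INFO GeneralLogger "
    "[(null)] - Failed login for: bob@example.com"
)
SAMPLE_OTHER = "WinEvtLog: Application: INFORMATION(10): Some unrelated event"

# OSSEC token -> Python re equivalent (subset, approximate).
_TOKENS = {
    r"\.": ".",      # in OSSEC, backslash-dot means "any character"
    r"\S": r"\S",
    r"\s": r"\s",
    r"\d": r"\d",
    r"\w": r"\w",
    r"\D": r"\D",
    r"\W": r"\W",
    r"\t": r"\t",
}
_PASSTHROUGH = set("+*^$()|")  # same meaning in both dialects


def ossec_to_python(pattern: str) -> str:
    """Translate an OSSEC os_regex pattern into a Python re pattern.

    Anything that is not a recognised token or operator is matched literally,
    which is how os_regex treats characters such as '[' , ']' and a plain '.'.
    """
    out = []
    i = 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        ch = pattern[i]
        if two in _TOKENS:
            out.append(_TOKENS[two])
            i += 2
        elif ch in _PASSTHROUGH:
            out.append(ch)
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def decode(log: str, decoder: dict) -> Optional[dict]:
    """Apply prematch, then regex, then map capture groups onto <order> names.

    Returns None when the decoder does not match, the equivalent of logtest
    reporting no decoder for the event.
    """
    pm = re.search(ossec_to_python(decoder["prematch"]), log)
    if pm is None:
        return None
    # offset="after_prematch" (assumed here for illustration): run the regex
    # only over the text that follows the prematch hit.
    haystack = log[pm.end():] if decoder.get("offset") == "after_prematch" else log
    m = re.search(ossec_to_python(decoder["regex"]), haystack)
    if m is None:
        return None
    return dict(zip(decoder["order"], m.groups()))


if __name__ == "__main__":
    for line in (SAMPLE_SUCCESS, SAMPLE_FAILURE, SAMPLE_OTHER):
        print(decode(line, WINDOWS2_DECODER))
```

Running it shows the two fields the reply's `<order>` names, `status` and `srcuser`, populated for both the successful and the failed login line, and no match for an Application event that lacks the `GeneralLogger` prematch string, which is the behaviour to expect from `ossec-logtest` once the decoder is in place.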