[ossec-list] IIS 8 FTP log monitor & alert

2016-05-23 Thread Jacob Mcgrath
Here is what I have so far... *Agent config* C:\inetpub\logs\LogFiles\FTPSVC4\u_ex%y%m%d.log iis *Server local_decoder.xml* windows-date-format true ^\d+.\d+.\d+.\d+ \d+ \S+ FTPSVC ^(\d+.\d+.\d+.\d+) \d+ (\S+) \S+ \S+ \S + \S+ \d+ (\S+) \S+ (\d+) srcip,user,act

Re: [ossec-list] Finding out the exact OSSEC server version

2016-05-23 Thread Pedro Sanchez
Hi Tahir, The way I do it is reading /etc/ossec-init.conf. cat /etc/ossec-init.conf > DIRECTORY="/var/ossec" > VERSION="v2.9.0" > DATE="jue may 12 00:43:32 PDT 2016" > TYPE="server" Best regards, Pedro S. On Mon, May 23, 2016 at 5:42 PM, Tahir Hafiz wrote: > Dear All, > > How do I find o

[ossec-list] Finding out the exact OSSEC server version

2016-05-23 Thread Tahir Hafiz
Dear All, How do I find out the exact OSSEC server version? If I do the following on an OSSEC server: ./ossec-analysisd -V I am shown: OSSEC HIDS v2.8 - Trend Micro Inc. I am not sure that is fully accurate; I wish to know the exact OSSEC server version, i.e. 2.8.1 or 2.8.2, etc. Is there a co

[ossec-list] Re: Decoder Regex help

2016-05-23 Thread DefensiveDepth
Thanks Jesus, that works - I was using a regex "helper" and I think that borked me up. Thanks for taking the time to help. -Josh

[ossec-list] Re: parent usage in local_decoder.xml

2016-05-23 Thread Jesus Linares
Also, I will fix the issue in the next Wazuh release, so you will not need to use a custom decoder. Likely I will change the name to something more readable, such as *ossec_decoders/kernel_decoders.xml*. Thanks. On Monday, May 23, 2016 at 10:22:33 AM UTC+2, Jesus Linares wrote: > > Hi Dave, > > I fo

[ossec-list] Re: parent usage in local_decoder.xml

2016-05-23 Thread Jesus Linares
Hi Dave, I found the problem. The last decoder in kernel-iptables_apparmor_decoders.xml doesn't have a prematch tag. I fixed it here; just add that line. Usually, every decoder should have a prematch becaus

[ossec-list] Re: Decoder Regex help

2016-05-23 Thread Jesus Linares
Hi Josh, try with this decoder: ^AR-LOG arlog \|\.+\|\.+\|\.+\|\.+\|(\S+)\|\.+\|(\S+)\|\S+\|\.+\|\.+\|(\.+)\| id,action,url ossec-logtest: AR-LOG|DD-RE2|05/20/2016 12:39:00|4/8/2016 4:42 PM|HKCU\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run|Skype|enabled|Logon|DD-RE2\ddadmin|Sky