On Feb 10, 2017 8:13 AM, "Chris Snyder" wrote:
My only counter argument to your response is that if I do the same tests
with a 2.8.3 ossec server all the tests pass with the expected match of a
windows log type. So something changed somewhere in the ossec server.
Whether this is a new bug recently introduced between 2.8.3 and 2.9.0 or it
On Thu, Feb 9, 2017 at 4:09 PM, Chris Snyder wrote:
Update on your new code.
I replaced the following code:
<decoder name="windows">
  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog:</prematch>
  <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+):</regex>
  <regex>(\.+): \.+: (\S+):</regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>
with what you sent me and
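To see what the 2.8.3-era windows decoder quoted above actually extracts from an event line, here is an added Python example. It is not code from the thread or from OSSEC: it assumes a small translation of the OSSEC regex escapes into Python's re (OSSEC ships its own matcher, so the non-greedy quantifiers and the [A-Za-z0-9_] class for \w are approximations), assumes the trailing space after each ":" in the posted patterns, and joins the two <regex> entries the way a decoder with consecutive regex tags is read. The sample log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample line (not taken from the thread), in the
# "YYYY Mon DD HH:MM:SS WinEvtLog: <log>: <status>(<id>): <source>: <user>:
# <domain>: <computer>: <message>" shape the 2.8.3 decoder targets.
SAMPLE_LINE = (
    "2017 Feb 08 10:15:42 WinEvtLog: Security: AUDIT_SUCCESS(4624): "
    "Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: WIN-DC01: "
    "An account was successfully logged on."
)

# Decoder fields as posted in the thread. ASSUMPTION: each field ends in
# ": " with a trailing space, which mail rendering tends to strip.
PREMATCH = r"^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: "
REGEX_PARTS: List[str] = [
    r"^\.+: (\w+)\((\d+)\): (\.+): ",  # first <regex>, offset="after_prematch"
    r"(\.+): \.+: (\S+): ",            # second <regex>, appended to the first
]
ORDER = ["status", "id", "extra_data", "user", "system_name"]

# ASSUMPTION: a translation of just the OSSEC escapes used above into Python
# re syntax. OSSEC uses its own matcher, not PCRE; quantifiers are made
# non-greedy here because the decoder relies on every "\.+" stopping at the
# first ": " that lets the rest of the pattern match.
_OSSEC_TO_PY: Dict[str, str] = {
    r"\d": "[0-9]",
    r"\w": "[A-Za-z0-9_]",
    r"\s": " ",
    r"\S": "[^ ]",
    r"\.": ".",
    r"\(": r"\(",
    r"\)": r"\)",
}


def ossec_to_python(pattern: str) -> str:
    """Translate the OSSEC regex subset used by the windows decoder to re syntax."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        two = pattern[i:i + 2]
        if two in _OSSEC_TO_PY:
            out.append(_OSSEC_TO_PY[two])
            i += 2
        elif pattern[i] == "\\":
            raise ValueError("unsupported OSSEC escape: " + two)
        elif pattern[i] in "+*":
            out.append(pattern[i] + "?")   # non-greedy, see assumption above
            i += 1
        elif pattern[i] in "()^$|":
            out.append(pattern[i])         # same meaning in both dialects
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def decode(line: str) -> Optional[Dict[str, object]]:
    """Run the decoder: prematch first, then the joined regex on the remainder.

    Returns None when the prematch fails (decoder does not apply), an empty
    field dict when only the prematch hit, and the five ordered fields when
    the full regex matches.
    """
    pre = re.match(ossec_to_python(PREMATCH), line)
    if pre is None:
        return None
    remainder = line[pre.end():]                 # offset="after_prematch"
    full = re.match(ossec_to_python("".join(REGEX_PARTS)), remainder)
    if full is None:
        return {"decoder": "windows", "fields": {}}
    return {"decoder": "windows", "fields": dict(zip(ORDER, full.groups()))}


if __name__ == "__main__":
    for probe in (SAMPLE_LINE, "WinEvtLog: Security: AUDIT_FAILURE(529): "
                  "Security: bob: CORP: PC1: Logon Failure: bad password."):
        print(decode(probe))
```

Running it prints the five decoded fields for each sample line. A line that passes the prematch but not the regex comes back with an empty field dict, which is the distinction worth checking when comparing ossec-logtest output for the same line across two server versions.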
On Thu, Feb 9, 2017 at 3:25 PM, Chris Snyder wrote:
Your new windows decoder rules work great! I'm going to throw them at my
hosts right now (better than what I've got at the moment!).
However, I'm thinking there's a bug somewhere in some pattern matching
code. However, I don't know yet if it's a bug in the current Atomic
RPMs or
Thanks for pointing this out. It's definitely shown me a(nother) gap
in our rules testing setup.
I'm guessing a 2.9.1 will be coming in shortly with the changes we
made to the windows decoders backported from master.
Here are the new decoders if you want to give them a spin:
windows
I just updated my CentOS 6 OSSEC server using the Atomic RPMs from 2.8.3-53
to 2.9.0-48.
Before the updates, my Windows server logs were processed fine. After the
updates, ALL my Windows logs are no longer being decoded correctly.
Using ossec-logtest, and a test log entry of
2017 Feb 08