Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-10 Thread dan (ddp)
On Feb 10, 2017 8:13 AM, "Chris Snyder" wrote: My only counter argument to your response is that if I do the same tests with a 2.8.3 ossec server all the tests pass with the expected match of a windows log type. So something changed somewhere in the ossec server. Whether

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-10 Thread Chris Snyder
My only counter argument to your response is that if I do the same tests with a 2.8.3 ossec server all the tests pass with the expected match of a windows log type. So something changed somewhere in the ossec server. Whether this is a new bug recently introduced between 2.8.3 and 2.9.0 or it

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread dan (ddp)
On Thu, Feb 9, 2017 at 4:09 PM, Chris Snyder wrote: > update on your new code. > > I replaced the following code: > > > windows > ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: > > ^\.+: (\w+)\((\d+)\): (\.+): > (\.+): \.+: (\S+): > status, id,

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread Chris Snyder
update on your new code. I replaced the following code: windows ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: ^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+): status, id, extra_data, user, system_name name, location, user, system_name with what you sent me and

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread dan (ddp)
On Thu, Feb 9, 2017 at 3:25 PM, Chris Snyder wrote: > Your new windows decoder rules work great! I'm going to throw them at my > hosts right now (better than what I've got at the moment!). > > However, I'm thinking there's a bug somewhere in some pattern matching code >

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread Chris Snyder
Your new windows decoder rules work great! I'm going to throw them at my hosts right now (better than what I've got at the moment!). However, I'm thinking there's a bug somewhere in some pattern matching code somewhere. However, I don't know yet if it's a bug in the current atomic RPMs or

Re: [ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread dan (ddp)
Thanks for pointing this out. It's definitely shown me a(nother) gap in our rules testing setup. I'm guessing a 2.9.1 will be coming in shortly with the changes we made to the windows decoders backported from master. Here are the new decoders if you want to give them a spin: windows

[ossec-list] ossec server 2.9.0 WinEvt problems

2017-02-09 Thread Chris Snyder
I just updated my CentOS 6 OSSEC server using the Atomic RPMs from 2.8.3-53 to 2.9.0-48. Before the updates, my Windows server logs were processed fine. After the updates, ALL my windows logs are no longer being decoded correctly. Using ossec-logtest, and a test log entry of 2017 Feb 08