/decoders/50_windows_ntsyslog_decoder.xml
https://bitbucket.org/oscarschneider/ossec-rules · XML · 15 lines · 6 code · 2 blank · 7 comment · 0 complexity · 9595d5ded5e154dc602f5cd73c94758e MD5 · raw file
- <!-- Windows decoder -NTsyslog format
- - Will extract extra_data (as win source),action (as win category), id,
- - username and computer name (as url).
- - Examples:
- - security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
- - security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}
- -->
- <decoder name="windows-ntsyslog">
- <type>windows</type>
- <prematch>^security[\w+] \d+ </prematch>
- <regex>^(\w+)[(\w+)] (\d+) </regex>
- <order>extra_data, status, id</order>
- </decoder>