/decoders/50_windows_ntsyslog_decoder.xml
<!-- Windows decoder - NTsyslog format
   - Will extract extra_data (as win source), action (as win category), id,
   - username and computer name (as url).
   - Examples:
   - security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
   - security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}
-->
<decoder name="windows-ntsyslog">
  <type>windows</type>
  <prematch>^security[\w+] \d+ </prematch>
  <regex>^(\w+)[(\w+)] (\d+) </regex>
  <order>extra_data, status, id</order>
</decoder>
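Added illustration, not part of the OSSEC decoder file: this Python script replays what the decoder above does to the two example events from its header comment, with the prematch gating the event, the regex capturing fields and the order list naming them. It translates only the OSSEC regex constructs this decoder uses (literal square brackets, \w, \d), which is an assumption about the OSSEC regex dialect rather than a full reimplementation of its engine.

```python
import re

# Decoder fields as they appear in the decoder above.
PREMATCH = r"^security[\w+] \d+ "
REGEX = r"^(\w+)[(\w+)] (\d+) "
ORDER = ["extra_data", "status", "id"]

# Constructed sample events, copied from the example lines in the decoder's header comment.
SAMPLES = [
    r"security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security "
    r"Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) "
    r"Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) "
    r"Privileges:SeSecurityPrivilege",
    r"security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M "
    r"Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate "
    r"Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}",
]


def ossec_to_python(pattern):
    """Translate the OSSEC regex subset this decoder uses into Python syntax.
    Assumption about the OSSEC dialect: '[' and ']' are literal characters,
    '\\w' is A-Za-z0-9 plus '-', '@' and '_', and '\\d' is a digit. Only
    ^ ( ) + and plain literals are expected besides those two escapes."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            esc = pattern[i + 1]
            out.append({"w": r"[A-Za-z0-9_\-@]", "d": "[0-9]"}.get(esc, re.escape(esc)))
            i += 2
        else:
            out.append(c if c in "^$()+*|" else re.escape(c))
            i += 1
    return "".join(out)


def decode(line):
    """Run the decoder: prematch gates the event, then the regex captures are
    assigned to the field names in <order>. Returns None when the event is not ours."""
    if not re.match(ossec_to_python(PREMATCH), line):
        return None
    m = re.match(ossec_to_python(REGEX), line)
    if not m:
        return None
    fields = dict(zip(ORDER, m.groups()))
    fields["decoder"] = "windows-ntsyslog"
    return fields
```

Running `decode()` over the two samples yields the status (`failure`/`success`) and event id (`577`/`528`) that rules downstream of this decoder key on; the user and computer name are left in the remaining text, since the regex here does not capture them.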