/decoders/50_windows_ntsyslog_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 15 lines · 6 code · 2 blank · 7 comment · 0 complexity · 9595d5ded5e154dc602f5cd73c94758e MD5 · raw file 

    

  1. <!-- Windows decoder -NTsyslog format
    2. 

  2.   - Will extract extra_data (as win source),action (as win category), id,
    3. 

  3.   - username and computer name (as url).
    4. 

  4.   - Examples:
    5. 

  5.   - security[failure] 577 IBM17M\Jeremy Lee  Privileged Service Called:  Server:Security  Service:-  Primary User Name:IBM17M$  Primary Domain:LEETHERNET  Primary Logon ID:(0x0,0x3E7)  Client User Name:Jeremy Lee  Client Domain:IBM17M  Client Logon ID:(0x0,0x1447F)  Privileges:SeSecurityPrivilege
    6. 

  6.   - security[success] 528 IBM17M\Jeremy Lee  Successful Logon:  User Name:Jeremy Lee  Domain:IBM17M  Logon ID:(0x0,0x3A2E471)  Logon Type:2  Logon Process:User32    Authentication Package:Negotiate  Workstation Name:IBM17M  Logon GUID: {00000000-0000-0000-0000-000000000000}
    7. 

  7.   -->
    8. 

  8. <decoder name="windows-ntsyslog">
    9. 

  9.   <type>windows</type>
    10. 

  10.   <prematch>^security[\w+] \d+ </prematch>
    11. 

  11.   <regex>^(\w+)[(\w+)] (\d+) </regex>
    12. 

  12.   <order>extra_data, status, id</order>
    13. 

  13. </decoder>
    14.