
/decoders/50_windows_ntsyslog_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules
<!-- Windows decoder - NTsyslog format
  - Applies only to lines that begin with "security[<word>] <event id> "
    (see the prematch below); NTsyslog lines from other channels do not
    match this decoder.
  - Extracts three fields, mapped by <order> as follows:
      extra_data = the log name in front of the bracket (e.g. "security")
      status     = the bracketed outcome word (e.g. "failure" or "success")
      id         = the numeric Windows event id that follows (e.g. 577, 528)
  - The user name and computer name that follow the event id are NOT
    captured by the regex; rules that need them must match on the
    undecoded remainder of the line.
  - Examples:
  - security[failure] 577 IBM17M\Jeremy Lee  Privileged Service Called:  Server:Security  Service:-  Primary User Name:IBM17M$  Primary Domain:LEETHERNET  Primary Logon ID:(0x0,0x3E7)  Client User Name:Jeremy Lee  Client Domain:IBM17M  Client Logon ID:(0x0,0x1447F)  Privileges:SeSecurityPrivilege
  - security[success] 528 IBM17M\Jeremy Lee  Successful Logon:  User Name:Jeremy Lee  Domain:IBM17M  Logon ID:(0x0,0x3A2E471)  Logon Type:2  Logon Process:User32    Authentication Package:Negotiate  Workstation Name:IBM17M  Logon GUID: {00000000-0000-0000-0000-000000000000}
  -->
<decoder name="windows-ntsyslog">
  <type>windows</type>
  <!-- Cheap pre-filter: only "security" channel lines with a numeric event id
       are handed to the regex below. -->
  <prematch>^security[\w+] \d+ </prematch>
  <!-- Three capture groups, in the same order as <order>:
       log name, outcome inside the brackets, event id. -->
  <regex>^(\w+)[(\w+)] (\d+) </regex>
  <order>extra_data, status, id</order>
</decoder>