/decoders/50_windows_ntsyslog_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 15 lines · 6 code · 2 blank · 7 comment · 0 complexity · 9595d5ded5e154dc602f5cd73c94758e MD5

<!-- Windows decoder - NTsyslog format
- Extracts extra_data (the win source, e.g. security), status (the win
- category: success or failure) and id (the event ID), in that order.
- The username and computer name that follow the event ID are not
- captured by this decoder. Only events from the security log prematch;
- application and system events in the same layout fall through.
- Examples:
- security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
- security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}
-->
<decoder name="windows-ntsyslog">
  <type>windows</type>
  <prematch>^security[\w+] \d+ </prematch>
  <regex>^(\w+)[(\w+)] (\d+) </regex>
  <order>extra_data, status, id</order>
</decoder>
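The following Python script is an added example; it is not part of the oscarschneider/ossec-rules repository or of OSSEC itself. It emulates this decoder over the two sample events from the comment above plus one constructed application-log event, translating the OSSEC regex dialect into Python's `re`: OSSEC has no bracket character classes, so `[` and `]` are literals, and `\w` covers A-Z, a-z, 0-9, `@`, `-` and `_`. The `ossec_regex_to_python` translator, the `decode` helper and the `NON_SECURITY` sample are assumptions introduced here. Running it shows exactly which fields the `<order>` populates and that the username after the event ID is not one of them.

```python
import re
from typing import Optional

# The decoder's prematch, regex and order, copied verbatim from the XML above.
PREMATCH = r"^security[\w+] \d+ "
REGEX = r"^(\w+)[(\w+)] (\d+) "
ORDER = ("extra_data", "status", "id")

# OSSEC regex classes mapped to Python equivalents.
# OSSEC \w is alphanumerics plus @, - and _; \s is a single space.
OSSEC_CLASSES = {
    r"\w": "[A-Za-z0-9@_-]",
    r"\d": "[0-9]",
    r"\s": " ",
    r"\t": "\t",
}


def ossec_regex_to_python(pattern: str) -> str:
    """Translate an OSSEC regex/prematch into a Python re pattern (helper assumed here)."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            token = pattern[i : i + 2]
            # Known OSSEC class, otherwise an escaped literal such as \. or \$.
            out.append(OSSEC_CLASSES.get(token, re.escape(pattern[i + 1])))
            i += 2
            continue
        if ch in "[]{}":
            # OSSEC has no character classes or {m,n} quantifiers: these are literals.
            out.append("\\" + ch)
        else:
            out.append(ch)  # ^ $ ( ) . * + | keep their usual meaning
        i += 1
    return "".join(out)


def decode(log: str) -> Optional[dict]:
    """Apply the decoder the way OSSEC would: prematch first, then regex + order."""
    if re.match(ossec_regex_to_python(PREMATCH), log) is None:
        return None  # decoder not selected for this event
    m = re.match(ossec_regex_to_python(REGEX), log)
    if m is None:
        return None  # prematched but the regex failed: no fields are set
    # Only the names in <order> are populated; nothing captures the username.
    return dict(zip(ORDER, m.groups()))


# The two sample events from the decoder comment (copied from the page).
SAMPLES = (
    r"security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege",
    r"security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}",
)

# Constructed sample (not from the page): an application-log event in the same
# NTsyslog layout, showing that only the security log prematches.
NON_SECURITY = r"application[information] 1000 IBM17M\Jeremy Lee Service started"


if __name__ == "__main__":
    for event in SAMPLES + (NON_SECURITY,):
        print(decode(event), "<-", event[:40])
```

The translator deliberately escapes `[`, `]`, `{` and `}` rather than passing them through, because in Python those would form a character class or a repetition count and silently change what the prematch accepts.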