
[ossec-list] Re: Windows Event Logs in Syslog (Flat text) format?



Hi Daniel,
   Thanks for the info. I've attached a few samples
for you to look at. These are in NTSyslog format.

Thanks,
Jeremy



--- Daniel Cid <daniel.cid@xxxxxxxxx> wrote:

> 
> Hi Jeremy,
> 
> We currently do not have it. Actually, we don't even
> need to add any
> rules, just a
> decoder to extract the information we need (user,
> ids, sources, etc). Do you
> have a few log samples to share with us? We can
> certainly add support for
> them without too much work...
> 
> Thanks,
> 
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
> 
> On 11/1/06, Jeremy Lee <jplee3@xxxxxxxxx> wrote:
> >
> > Hi all,
> >   Just curious if there's a rule that exists which
> > parses for files containing Windows Event Log
> entries
> > stored in text format/Syslog (by use of programs
> such
> > as NTSyslog) on a Unix server.
> >
> >
> > Thanks,
> > Jeremy
> >
> 
Oct 25 00:09:27 192.168.1.100 security[failure] 577 IBM17M\Jeremy Lee  Privileged Service Called:  Server:Security  Service:-  Primary User Name:IBM17M$  Primary Domain:LEETHERNET  Primary Logon ID:(0x0,0x3E7)  Client User Name:Jeremy Lee  Client Domain:IBM17M  Client Logon ID:(0x0,0x1447F)  Privileges:SeSecurityPrivilege

Oct 31 18:02:37 192.168.1.100 security[success] 680 NT AUTHORITY\SYSTEM  Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account:  Jeremy Lee  Source Workstation: IBM17M  Error Code: 0x0

Oct 31 18:02:37 192.168.1.100 security[success] 528 IBM17M\Jeremy Lee  Successful Logon:  User Name:Jeremy Lee  Domain:IBM17M  Logon ID:(0x0,0x3A2E471)  Logon Type:2  Logon Process:User32    Authentication Package:Negotiate  Workstation Name:IBM17M  Logon GUID: {00000000-0000-0000-0000-000000000000}

Oct 31 18:02:37 192.168.1.100 security[success] 576 IBM17M\Jeremy Lee  Special privileges assigned to new logon:  User Name:  Domain:  Logon ID:(0x0,0x3A2E471)  Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege

Oct 31 18:02:39 192.168.1.100 security[success] 682 NT AUTHORITY\SYSTEM  Session reconnected to winstation:  User Name:Jeremy Lee  Domain:IBM17M  Logon ID:(0x0,0x1F5A9C)  Session Name:Console  Client Name:Unknown  Client Address:Unknown

Oct 31 18:02:39 192.168.1.100 security[success] 538 IBM17M\Jeremy Lee  User Logoff:  User Name:Jeremy Lee  Domain:IBM17M  Logon ID:(0x0,0x3A2E471)  Logon Type:2


Nov  2 17:23:16 192.168.1.100 security[failure] 680 NT AUTHORITY\SYSTEM  Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account:  Jeremy Lee  Source Workstation: IBM17M  Error Code: 0xC000006A

Nov  2 17:23:16 192.168.1.100 security[failure] 529 NT AUTHORITY\SYSTEM  Logon Failure:  Reason:Unknown user name or bad password  User Name:Jeremy Lee  Domain:IBM17M  Logon Type:2  Logon Process:User32    Authentication Package:Negotiate  Workstation Name:IBM17M
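As an added example (not code from this thread, and not an OSSEC decoder): a small Python decoder for the NTSyslog lines above, pulling out the fields Daniel asks for (user, logon IDs, source workstation) into one normalized record, plus two checks run over the decoded events. The sample input is five of the lines posted above, copied verbatim. Assumptions, drawn only from those samples: the per-event-ID field names in USER_FIELD and SOURCE_FIELD, the "two or more spaces between fields" layout, and the short NTSTATUS table (0xC000006A is STATUS_WRONG_PASSWORD).

```python
import re

# Sample input: five of the NTSyslog lines posted in the thread, copied verbatim.
SAMPLE_LINES = [
    r"Oct 31 18:02:37 192.168.1.100 security[success] 680 NT AUTHORITY\SYSTEM  Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account:  Jeremy Lee  Source Workstation: IBM17M  Error Code: 0x0",
    r"Oct 31 18:02:37 192.168.1.100 security[success] 528 IBM17M\Jeremy Lee  Successful Logon:  User Name:Jeremy Lee  Domain:IBM17M  Logon ID:(0x0,0x3A2E471)  Logon Type:2  Logon Process:User32    Authentication Package:Negotiate  Workstation Name:IBM17M  Logon GUID: {00000000-0000-0000-0000-000000000000}",
    r"Oct 31 18:02:37 192.168.1.100 security[success] 576 IBM17M\Jeremy Lee  Special privileges assigned to new logon:  User Name:  Domain:  Logon ID:(0x0,0x3A2E471)  Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege",
    r"Nov  2 17:23:16 192.168.1.100 security[failure] 680 NT AUTHORITY\SYSTEM  Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account:  Jeremy Lee  Source Workstation: IBM17M  Error Code: 0xC000006A",
    r"Nov  2 17:23:16 192.168.1.100 security[failure] 529 NT AUTHORITY\SYSTEM  Logon Failure:  Reason:Unknown user name or bad password  User Name:Jeremy Lee  Domain:IBM17M  Logon Type:2  Logon Process:User32    Authentication Package:Negotiate  Workstation Name:IBM17M",
]

# Header layout seen in the samples: syslog timestamp, host, "<log>[<status>]",
# event ID, DOMAIN\user (may contain one space), then a double space and the body.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<log>\w+)\[(?P<status>\w+)\] (?P<eid>\d+) "
    r"(?P<account>.+?)  +(?P<body>.*)$"
)

# Assumption from the samples: which body field names the target user and the
# source host for each event ID. Unknown IDs fall back to the account column.
USER_FIELD = {528: "User Name", 529: "User Name", 538: "User Name", 576: "User Name",
              577: "Client User Name", 680: "Logon account", 682: "User Name"}
SOURCE_FIELD = {528: "Workstation Name", 529: "Workstation Name",
                680: "Source Workstation", 682: "Client Address"}

# NTSTATUS values carried in the 680 "Error Code" field (0xC000006A = STATUS_WRONG_PASSWORD).
NTSTATUS = {"0x0": "success", "0xC000006A": "wrong password",
            "0xC0000064": "no such user", "0xC0000234": "account locked out"}
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeTcbPrivilege"}


def parse_body(body):
    """Split the body into (title, {field: value}). Fields are separated by 2+ spaces,
    values may contain single spaces, and "Key:  Value" pushes the value into the
    next token, which is stitched back here."""
    tokens = [t for t in re.split(r"\s{2,}", body.strip()) if t]
    title, fields, i = "", {}, 0
    if tokens and tokens[0].endswith(":") and tokens[0].count(":") == 1:
        title, i = tokens[0][:-1], 1          # e.g. "Successful Logon:"
    while i < len(tokens):
        key, _, value = tokens[i].partition(":")
        key, value = key.strip(), value.strip()
        if not value and i + 1 < len(tokens) and ":" not in tokens[i + 1]:
            value, i = tokens[i + 1].strip(), i + 1   # "Logon account:  Jeremy Lee"
        fields[key] = value
        i += 1
    return title, fields


def decode(line):
    """Decode one NTSyslog line into a normalized event dict, or None on no match."""
    m = HEADER.match(line)
    if m is None:
        return None
    eid = int(m.group("eid"))
    title, fields = parse_body(m.group("body"))
    user = fields.get(USER_FIELD.get(eid, ""), "")
    domain = fields.get("Domain", "")
    if not user:                               # 576 leaves "User Name:" empty
        domain, _, user = m.group("account").rpartition("\\")
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "status": m.group("status"), "event_id": eid, "title": title,
            "user": user, "domain": domain,
            "source": fields.get(SOURCE_FIELD.get(eid, ""), ""),
            "logon_id": fields.get("Logon ID", ""), "fields": fields}


def failed_logons(events):
    """One alert per failed logon. Windows writes both a 680 (NTSTATUS code) and a
    529 (text reason) for the same attempt; the 529 is the alert and the matching
    680 only enriches it, so a single bad password is not counted twice."""
    pending, alerts = {}, []
    for ev in events:
        if ev["status"] != "failure":
            continue
        key = (ev["user"], ev["source"])
        if ev["event_id"] == 680:
            pending[key] = ev["fields"].get("Error Code", "")
        elif ev["event_id"] == 529:
            code = pending.pop(key, "")
            alerts.append({"user": ev["user"], "domain": ev["domain"], "source": ev["source"],
                           "reason": ev["fields"].get("Reason", ""),
                           "ntstatus": NTSTATUS.get(code, code)})
    return alerts


def sensitive_privileges(events):
    """Flag 576 events whose new logon was handed privileges worth watching."""
    hits = []
    for ev in events:
        if ev["event_id"] == 576:
            found = sorted(set(ev["fields"].get("Privileges", "").split()) & SENSITIVE_PRIVS)
            if found:
                hits.append((ev["user"], ev["logon_id"], found))
    return hits


if __name__ == "__main__":
    events = [e for e in map(decode, SAMPLE_LINES) if e]
    print(*failed_logons(events), *sensitive_privileges(events), sep="\n")
```

Run against the five sample lines this reports one failed logon for "Jeremy Lee" from IBM17M with reason "Unknown user name or bad password" and NTSTATUS "wrong password", and one 576 logon that received SeBackupPrivilege, SeDebugPrivilege and SeRestorePrivilege. The 680/529 pairing is the part worth keeping in any real rule: counting both events per attempt doubles every brute-force threshold.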



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.