
List:       ossec-list
Subject:    Re: [ossec-list] Re: OSSEC csyslogd truncates Windows Security Event ID: 4627.
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2016-09-27 12:26:53
Message-ID: CAMyQvMoEYBwvBjNcfF2ofpiohjDpHqfzC8fxmp0eDWsUxWhDVg () mail ! gmail ! com

On Tue, Sep 27, 2016 at 8:17 AM, dan (ddp) <ddpbsd@gmail.com> wrote:
> On Fri, Sep 16, 2016 at 1:24 AM, InfoSec <gjahchan@compucenter.org> wrote:
> > Difference between your setup and mine is that I am forwarding events in CEF
> > format, you seem to be forwarding the OSSEC multi-line format.
> > 
> 
> I'm using the standard syslog output.
> 
> > Can you please rerun your test with CEF format in syslog_output?
> > 
> 
> I'll try, but I don't use CEF.
> 

Looks ok to me.

08:24:24.217893 b8:ac:6f:7d:d2:e0 b8:97:5a:b1:0b:c6 0800 907:
192.168.17.9.18520 > 192.168.17.8.9514: [udp sum ok] udp 865 (ttl 64,
id 55737, len 893, bad ip cksum 0! -> fa54)
  0000: b897 5ab1 0bc6 b8ac 6f7d d2e0 0800 4500  ..Z.....o}....E.
  0010: 037d d9b9 0000 4011 0000 c0a8 1109 c0a8  .}....@.........
  0020: 1108 4858 252a 0369 5ef7 3c31 3332 3e53  ..HX%*.i^.<132>S
  0030: 6570 2032 3720 3038 3a32 343a 3232 2043  ep 27 08:24:22 C
  0040: 4546 3a30 7c54 7265 6e64 204d 6963 726f  EF:0|Trend Micro
  0050: 2049 6e63 2e7c 4f53 5345 4320 4849 4453   Inc.|OSSEC HIDS
  0060: 7c76 322e 392e 307c 3730 3030 3033 7c42  |v2.9.0|700003|B
  0070: 4947 2061 6c65 7274 7c31 307c 6476 633d  IG alert|10|dvc=
  0080: 6978 2063 7332 3d69 782d 3e2f 7661 722f  ix cs2=ix->/var/
  0090: 6c6f 672f 6d65 7373 6167 6573 2063 7332  log/messages cs2
  00a0: 4c61 6265 6c3d 4c6f 6361 7469 6f6e 2063  Label=Location c
  00b0: 6c61 7373 6966 6963 6174 696f 6e3d 206c  lassification= l
  00c0: 6f63 616c 2c73 7973 6c6f 672c 2073 7573  ocal,syslog, sus
  00d0: 6572 3d44 6573 6b74 6f70 2073 7573 6572  er=Desktop suser
  00e0: 3d44 6573 6b74 6f70 206d 7367 3d53 6570  =Desktop msg=Sep
  00f0: 2032 3720 3038 3a32 343a 3231 2069 7820   27 08:24:21 ix
  0100: 5769 6e45 7674 4c6f 673a 2053 6563 7572  WinEvtLog: Secur
  0110: 6974 793a 2041 5544 4954 5f53 5543 4345  ity: AUDIT_SUCCE
  0120: 5353 2834 3632 3729 3a20 4d69 6372 6f73  SS(4627): Micros
  0130: 6f66 742d 5769 6e64 6f77 732d 5365 6375  oft-Windows-Secu
  0140: 7269 7479 2d41 7564 6974 696e 673a 2028  rity-Auditing: (
  0150: 6e6f 2075 7365 7229 3a20 6e6f 2064 6f6d  no user): no dom
  0160: 6169 6e3a 2044 6573 6b74 6f70 3a20 3c53  ain: Desktop: <S
  0170: 7562 6a65 6374 5365 6375 7269 7479 4944  ubjectSecurityID
  0180: 3e20 203c 5573 6572 6e61 6d65 3e20 4445  >  <Username> DE
  0190: 534b 544f 5020 3078 3138 6436 6663 203c  SKTOP 0x18d6fc <
  01a0: 5375 626a 6563 7453 6563 7572 6974 7949  SubjectSecurityI
  01b0: 443e 203c 5573 6572 6e61 6d65 3e20 4445  D> <Username> DE
  01c0: 534b 544f 5020 3078 3637 3533 3766 6135  SKTOP 0x67537fa5
  01d0: 2032 2031 2031 205c 5c72 5c5c 6e5c 5c74   2 1 1 \\r\\n\\t
  01e0: 5c5c 7425 7b53 2d31 2d35 2d32 312d 7878  \\t%{S-1-5-21-xx
  01f0: 7878 7878 7878 7878 2d78 7878 7878 7878  xxxxxxxx-xxxxxxx
  0200: 7878 782d 7878 7878 7878 7878 7878 2d78  xxx-xxxxxxxxxx-x
  0210: 7878 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425  xx}\\r\\n\\t\\t%
  0220: 7b53 2d31 2d31 2d30 7d5c 5c72 5c5c 6e5c  {S-1-1-0}\\r\\n\
  0230: 5c74 5c5c 7425 7b53 2d31 2d35 2d31 3134  \t\\t%{S-1-5-114
  0240: 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53  }\\r\\n\\t\\t%{S
  0250: 2d31 2d35 2d32 312d 7878 7878 7878 7878  -1-5-21-xxxxxxxx
  0260: 7878 2d78 7878 7878 7878 7878 782d 7878  xx-xxxxxxxxxx-xx
  0270: 7878 7878 7878 7878 2d78 7878 787d 5c5c  xxxxxxxx-xxxx}\\
  0280: 725c 5c6e 5c5c 745c 5c74 257b 532d 312d  r\\n\\t\\t%{S-1-
  0290: 352d 3332 2d35 3535 7d5c 5c72 5c5c 6e5c  5-32-555}\\r\\n\
  02a0: 5c74 5c5c 7425 7b53 2d31 2d35 2d33 322d  \t\\t%{S-1-5-32-
  02b0: 3534 357d 5c5c 725c 5c6e 5c5c 745c 5c74  545}\\r\\n\\t\\t
  02c0: 257b 532d 312d 352d 3332 2d35 3434 7d5c  %{S-1-5-32-544}\
  02d0: 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 2d31  \r\\n\\t\\t%{S-1
  02e0: 2d35 2d34 7d5c 5c72 5c5c 6e5c 5c74 5c5c  -5-4}\\r\\n\\t\\
  02f0: 7425 7b53 2d31 2d32 2d31 7d5c 5c72 5c5c  t%{S-1-2-1}\\r\\
  0300: 6e5c 5c74 5c5c 7425 7b53 2d31 2d35 2d31  n\\t\\t%{S-1-5-1
  0310: 317d 5c5c 725c 5c6e 5c5c 745c 5c74 257b  1}\\r\\n\\t\\t%{
  0320: 532d 312d 352d 3135 7d5c 5c72 5c5c 6e5c  S-1-5-15}\\r\\n\
  0330: 5c74 5c5c 7425 7b53 2d31 2d35 2d31 3133  \t\\t%{S-1-5-113
  0340: 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53  }\\r\\n\\t\\t%{S
  0350: 2d31 2d32 2d30 7d5c 5c72 5c5c 6e5c 5c74  -1-2-0}\\r\\n\\t
  0360: 5c5c 7425 7b53 2d31 2d35 2d36 342d 3130  \\t%{S-1-5-64-10
  0370: 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53  }\\r\\n\\t\\t%{S
  0380: 2d31 2d31 362d 3831 3932 7d              -1-16-8192}



-- 

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
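A defender-side way to check what the capture above shows by eye: decode a tcpdump-style hex dump back into bytes, confirm the captured frame carries the whole UDP datagram that its IP and UDP headers declare (the page's frame is 907 bytes, IP length 893, UDP payload 865), and parse the CEF-over-syslog payload so the msg= field and the Windows event ID can be inspected. This is an added example written for this page, not OSSEC's own code. The sample datagram is constructed here (same MAC, IP, port and CEF header fields as the capture in the thread, with a shortened msg=), and the `render_hexdump` helper exists only to produce that fixture in the same layout as the dump.

```python
import re
import struct

# Constructed sample: a CEF event shaped like the one in the thread, with the
# msg= field cut down to a few of the group SIDs (placeholders as in the post).
CEF_SAMPLE = (
    "<132>Sep 27 08:24:22 CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.9.0|700003|"
    "BIG alert|10|dvc=ix cs2=ix->/var/log/messages cs2Label=Location "
    "classification= local,syslog, suser=Desktop "
    "msg=Sep 27 08:24:21 ix WinEvtLog: Security: AUDIT_SUCCESS(4627): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: Desktop: "
    "<SubjectSecurityID>  <Username> DESKTOP 0x18d6fc 2 1 1 "
    "\\\\r\\\\n\\\\t\\\\t%{S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxx}"
    "\\\\r\\\\n\\\\t\\\\t%{S-1-1-0}\\\\r\\\\n\\\\t\\\\t%{S-1-16-8192}"
)


def build_frame(payload: bytes) -> bytes:
    """Constructed fixture: Ethernet + IPv4 + UDP headers around the payload,
    using the addresses and ports from the capture (IP checksum left at 0,
    as in the capture, which tcpdump reported as offloaded)."""
    eth = bytes.fromhex("b8975ab10bc6b8ac6f7dd2e00800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 55737,
                     0, 64, 17, 0, bytes([192, 168, 17, 9]), bytes([192, 168, 17, 8]))
    udp = struct.pack("!HHHH", 18520, 9514, 8 + len(payload), 0)
    return eth + ip + udp + payload


def render_hexdump(data: bytes) -> str:
    """Fixture helper: lay bytes out like the '0000: b897 5ab1 ...  ..Z..' dump."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"  {off:04x}: {hexpart:<39}  {asc}")
    return "\n".join(lines)


HEX_LINE = re.compile(r"^\s*(?:0x)?([0-9a-f]{4}):\s*(.*)$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild the raw frame from dump lines; non-dump lines are skipped and
    the offsets must be contiguous, otherwise the copy is not trustworthy."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset gap before {m.group(1)}")
        out += bytes.fromhex(m.group(2).split("  ")[0])  # drop the ASCII column
    return bytes(out)


def check_datagram(frame: bytes) -> dict:
    """Compare the lengths the IP and UDP headers declare with what was captured."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4-over-Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    udp_off = 14 + ihl
    udp_len = struct.unpack("!H", frame[udp_off + 4:udp_off + 6])[0]
    payload = frame[udp_off + 8:udp_off + udp_len]
    return {
        "ip_declared": ip_total,
        "ip_captured": len(frame) - 14,
        "udp_payload_len": udp_len - 8,
        "complete": frame[23] == 17 and ip_total == len(frame) - 14
        and len(payload) == udp_len - 8,
        "payload": payload,
    }


SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (CEF:\d\|.*)$", re.S)


def parse_cef(payload: bytes) -> dict:
    """Split syslog PRI/timestamp, the 7 pipe-separated CEF header fields
    (unescaped '|' only) and the key=value extension."""
    m = SYSLOG_RE.match(payload.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not a CEF-over-syslog message")
    pri = int(m.group(1))
    parts = re.split(r"(?<!\\)\|", m.group(3), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header has fewer than 7 pipe-separated fields")
    ext = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7], re.S))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(2),
            "version": parts[0], "vendor": parts[1], "product": parts[2],
            "device_version": parts[3], "signature_id": parts[4], "name": parts[5],
            "agent_severity": parts[6], "extension": ext}


def windows_event_id(cef: dict):
    """Pull the event ID out of OSSEC's 'WinEvtLog: ... TYPE(id):' msg= prefix."""
    m = re.search(r"WinEvtLog: .*?\((\d+)\):", cef["extension"].get("msg", ""))
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    dump = render_hexdump(build_frame(CEF_SAMPLE.encode()))
    info = check_datagram(parse_hexdump(dump))
    print(f"IP declared {info['ip_declared']}, captured {info['ip_captured']}, "
          f"UDP payload {info['udp_payload_len']}, complete={info['complete']}")
    cef = parse_cef(info["payload"])
    print(cef["product"], cef["signature_id"], "event", windows_event_id(cef))
    # A capture cut short (last dump line missing) fails the length check.
    print("cut-short copy complete?", check_datagram(parse_hexdump(dump.rsplit("\n", 1)[0]))["complete"])
```

Run against a real dump, the length check separates a message OSSEC actually truncated (headers and capture agree, but msg= ends early) from a capture or archive that dropped bytes (declared length exceeds what was captured); only the first is a csyslogd problem.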

