List: ossec-list
Subject: Re: [ossec-list] Re: OSSEC csyslogd truncates Windows Security Event ID: 4627.
From: "dan (ddp)" <ddpbsd () gmail ! com>
Date: 2016-09-27 12:26:53
Message-ID: CAMyQvMoEYBwvBjNcfF2ofpiohjDpHqfzC8fxmp0eDWsUxWhDVg () mail ! gmail ! com
On Tue, Sep 27, 2016 at 8:17 AM, dan (ddp) <ddpbsd@gmail.com> wrote:
> On Fri, Sep 16, 2016 at 1:24 AM, InfoSec <gjahchan@compucenter.org> wrote:
> > Difference between your setup and mine is that I am forwarding events in CEF
> > format, you seem to be forwarding the OSSEC multi-line format.
> >
>
> I'm using the standard syslog output.
>
> > Can you please rerun your test with CEF format in syslog_output?
> >
>
> I'll try, but I don't use CEF.
>
Looks ok to me.
08:24:24.217893 b8:ac:6f:7d:d2:e0 b8:97:5a:b1:0b:c6 0800 907:
192.168.17.9.18520 > 192.168.17.8.9514: [udp sum ok] udp 865 (ttl 64,
id 55737, len 893, bad ip cksum 0! -> fa54)
0000: b897 5ab1 0bc6 b8ac 6f7d d2e0 0800 4500 ..Z.....o}....E.
0010: 037d d9b9 0000 4011 0000 c0a8 1109 c0a8 .}....@.........
0020: 1108 4858 252a 0369 5ef7 3c31 3332 3e53 ..HX%*.i^.<132>S
0030: 6570 2032 3720 3038 3a32 343a 3232 2043 ep 27 08:24:22 C
0040: 4546 3a30 7c54 7265 6e64 204d 6963 726f EF:0|Trend Micro
0050: 2049 6e63 2e7c 4f53 5345 4320 4849 4453 Inc.|OSSEC HIDS
0060: 7c76 322e 392e 307c 3730 3030 3033 7c42 |v2.9.0|700003|B
0070: 4947 2061 6c65 7274 7c31 307c 6476 633d IG alert|10|dvc=
0080: 6978 2063 7332 3d69 782d 3e2f 7661 722f ix cs2=ix->/var/
0090: 6c6f 672f 6d65 7373 6167 6573 2063 7332 log/messages cs2
00a0: 4c61 6265 6c3d 4c6f 6361 7469 6f6e 2063 Label=Location c
00b0: 6c61 7373 6966 6963 6174 696f 6e3d 206c lassification= l
00c0: 6f63 616c 2c73 7973 6c6f 672c 2073 7573 ocal,syslog, sus
00d0: 6572 3d44 6573 6b74 6f70 2073 7573 6572 er=Desktop suser
00e0: 3d44 6573 6b74 6f70 206d 7367 3d53 6570 =Desktop msg=Sep
00f0: 2032 3720 3038 3a32 343a 3231 2069 7820 27 08:24:21 ix
0100: 5769 6e45 7674 4c6f 673a 2053 6563 7572 WinEvtLog: Secur
0110: 6974 793a 2041 5544 4954 5f53 5543 4345 ity: AUDIT_SUCCE
0120: 5353 2834 3632 3729 3a20 4d69 6372 6f73 SS(4627): Micros
0130: 6f66 742d 5769 6e64 6f77 732d 5365 6375 oft-Windows-Secu
0140: 7269 7479 2d41 7564 6974 696e 673a 2028 rity-Auditing: (
0150: 6e6f 2075 7365 7229 3a20 6e6f 2064 6f6d no user): no dom
0160: 6169 6e3a 2044 6573 6b74 6f70 3a20 3c53 ain: Desktop: <S
0170: 7562 6a65 6374 5365 6375 7269 7479 4944 ubjectSecurityID
0180: 3e20 203c 5573 6572 6e61 6d65 3e20 4445 > <Username> DE
0190: 534b 544f 5020 3078 3138 6436 6663 203c SKTOP 0x18d6fc <
01a0: 5375 626a 6563 7453 6563 7572 6974 7949 SubjectSecurityI
01b0: 443e 203c 5573 6572 6e61 6d65 3e20 4445 D> <Username> DE
01c0: 534b 544f 5020 3078 3637 3533 3766 6135 SKTOP 0x67537fa5
01d0: 2032 2031 2031 205c 5c72 5c5c 6e5c 5c74 2 1 1 \\r\\n\\t
01e0: 5c5c 7425 7b53 2d31 2d35 2d32 312d 7878 \\t%{S-1-5-21-xx
01f0: 7878 7878 7878 7878 2d78 7878 7878 7878 xxxxxxxx-xxxxxxx
0200: 7878 782d 7878 7878 7878 7878 7878 2d78 xxx-xxxxxxxxxx-x
0210: 7878 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 xx}\\r\\n\\t\\t%
0220: 7b53 2d31 2d31 2d30 7d5c 5c72 5c5c 6e5c {S-1-1-0}\\r\\n\
0230: 5c74 5c5c 7425 7b53 2d31 2d35 2d31 3134 \t\\t%{S-1-5-114
0240: 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 }\\r\\n\\t\\t%{S
0250: 2d31 2d35 2d32 312d 7878 7878 7878 7878 -1-5-21-xxxxxxxx
0260: 7878 2d78 7878 7878 7878 7878 782d 7878 xx-xxxxxxxxxx-xx
0270: 7878 7878 7878 7878 2d78 7878 787d 5c5c xxxxxxxx-xxxx}\\
0280: 725c 5c6e 5c5c 745c 5c74 257b 532d 312d r\\n\\t\\t%{S-1-
0290: 352d 3332 2d35 3535 7d5c 5c72 5c5c 6e5c 5-32-555}\\r\\n\
02a0: 5c74 5c5c 7425 7b53 2d31 2d35 2d33 322d \t\\t%{S-1-5-32-
02b0: 3534 357d 5c5c 725c 5c6e 5c5c 745c 5c74 545}\\r\\n\\t\\t
02c0: 257b 532d 312d 352d 3332 2d35 3434 7d5c %{S-1-5-32-544}\
02d0: 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 2d31 \r\\n\\t\\t%{S-1
02e0: 2d35 2d34 7d5c 5c72 5c5c 6e5c 5c74 5c5c -5-4}\\r\\n\\t\\
02f0: 7425 7b53 2d31 2d32 2d31 7d5c 5c72 5c5c t%{S-1-2-1}\\r\\
0300: 6e5c 5c74 5c5c 7425 7b53 2d31 2d35 2d31 n\\t\\t%{S-1-5-1
0310: 317d 5c5c 725c 5c6e 5c5c 745c 5c74 257b 1}\\r\\n\\t\\t%{
0320: 532d 312d 352d 3135 7d5c 5c72 5c5c 6e5c S-1-5-15}\\r\\n\
0330: 5c74 5c5c 7425 7b53 2d31 2d35 2d31 3133 \t\\t%{S-1-5-113
0340: 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 }\\r\\n\\t\\t%{S
0350: 2d31 2d32 2d30 7d5c 5c72 5c5c 6e5c 5c74 -1-2-0}\\r\\n\\t
0360: 5c5c 7425 7b53 2d31 2d35 2d36 342d 3130 \\t%{S-1-5-64-10
0370: 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 }\\r\\n\\t\\t%{S
0380: 2d31 2d31 362d 3831 3932 7d -1-16-8192}
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscribe@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
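A way to verify a capture like the one above mechanically, added here and not code from the thread, from OSSEC or from any of the posters: rebuild the datagram from the hex groups of dan's tcpdump -X output, check that the IP and UDP length fields agree with the bytes actually captured, and check that the 4627 message's list of %{S-...} group SIDs is intact. The only input is the 907-byte frame from this message; the truncated case is produced by slicing that frame, and the brace-balance test is a heuristic chosen here for event 4627, not an OSSEC or CEF rule.

```python
"""Check a captured OSSEC csyslogd CEF datagram for truncation.
Added example, not code from the thread or from OSSEC. FRAME_HEX is the 907-byte
frame from dan's tcpdump -X output above, hex groups copied verbatim with the
offset and ASCII columns dropped so that bytes.fromhex can read them.
"""
import re
import struct

FRAME_HEX = """
b897 5ab1 0bc6 b8ac 6f7d d2e0 0800 4500 037d d9b9 0000 4011 0000 c0a8 1109 c0a8
1108 4858 252a 0369 5ef7 3c31 3332 3e53 6570 2032 3720 3038 3a32 343a 3232 2043
4546 3a30 7c54 7265 6e64 204d 6963 726f 2049 6e63 2e7c 4f53 5345 4320 4849 4453
7c76 322e 392e 307c 3730 3030 3033 7c42 4947 2061 6c65 7274 7c31 307c 6476 633d
6978 2063 7332 3d69 782d 3e2f 7661 722f 6c6f 672f 6d65 7373 6167 6573 2063 7332
4c61 6265 6c3d 4c6f 6361 7469 6f6e 2063 6c61 7373 6966 6963 6174 696f 6e3d 206c
6f63 616c 2c73 7973 6c6f 672c 2073 7573 6572 3d44 6573 6b74 6f70 2073 7573 6572
3d44 6573 6b74 6f70 206d 7367 3d53 6570 2032 3720 3038 3a32 343a 3231 2069 7820
5769 6e45 7674 4c6f 673a 2053 6563 7572 6974 793a 2041 5544 4954 5f53 5543 4345
5353 2834 3632 3729 3a20 4d69 6372 6f73 6f66 742d 5769 6e64 6f77 732d 5365 6375
7269 7479 2d41 7564 6974 696e 673a 2028 6e6f 2075 7365 7229 3a20 6e6f 2064 6f6d
6169 6e3a 2044 6573 6b74 6f70 3a20 3c53 7562 6a65 6374 5365 6375 7269 7479 4944
3e20 203c 5573 6572 6e61 6d65 3e20 4445 534b 544f 5020 3078 3138 6436 6663 203c
5375 626a 6563 7453 6563 7572 6974 7949 443e 203c 5573 6572 6e61 6d65 3e20 4445
534b 544f 5020 3078 3637 3533 3766 6135 2032 2031 2031 205c 5c72 5c5c 6e5c 5c74
5c5c 7425 7b53 2d31 2d35 2d32 312d 7878 7878 7878 7878 7878 2d78 7878 7878 7878
7878 782d 7878 7878 7878 7878 7878 2d78 7878 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425
7b53 2d31 2d31 2d30 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 2d31 2d35 2d31 3134
7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 2d31 2d35 2d32 312d 7878 7878 7878 7878
7878 2d78 7878 7878 7878 7878 782d 7878 7878 7878 7878 7878 2d78 7878 787d 5c5c
725c 5c6e 5c5c 745c 5c74 257b 532d 312d 352d 3332 2d35 3535 7d5c 5c72 5c5c 6e5c
5c74 5c5c 7425 7b53 2d31 2d35 2d33 322d 3534 357d 5c5c 725c 5c6e 5c5c 745c 5c74
257b 532d 312d 352d 3332 2d35 3434 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 2d31
2d35 2d34 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 2d31 2d32 2d31 7d5c 5c72 5c5c
6e5c 5c74 5c5c 7425 7b53 2d31 2d35 2d31 317d 5c5c 725c 5c6e 5c5c 745c 5c74 257b
532d 312d 352d 3135 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 2d31 2d35 2d31 3133
7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53 2d31 2d32 2d30 7d5c 5c72 5c5c 6e5c 5c74
5c5c 7425 7b53 2d31 2d35 2d36 342d 3130 7d5c 5c72 5c5c 6e5c 5c74 5c5c 7425 7b53
2d31 2d31 362d 3831 3932 7d
"""
FRAME = bytes.fromhex(FRAME_HEX)
ETH_HDR, UDP_HDR = 14, 8


def decode_frame(frame):
    """Walk Ethernet/IPv4/UDP; return the payload plus the lengths the headers
    claim, so the capture can be compared against what was actually received."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, udp_len = struct.unpack("!HHH", udp[:6])
    return {
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport, "ip_len": total_len, "udp_len": udp_len,
        "payload": udp[UDP_HDR:],
        # True only if every byte the IP and UDP headers announce was captured.
        "complete": total_len == len(ip) and udp_len == len(udp),
    }


def parse_syslog_cef(payload):
    """Split '<PRI>timestamp CEF:0|vendor|product|version|sigid|name|sev|ext'.
    Extension values may contain spaces, so each runs up to the next ' key='."""
    text = payload.decode("utf-8", errors="replace")
    m = re.match(r"<(\d{1,3})>(.*?)(CEF:\d.*)$", text, re.S)
    if not m:
        raise ValueError("not a syslog-wrapped CEF message")
    pri = int(m.group(1))
    fields = re.split(r"(?<!\\)\|", m.group(3), maxsplit=7)  # '\|' is an escaped pipe
    ext_text = fields[7] if len(fields) == 8 else ""
    ext = {k: v.strip() for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", ext_text, re.S)}
    eid = re.search(r"\((\d+)\):", ext.get("msg", ""))  # OSSEC writes 'AUDIT_SUCCESS(4627):'
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2).strip(),
            "header": fields[:7], "extension": ext, "event_id": eid.group(1) if eid else None}


def check_event(frame):
    """Return (ok, reasons): ok is True when nothing suggests the datagram was cut."""
    pkt = decode_frame(frame)
    msg = parse_syslog_cef(pkt["payload"])
    reasons = []
    if not pkt["complete"]:
        reasons.append("captured bytes do not match the IP/UDP length fields")
    if len(msg["header"]) < 7:
        reasons.append("CEF header is missing fields")
    event = msg["extension"].get("msg", "")
    # Event 4627 ends with the token's group SIDs written as %{S-...}. A message cut
    # by a fixed-size buffer usually stops inside one, so the braces no longer
    # balance; a cut landing exactly after a '}' would slip past this heuristic.
    if event.count("%{") != event.count("}"):
        reasons.append("msg= ends inside a %{SID} token")
    return not reasons, reasons


if __name__ == "__main__":
    pkt = decode_frame(FRAME)
    print(pkt["src"], "->", pkt["dst"], "udp", len(pkt["payload"]), check_event(FRAME))
    print("same frame cut at 690 bytes:", check_event(FRAME[:690]))
```

Running the file prints the endpoints, the 865-byte payload length and `(True, [])` for the captured frame, then two reasons for the 690-byte cut. Against a real csyslogd problem the distinction matters: a datagram that OSSEC itself cut short arrives whole on the wire, so only the %{SID} check fires, whereas a capture or network problem trips the length comparison first.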