Discussion:
[ossec-list] I need help with a decoder and rule for Windows application events
Chad Harbin
2018-11-07 18:41:25 UTC
Guys,

I really need your help. I am new to this and not getting very far. Our
developer created a custom ASP.NET application that logs to the
Application event log when a user successfully logs in or fails to log in
to the app.

Here is what I am working with. Not sure how to make this work.

2018 Nov 02 17:52:42 (example.com) 10.0.10.120->WinEvtLog 2018 Nov 02
13:52:39 WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication:
(no user):
no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO GeneralLogger
[(null)] - Successful login for: ***@example.com

<decoder name="extranet">
<prematch>10.0.10.120</prematch>
</decoder>

<decoder name="extranet-auth">
<parent>extranet</parent>
<prematch offset="after_parent">^- </prematch>
<regex offset="after_parent">^(\S+) login for: (\S+)</regex>
<order>status, extra_data</order>
</decoder>

Here is what I get from the logtest.

**Phase 1: Completed pre-decoding.
full event: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog:
Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com:
2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful
login for: ***@example.com'
timestamp: '(null)'
hostname: 'ip-10-0-10-15'
program_name: '(null)'
log: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog:
Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com:
2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful
login for: ***@example.com'

**Phase 2: Completed decoding.
decoder: 'otpextranet'
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
dan (ddp)
2018-11-07 18:53:52 UTC
Guys,
I really need your help. I am new to this and not getting very far. Our developer created a custom ASP.NET application that logs to the Application event log when a user successfully logs in or fails to log in to the app.
Here is what I am working with. Not sure how to make this work.
You got this from archives.log, right? The first part ("2018 Nov 02
17:52:42 (example.com) 10.0.10.120->WinEvtLog ") is a header, and
shouldn't be included.

The initial decoding looks like this (using ossec-logtest):
**Phase 1: Completed pre-decoding.
full event: '2018 Nov 02 13:52:39 WinEvtLog: Application:
INFORMATION(10): Extranet.WebApplication: (no user): no domain:
example.com: 2018-11-02 13:52:39,622 [25] INFO GeneralLogger [(null)]
- Successful login for: ***@example.com'
hostname: 'ix'
program_name: 'WinEvtLog'
log: 'Application: INFORMATION(10): Extranet.WebApplication:
(no user): no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO
GeneralLogger [(null)] - Successful login for: ***@example.com'

**Phase 2: Completed decoding.
decoder: 'windows'
status: 'INFORMATION'
id: '10'
extra_data: 'Extranet.WebApplication'
dstuser: '(no user)'
system_name: 'example.com'

**Phase 3: Completed filtering (rules).
Rule id: '18101'
Level: '0'
Description: 'Windows informational event.'

So you can probably build off of the windows decoder, unless (see below)...
<decoder name="extranet">
<prematch>10.0.10.120</prematch>
</decoder>
<decoder name="extranet-auth">
<parent>extranet</parent>
<prematch offset="after_parent">^- </prematch>
<regex offset="after_parent">^(\S+) login for: (\S+)</regex>
<order>status, extra_data</order>
</decoder>
Here is what I get from the logtest.
**Phase 1: Completed pre-decoding.
timestamp: '(null)'
hostname: 'ip-10-0-10-15'
program_name: '(null)'
**Phase 2: Completed decoding.
decoder: 'otpextranet'
This looks very strange. It suggests something is wrong, or the
environment is heavily customized.
Heavy customization would limit the amount of help I can offer.
Chad Harbin
2018-11-07 18:59:07 UTC
Yes getting the logs from archives.log. I am open to any suggestion on how
to decode these logs. Please provide examples and thank you.
dan (ddp)
2018-11-07 19:16:15 UTC
Yes getting the logs from archives.log. I am open to any suggestion on how to decode these logs. Please provide examples and thank you.
Between "windows" and "windows1":
<decoder name="windows2">
<type>windows</type>
<parent>windows</parent>
<prematch>GeneralLogger</prematch>
<regex> GeneralLogger \S+ - (\.+) for: (\S+)</regex>
<order>status, srcuser</order>
</decoder>
Chad Harbin
2018-11-07 19:22:13 UTC
I get the following when I run logtest.

**Phase 2: Completed decoding.
No decoder matched.
dan (ddp)
2018-11-07 22:16:08 UTC
Post by Chad Harbin
I get the following when I run logtest.
**Phase 2: Completed decoding.
No decoder matched.
The initial test you posted also had something other than “windows” as the
decoder. Something’s strange with your install; it seems much more
customized than I can help you with, without access to the system or
configs anyway.
Chad Harbin
2018-11-08 15:14:38 UTC
That decoder is coming from /var/ossec/etc/decoders/local_decoder.xml entry
that I added. I removed otpextranet in the example I originally posted and
changed to extranet.

<decoder name="otpextranet">
<prematch>10.0.10.120</prematch>
</decoder>

and when I run logtest I get the following, because it matches the IP.

**Phase 2: Completed decoding.
decoder: 'otpextranet'
dan (ddp)
2018-11-08 15:24:27 UTC
That decoder is coming from /var/ossec/etc/decoders/local_decoder.xml entry that I added. I removed otpextranet in the example I originally posted and changed to extranet.
Ok, so that won't match with the actual log messages you're receiving.
<decoder name="otpextranet">
<prematch>10.0.10.120</prematch>
</decoder>
and when I run logtest I get the following, because it matches the IP.
**Phase 2: Completed decoding.
decoder: 'otpextranet'
Chad Harbin
2018-11-08 15:39:51 UTC
I get a match with the following decoder, but nothing afterwards.

This works
<decoder name="extranet">
<prematch>10.0.10.120</prematch>
</decoder>

But this doesn't
<decoder name="extranet-auth">
<parent>extranet</parent>
<prematch offset="after_parent">^- </prematch>
<regex offset="after_parent">^(\S+) login for: (\S+)</regex>
<order>status, extra_data</order>
</decoder>
dan (ddp)
2018-11-08 15:41:34 UTC
Post by Chad Harbin
I get a match with the following decoder but nothing afterwards
This works
<decoder name="extranet">
<prematch>10.0.10.120</prematch>
</decoder>
I'm not sure why you get a match, that string doesn't appear in the
log message you provided:
2018 Nov 02 13:52:39 WinEvtLog: Application: INFORMATION(10):
Extranet.WebApplication: (no user):
no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO
Post by Chad Harbin
But this doesn't
<decoder name="extranet-auth">
<parent>extranet</parent>
<prematch offset="after_parent">^- </prematch>
<regex offset="after_parent">^(\S+) login for: (\S+)</regex>
<order>status, extra_data</order>
</decoder>
dan (ddp)
2018-11-08 15:45:43 UTC
Post by dan (ddp)
Post by Chad Harbin
I get a match with the following decoder but nothing afterwards
This works
<decoder name="extranet">
<prematch>10.0.10.120</prematch>
</decoder>
I'm not sure why you get a match, that string doesn't appear in the
log message you provided.
To further explain, the message you provided includes a header that is
written to archives.log:
2018 Nov 02 17:52:42 (example.com) 10.0.10.120->WinEvtLog 2018 Nov 02
13:52:39 WinEvtLog: Application: INFORMATION(10):
Extranet.WebApplication: (no user):
no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO
GeneralLogger [(null)] - Successful login for: ***@example.com

Everything before the second timestamp is the header. analysisd does
not see that information when analyzing the actual event. The log
message it sees is:
2018 Nov 02 13:52:39 WinEvtLog: Application: INFORMATION(10):
Extranet.WebApplication: (no user):
no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO
GeneralLogger [(null)] - Successful login for: ***@example.com

So this is the log message you need to test against. As you can see,
the IP address you have in your prematch does not match this log
message.
This is probably why I got different results (my tests matched the
windows decoder) than you.
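The header-stripping point made in this reply and the windows2 child decoder dan posted earlier in the thread, as an added Python example that is not part of the thread or of OSSEC itself: it removes the archives.log header so a prematch is tested against what analysisd actually sees, translates the OSSEC regex subset used by windows2 into Python `re`, and pulls out `status` and `srcuser`. The sample lines are constructed from the format shown in the thread; the failed-login wording and the simplified parent/child decoding model are assumptions.

```python
import re

# Constructed sample archives.log lines in the format shown in the thread; the
# failed-login wording is an assumption, the page only shows the successful case.
ARCHIVE_LINES = [
    "2018 Nov 02 17:52:42 (example.com) 10.0.10.120->WinEvtLog 2018 Nov 02 13:52:39 "
    "WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication: (no user): "
    "no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO GeneralLogger [(null)] "
    "- Successful login for: user@example.com",
    "2018 Nov 02 17:53:10 (example.com) 10.0.10.120->WinEvtLog 2018 Nov 02 13:53:07 "
    "WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication: (no user): "
    "no domain: example.com: 2018-11-02 13:53:07,101 [25] INFO GeneralLogger [(null)] "
    "- Failed login for: user@example.com",
]

# archives.log prefixes each event with "<timestamp> (<agent>) <agent ip>-><location> ".
HEADER_RE = re.compile(r"^\w{4} \w{3} \d\d \d\d:\d\d:\d\d \(\S+\) \S+->\S+ ")
# Pre-decoding of the remaining event: "<timestamp> <program_name>: <log>".
PREDECODE_RE = re.compile(r"^\w{4} \w{3} \d\d \d\d:\d\d:\d\d (\S+): (.*)$")

# dan's windows2 child decoder from the thread, as plain data.
WINDOWS2 = {
    "name": "windows2",
    "parent": "windows",
    "prematch": "GeneralLogger",
    "regex": r" GeneralLogger \S+ - (\.+) for: (\S+)",
    "order": ["status", "srcuser"],
}

def strip_archive_header(line):
    """Return the event as analysisd sees it: everything after the archives.log header."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an archives.log line: %r" % line[:40])
    return line[m.end():]

def ossec_regex_to_python(pattern):
    """OSSEC syntax subset: backslash-dot is 'any char', a bare dot is literal, and the
    \\S, \\s, \\d and \\w escapes carry over unchanged (other OSSEC escapes not handled)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            out.append("." if pattern[i + 1] == "." else c + pattern[i + 1])
            i += 2
        else:
            out.append(r"\." if c == "." else c)
            i += 1
    return "".join(out)

def decode(event, child=WINDOWS2):
    """Mimic logtest phase 2 (assumed model): parent 'windows' matches on program_name
    WinEvtLog, the child is tried only then, and only its own fields are added."""
    m = PREDECODE_RE.match(event)
    if not m or m.group(1) != "WinEvtLog":
        return None                      # no decoder matched
    log = m.group(2)
    fields = {"decoder": child["parent"], "program_name": m.group(1)}
    if not re.search(ossec_regex_to_python(child["prematch"]), log):
        return fields                    # child prematch failed: stays at 'windows'
    rm = re.search(ossec_regex_to_python(child["regex"]), log)
    if rm:
        fields["decoder"] = child["name"]
        fields.update(zip(child["order"], rm.groups()))
    return fields
```

Feeding `strip_archive_header(line)` rather than the raw archives.log line into `decode` reproduces the thread's point: the agent IP from the header is not present in the event, so an IP-based prematch cannot match there.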