Chad Harbin
2018-11-07 18:41:25 UTC
Guys,
I really need your help. I am new to this and not getting very far. Our
developer created a custom ASP.NET application that logs to the
Application event logs when a user successfully logs in or fails to log in
to the app.
Here is what I am working with. Not sure how to make this work.
2018 Nov 02 17:52:42 (example.com) 10.0.10.120->WinEvtLog 2018 Nov 02
13:52:39 WinEvtLog: Application: INFORMATION(10): Extranet.WebApplication:
(no user):
no domain: example.com: 2018-11-02 13:52:39,622 [25] INFO GeneralLogger
[(null)] - Successful login for: ***@example.com
<decoder name="extranet">
  <prematch>10.0.10.120</prematch>
</decoder>
<decoder name="extranet-auth">
  <parent>extranet</parent>
  <prematch offset="after_parent">^- </prematch>
  <regex offset="after_parent">^(\S+) login for: (\S+)</regex>
  <order>status, extra_data</order>
</decoder>
Here is what I get from the logtest.
**Phase 1: Completed pre-decoding.
full event: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog:
Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com:
2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful
login for: ***@example.com'
timestamp: '(null)'
hostname: 'ip-10-0-10-15'
program_name: '(null)'
log: '10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog:
Application: INFORMATION(10): EXTRANET: (no user): no domain: example.com:
2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful
login for: ***@example.com'
**Phase 2: Completed decoding.
decoder: 'otpextranet'
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
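
An added diagnostic, not part of the original post and not OSSEC code: it approximates in Python where the two offset="after_parent" patterns of the posted "extranet-auth" decoder are tested against the logtest line. It assumes after_parent means "start right after the parent's prematch match" and uses Python's re module in place of OSSEC's regex engine; the function names are hypothetical.

```python
import re

# Log line as logtest shows it after pre-decoding (copied from the post, joined onto one line).
LOG = ("10.0.10.120->WinEvtLog 2018 Nov 07 13:00:42 WinEvtLog: Application: "
       "INFORMATION(10): EXTRANET: (no user): no domain: example.com: "
       "2018-11-07 13:00:42,209 [36] INFO GeneralLogger [(null)] - Successful "
       "login for: ***@example.com")

PARENT_PREMATCH = r"10\.0\.10\.120"        # <prematch> of "extranet" (dots escaped so Python treats them literally)
CHILD_PREMATCH = r"^- "                    # <prematch offset="after_parent">
CHILD_REGEX = r"^(\S+) login for: (\S+)"   # <regex offset="after_parent">


def after_parent(log, parent_prematch):
    """Text a child pattern with offset="after_parent" is tested against (assumed
    semantics): everything after the parent's prematch match, or None if no match."""
    m = re.search(parent_prematch, log)
    return log[m.end():] if m else None


def child_result(log):
    """Apply the child decoder's two patterns at the position the offsets give them."""
    rest = after_parent(log, PARENT_PREMATCH)
    if rest is None:
        return {"parent": False}
    return {
        "parent": True,
        "rest_starts_with": rest[:12],
        "prematch": re.search(CHILD_PREMATCH, rest) is not None,
        "regex": re.search(CHILD_REGEX, rest) is not None,
    }


def locate_fields(log):
    """Where the target text really sits in the after_parent remainder, and what the
    two groups capture when the pattern is not pinned to the start of that text."""
    rest = after_parent(log, PARENT_PREMATCH)
    m = re.search(r"- (\S+) login for: (\S+)", rest) if rest else None
    return (m.start(), m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print(child_result(LOG))    # both child patterns are tested at "->WinEvtLog ..."
    print(locate_fields(LOG))   # offset of "- Successful login for: ..." and the two groups
```

The remainder after the parent match begins with "->WinEvtLog", so both "^"-anchored child patterns are tested there, far from the "- Successful login for:" text near the end of the line.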