# Copyright (c) 2014 Flowerfire, Inc. All Rights Reserved. ossec_alert = { plugin_version = "1.0" info.1.manufacturer = "OSSEC" info.1.device = "Alert Log" info.1.version.1 = "" # 2014-01-17 - 1.0 - GMF - Initial implementation # The name of the log format log.format.format_label = "OSSEC Alert Log Format" log.miscellaneous.log_data_type = "other" log.miscellaneous.log_format_type = "other" # The log is in this format if any of the first ten lines match this regular expression log.format.autodetect_regular_expression = "^[*][*] Alert [0-9]+[.][0-9]+: - " # Use parsing filters log.format.parse_only_with_filters = true # Log fields log.fields = { date = "" time = "" type = "" hostname = "" ip_address = "" rule = "" user = "" message = "" events = "" } # log.fields #** Alert 1386050401.15823: - windows,authentication_success, #2013 Dec 03 00:00:01 (domain01.abc.com) 12.34.56.78->WinEvtLog #Rule: 18107 (level 3) -> 'Windows Logon Success.' #User: DOMAIN01$ #WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: DOMAIN01$: UW-UHS: domain01.abc.com: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-18 Account Name: DOMAIN01$ Account Domain: UW-UHS Logon ID: 0xeeba971 Logon GUID: {57C4A82C-2B4A-F32D-14DA-CCD04D1D5069} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: fe80::1ae9:ae14:c1e4:f3c4 Source Port: 51975 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. log.parsing_filters.parse = ` if (matches_regular_expression(current_log_line(), "^[*][*] Alert [0-9]+[.][0-9]+: - (.*)$")) then set_collected_field('', 'type', $1); else if (matches_regular_expression(current_log_line(), "^([0-9]+) ([A-Z][a-z][a-z]) ([0-9]+) ([0-9:]+) [(]([^)]+)[)] ([0-9.]+)->(.*)$")) then ( set_collected_field('', 'date', $3 . '/' . $2 . '/' . $1); set_collected_field('', 'time', $4); set_collected_field('', 'hostname', $5); set_collected_field('', 'ip_address', $6); ); else if (matches_regular_expression(current_log_line(), "^Rule: (.*)$")) then set_collected_field('', 'rule', $1); else if (matches_regular_expression(current_log_line(), "^User: (.*)$")) then set_collected_field('', 'user', $1); else if (matches_regular_expression(current_log_line(), "^WinEvtLog: (.*)$")) then ( set_collected_field('', 'message', $1); accept_collected_entry('', false); ); ` # parsing filters # Database fields database.fields = { date_time = "" day_of_week = "" hour_of_day = "" type = "" hostname = "" ip_address = "" rule = "" user = "" message = { type = "unnormalized_string" index = false add_default_xref_table = false } # message } # database.fields database.numerical_fields = { events = { default = true entries_field = true } # events } # database.numerical_fields log.filters = { mark_entry = { label = '$lang_admin.log_filters.mark_entry_label' comment = '$lang_admin.log_filters.mark_entry_comment' value = 'events = 1;' } # mark_entry } # log.filters create_profile_wizard_options = { # How the reports should be grouped in the report menu report_groups = { date_time_group = "" } # report_groups } # create_profile_wizard_options } # ossec_alert