AV - Alert - "1464101661" --> RID: "18107"; RL: "3"; RG: "windows,authentication_success,"; RC: "Windows Logon Success."; USER: "CS728164$"; SRCIP: "None"; HOSTNAME: "(wxapssccmp02) 172.31.85.20->WinEvtLog"; LOCATION: "(wxapssccmp02) 172.31.85.20->WinEvtLog"; EVENT: "[INIT]2016 May 24 15:54:24 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: CS728164$: WWCORP: WXAPSSCCMP02.wwcorp.ad.com: An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 New Logon: Security ID: S-1-5-21-2620467932-2985055717-1971156654-35314 Account Name: CS728164$ Account Domain: WWCORP Logon ID: 0x39c93d0b Logon GUID: {FC27F335-2FC6-ED5B-4900-B7F72E732058} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: 192.168.177.14 Source Port: 53463 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. [END]";
I'd like to have fields for hostname, IP, username if possible? I know NXLOG does an amazing job of doing all of this, but management want to use alienvault/ossec and don't want multiple agents on servers.
Paul S - Using Nagios XI, Network Analyzer, Log Server
I'm not going to attempt to look at your data, but yes, grok is your friend. Full details on how to grok patterns are available at https://www.elastic.co/guide/en/logstas ... -grok.html and there are lots of examples of things if you do some searching.
@eloyd is right - this is related to Grok filtering. You will need to set one up to parse the logs that are coming in, which will allow you to create fields.
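One way to carve the hostname, IP and username out of the exact alert format posted above, as an added example rather than configuration from this thread or from Nagios: a Logstash filter block (Nagios Log Server filters are Logstash filters) with two grok passes, one for the AlienVault/OSSEC envelope and one for the Windows 4624 event wrapped inside it. The field names are my own choice; only the literal text between them comes from the posted line.

```logstash
filter {
  # Only touch AlienVault/OSSEC alert lines; everything else passes through untouched.
  if [message] =~ /^AV - Alert - / {
    grok {
      # Outer envelope: the key/value pairs OSSEC wraps around the raw Windows event.
      # Single quotes so the literal double quotes in the alert need no escaping.
      match => { "message" => 'AV - Alert - "%{NUMBER:alert_epoch}" --> RID: "%{NUMBER:rule_id:int}"; RL: "%{NUMBER:rule_level:int}"; RG: "%{DATA:rule_groups}"; RC: "%{DATA:rule_description}"; USER: "%{DATA:ossec_user}"; SRCIP: "%{DATA:src_ip}"; HOSTNAME: "\(%{HOSTNAME:agent_hostname}\) %{IP:agent_ip}->%{DATA:log_channel}"; LOCATION: "%{DATA:location}"; EVENT: "%{GREEDYDATA:event_message}";' }
      tag_on_failure => ["_grok_av_envelope_failure"]
    }
    # The alert id is epoch seconds (1464101661 = 2016-05-24 14:54:21 UTC, matching the
    # 15:54 local event time), so use it as the event time instead of the ingest time.
    date {
      match  => ["alert_epoch", "UNIX"]
      target => "@timestamp"
    }
    # OSSEC writes the literal string None when it has no source IP; drop the field
    # rather than index a value that would break IP-typed searches.
    if [src_ip] == "None" {
      mutate { remove_field => ["src_ip"] }
    }
    # Inner Windows Security event: logon account, domain, logon type and network source.
    # The non-greedy .*? after "New Logon:" skips the Subject block, whose Account Name is "-".
    if [event_message] =~ /WinEvtLog: Security:/ {
      grok {
        match => { "event_message" => '%{WORD:audit_result}\(%{NUMBER:win_event_id:int}\).*Logon Type: %{NUMBER:logon_type:int}.*New Logon:.*?Account Name: %{NOTSPACE:logon_account} Account Domain: %{NOTSPACE:logon_domain}.*Source Network Address: %{NOTSPACE:logon_src_address} Source Port: %{NOTSPACE:logon_src_port}' }
        tag_on_failure => ["_grok_win_logon_failure"]
      }
    }
  }
}
```

On the posted line this yields agent_hostname "wxapssccmp02", agent_ip "172.31.85.20", ossec_user and logon_account "CS728164$", logon_domain "WWCORP", logon_type 3 and logon_src_address "192.168.177.14"; events that do not fit get a failure tag instead of silently losing fields, which is worth dashboarding on.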