Hello,

A few weeks ago we posted a collection of patterns for Windows 2k8 (but most of it should also work with other releases). While there were many people downloading it, I received no feedback at all. So I'd like to ask, what are your experiences with it? Where could it be improved?

Please leave your comments here or answer me in private (some UNIX admins tend to keep it secret that they also deal with Windows machines :-) ), so we could make our Windows patterns more useful for you!

For those who missed the original announcement, you can read it at https://czanik.blogs.balabit.com/2011/07/patterns-for-windows-server-2008/

Bye,
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
On 01/09/2011 10:29, Peter Czanik wrote:
Hello Peter,

Currently I am trying to use your pattern as a model for a current project we have at work:

1. detect file system event log messages (access, write, delete, creation ...),
2. extract information from them (user name, domain name, file pathname ...),
3. use the extracted information to write new log messages following a predefined template.

I am currently at stage 1): I have to choose the correct log messages. Caution: messages are in French.

And I am not sure that I will be able to generate the new log messages with the extracted information.

So, yes, your Windows logs pattern file is a really useful file for us!

BR
Christophe

*****************************************************
"The content of this e-mail and any attachments is confidential. It is intended exclusively for the addressee. If this message is not intended for you, or if you received it by mistake, you must not forward it to others or reproduce it, so as not to breach the confidentiality of correspondence. Please return it to the sender and destroy it.
Note: the sender's organisation cannot be held responsible for any alteration of this e-mail. It is the recipient's responsibility to check that the messages and attachments received do not contain viruses. The opinions expressed in this e-mail and any attachments are those of the sender. They do not reflect the position of the organisation unless otherwise stated in this e-mail."
******************************************************
My issue is that I use eventlog-to-syslog, so the patterns don't work for me.

On Thu, Sep 1, 2011 at 8:27 AM, Christophe Brocas <christophe.brocas@cnamts.fr> wrote:
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hello,

On 09/01/2011 06:30 PM, Martin Holste wrote:
My issue is that I use eventlog-to-syslog, so the patterns don't work for me.
Do you know what the differences are? I mean, is it random, or can the current patterns be transformed to be useful for eventlog-to-syslog by adding/removing fields, changing line breaks, etc.?

Bye,
CzP
--
Peter Czanik (CzP) <czanik@balabit.hu>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
Here's the pattern ruleset for evtsys, as available in ELSA, where i0 is the Windows event ID and s0 is the username.

<ruleset name="Windows_evtsys" id='4'>
  <!-- no program pattern -->
  <rules>
    <rule provider="DET" class='4' id='4'>
      <patterns>
        <pattern>@NUMBER:i0:@: @ESTRING:s0::@</pattern>
        <pattern>@NUMBER:i0:@: @ANYSTRING::@</pattern>
      </patterns>
      <examples>
        <example>
          <test_message program="Service_Control_Manager">7035: NT AUTHORITY\SYSTEM: The COH_Mon service was successfully sent a start control.</test_message>
          <test_values>
            <test_value name="i0">7035</test_value>
            <test_value name="s0">NT AUTHORITY\SYSTEM</test_value>
          </test_values>
        </example>
        <example>
          <test_message program="SceCli">1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred. For best results in resolving this event, log on with a non-administrative account and search http://support.microsoft.com for "Troubleshooting Event 1202's".</test_message>
          <test_values>
            <test_value name="i0">1202</test_value>
            <test_value name="s0">Security policies were propagated with warning. 0x4b8 </test_value>
          </test_values>
        </example>
      </examples>
    </rule>
  </rules>
</ruleset>

On Fri, Sep 2, 2011 at 3:17 AM, Peter Czanik <czanik@balabit.hu> wrote:
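The two-pattern evtsys ruleset above, together with the detect / extract / rewrite steps Christophe describes earlier in the thread, as an added example that is not code from the thread, from syslog-ng or from ELSA. It is a small Python emulation of the three patterndb parsers the ruleset uses; the parser semantics (@NUMBER@ takes digits, @ESTRING@ takes text up to its delimiter and consumes it, @ANYSTRING@ takes the rest) are my assumptions, as is the DOMAIN\name shape check, and the sample lines are constructed: the first two are the ruleset's own test messages, the third is an invented French object-access line (event ID 4663 is a real Windows event ID, the text is made up) standing in for the French file system messages mentioned, and the fourth has no second colon so only the @ANYSTRING@ rule fits. The point the 1202 example already makes is carried into the code: s0 is whatever precedes the next colon, not necessarily a username, so the rewrite step validates it before emitting it as an account.

```python
"""Simplified emulation of the Windows_evtsys patterndb rules from the thread.

Added example, not code from the thread, from syslog-ng or from ELSA. Only the
three parsers the ruleset uses are implemented, with these assumed semantics:
@NUMBER@ takes a run of digits, @ESTRING@ takes everything up to its delimiter
and consumes the delimiter, @ANYSTRING@ takes the rest of the message. A
pattern counts as matched once all of its parsers and literals have matched;
how syslog-ng treats text left over after the pattern is not modelled here,
so verify real rulesets with `pdbtool test`.
"""
import re
from typing import Dict, Optional, Tuple

# Patterns copied verbatim from the ruleset in the thread, in rule order.
EVTSYS_PATTERNS = [
    "@NUMBER:i0:@: @ESTRING:s0::@",
    "@NUMBER:i0:@: @ANYSTRING::@",
]

# Constructed sample lines. The first two are the ruleset's own test messages;
# the third is invented (4663 is the real object-access event ID, the French
# text is made up) to stand in for the French file system messages in the
# thread; the fourth has no second colon, so only the @ANYSTRING@ rule fits.
SAMPLE_MESSAGES = [
    "7035: NT AUTHORITY\\SYSTEM: The COH_Mon service was successfully sent a start control.",
    "1202: Security policies were propagated with warning. 0x4b8 : An extended error has occurred.",
    "4663: CORP\\jdupont: Tentative d'accès à un objet. C:\\Partage\\paie.xlsx",
    "6005: The Event log service was started.",
]

PARSER_RE = re.compile(r"@(NUMBER|ESTRING|ANYSTRING):(\w*):([^@]*)@")
# DOMAIN\name shape, as in NT AUTHORITY\SYSTEM or CORP\jdupont (assumed check).
ACCOUNT_RE = re.compile(r"^[A-Za-z0-9 ._-]+\\[A-Za-z0-9 ._$-]+$")
TEMPLATE = "event_id={i0} account={account} detail={detail}"


def match_pattern(pattern: str, message: str) -> Optional[Tuple[Dict[str, str], int]]:
    """Match one patterndb-style pattern against a message.

    Returns (named values, number of message characters consumed) on success,
    None if any literal or parser fails to match.
    """
    values: Dict[str, str] = {}
    p_pos = m_pos = 0
    for parser in PARSER_RE.finditer(pattern):
        # Literal text between two parsers must appear verbatim in the message.
        literal = pattern[p_pos:parser.start()]
        if not message.startswith(literal, m_pos):
            return None
        m_pos += len(literal)
        kind, name, arg = parser.groups()
        if kind == "NUMBER":
            digits = re.match(r"\d+", message[m_pos:])
            if digits is None:
                return None
            value = digits.group(0)
            m_pos += len(value)
        elif kind == "ESTRING":
            end = message.find(arg, m_pos)
            if end < 0:
                return None
            value = message[m_pos:end]
            m_pos = end + len(arg)
        else:  # ANYSTRING
            value = message[m_pos:]
            m_pos = len(message)
        if name:  # unnamed parsers such as @ANYSTRING::@ match but store nothing
            values[name] = value
        p_pos = parser.end()
    tail = pattern[p_pos:]
    if not message.startswith(tail, m_pos):
        return None
    return values, m_pos + len(tail)


def parse_evtsys(message: str) -> Optional[Dict[str, str]]:
    """Try the rules in order and return the first match.

    Text left after the pattern is kept under "unparsed" so the rewrite step
    can still carry it.
    """
    for pattern in EVTSYS_PATTERNS:
        result = match_pattern(pattern, message)
        if result is not None:
            values, consumed = result
            values["unparsed"] = message[consumed:].strip()
            return values
    return None


def looks_like_account(value: str) -> bool:
    """The ruleset labels s0 as the username, but the 1202 example shows s0 is
    really 'whatever precedes the next colon'. Check the shape before trusting it."""
    return ACCOUNT_RE.match(value) is not None


def rewrite(message: str) -> Optional[str]:
    """Step 3 of the plan in the thread: re-emit the extracted fields in a fixed
    template. An s0 that is not an account name is reported as '-' rather than
    being passed downstream as a user."""
    values = parse_evtsys(message)
    if values is None:
        return None
    s0 = values.get("s0", "")
    if looks_like_account(s0):
        account, detail = s0, values["unparsed"]
    else:
        # Nothing usable in s0: keep the whole body after the "ID: " prefix.
        account, detail = "-", message.split(": ", 1)[1]
    return TEMPLATE.format(i0=values["i0"], account=account, detail=detail)


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(rewrite(line))
```

Running the file prints one templated line per sample; the 1202 line comes out with account=- because its s0 is a message fragment, which is exactly the case a downstream "who did what" report must not misattribute. For the real thing, the same check belongs in the syslog-ng configuration between the db-parser and the template, and the ruleset itself should be exercised with pdbtool test rather than with this emulation.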
participants (3)
- Christophe Brocas
- Martin Holste
- Peter Czanik