On Wed, Jun 15, 2016 at 9:24 AM, Kevin Branch <ke...@branchnetconsulting.com> wrote:
> I think it would be ideal for the agent to decode the %% access rights codes
> and then send the logs along looking like the Windows event viewer would
> display them. Not only would the stored logs be much easier to meaningfully
> review, but also building OSSEC rules to fire on specific audit events would
> be easier as the names of access rights rather than the codes could be keyed
> on.
>
> I would like to think there was a Windows API call for getting the access
> rights name that corresponds to a given %% code, but I have very little
> insight at this level, not having Windows development experience. If a
> suitable API call cannot be found, it does appear that the number of codes
> is small enough that it could be hard coded into the agent, assuming the
> codes are consistent across Windows versions. For example, there are about
> 15 access rights names associated with file audit events according to:
>
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx
>
> I have been tasked by a client to set up Logstash translation of %% access
> rights codes to names in Windows audit logs events. Once I have a table of
> codes to names worked out, would you all be interested in potentially
> incorporating it into the OSSEC agent? I'd be happy to share it.
>
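As an added illustration of the decoding the post asks for (example code, not part of the original thread or of OSSEC), the function below translates the `%%` access-right codes found in the `Accesses` field of Windows file audit events into their names. The code-to-name table is a constructed excerpt based on Microsoft's file access rights documentation and should be checked against the linked page; unknown codes are passed through untouched so a rule can still key on them.

```python
import re

# Constructed excerpt of the %% code -> access right name table used in
# Windows file system audit events (e.g. Event ID 4663). Values follow
# Microsoft's documented file access rights; verify against the MSDN page
# linked in the post before relying on them in production rules.
FILE_ACCESS_RIGHTS = {
    "%%1537": "DELETE",
    "%%1538": "READ_CONTROL",
    "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER",
    "%%1541": "SYNCHRONIZE",
    "%%1542": "ACCESS_SYS_SEC",
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4421": "Execute/Traverse",
    "%%4422": "DeleteChild",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

# A %% code is two percent signs followed by a decimal number.
CODE_RE = re.compile(r"%%\d+")


def decode_accesses(field):
    """Turn an Accesses field such as '%%4416\\n\\t\\t%%1541' into names.

    Event Viewer separates codes with newlines and tabs; the regex ignores
    that whitespace. Codes missing from the table are kept verbatim so
    nothing is silently dropped from the log.
    """
    return [FILE_ACCESS_RIGHTS.get(code, code) for code in CODE_RE.findall(field)]


def decode_message(message):
    """Rewrite a whole event message, replacing each %% code with its name."""
    return CODE_RE.sub(lambda m: FILE_ACCESS_RIGHTS.get(m.group(0), m.group(0)), message)


# Constructed sample fragment of a 4663-style message as an agent might see it.
SAMPLE_MESSAGE = "Object Name: C:\\\\payroll\\\\salaries.xlsx Accesses: %%4417\n\t\t\t\t%%1539\n\t\t\t\t%%9999"

if __name__ == "__main__":
    print(decode_accesses("%%4417\n\t\t\t\t%%1539\n\t\t\t\t%%9999"))
    print(decode_message(SAMPLE_MESSAGE))
```

With names in the stored log, a rule can match on `WRITE_DAC` or `DELETE` directly instead of on the numeric code.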