raw logs from windows


Andrey

Oct 18, 2023, 7:47:34 AM
to Wazuh | Mailing List
Hi everyone,
What do raw logs from Windows look like? For example 4624 and 4625,
exactly before processing by decoders and rules.
I found the full_log field in archives, but there is JSON there,
and judging by the examples in the repository (found in the file with Windows decoders) it should be in this format:

2017 Apr 18 17:30:52 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-1: An account failed to log on. Subject: Security ID: S-1-5-10 Account Name: WIN-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 10 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Santiago Account Domain: test2 Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0xb50 Caller Process Name: C:/\Windows\System32\winlogon.exe Network Information: Workstation Name: WIN-1 Source Network Address: 17.217.25.247 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It.

Isaiah Daboh

Oct 18, 2023, 9:19:25 AM
to Wazuh | Mailing List
Hello,

The example you have is exactly what the raw logs look like before processing. You can get the user-friendly view and the XML from here.

Regards,
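Both representations Andrey ran into (the legacy "WinEvtLog:" text line quoted in the first post and the JSON that now lands in full_log) encode the same event, so the useful thing to have is one parser that accepts whatever full_log holds. The Python below is an added example, not code from this thread or from Wazuh: it parses the legacy line format into sections (so the Subject account and the account the logon failed for are kept apart), maps a constructed eventchannel-style JSON record to the same fields, and names the 4625 failure from the NTSTATUS Sub Status. The JSON key names (win.system.eventID, win.eventdata.targetUserName and so on) are an assumption about that format, both sample inputs are constructed, and helper names such as parse_raw and failure_reason are ours.

```python
import json
import re

# Header of the legacy "WinEvtLog:" line format shown in the first post.
HEADER = re.compile(
    r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} WinEvtLog: (?P<channel>[^:]+): "
    r"(?P<type>[A-Z_]+)\((?P<event_id>\d+)\): (?P<provider>[^:]+): "
    r"\([^)]*\): [^:]+: (?P<host>[^:]+): (?P<message>.*)$")

# Labels of the flattened 4624/4625 message body. Longest first so that
# "Sub Status" is tried before "Status" and "Caller Process Name" before "Process Name".
LABELS = sorted([
    "Subject", "Security ID", "Account Name", "Account Domain", "Logon ID", "Logon Type",
    "Account For Which Logon Failed", "New Logon", "Failure Information", "Failure Reason",
    "Status", "Sub Status", "Process Information", "Caller Process ID", "Caller Process Name",
    "Process ID", "Process Name", "Network Information", "Workstation Name",
    "Source Network Address", "Source Port", "Detailed Authentication Information",
    "Logon Process", "Authentication Package", "Transited Services",
    "Package Name (NTLM only)", "Key Length"], key=len, reverse=True)
SECTIONS = {"Subject", "Account For Which Logon Failed", "New Logon", "Failure Information",
            "Process Information", "Network Information", "Detailed Authentication Information"}
LABEL_RE = re.compile(r"(?<![A-Za-z])(" + "|".join(map(re.escape, LABELS)) + "):")

def parse_message(message):
    """Split 'Label: value Label: value ...' into (section, label, value) triples."""
    hits = list(LABEL_RE.finditer(message))
    out, section = [], None
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(message)
        label, value = m.group(1), message[m.end():end].strip()
        if label in SECTIONS:      # section headers carry no value of their own
            section = label
        else:
            out.append((section, label, value))
    return out

def lookup(fields, label, section=None):
    """First value for label, optionally restricted to a section (Subject vs target account)."""
    return next((v for s, l, v in fields if l == label and section in (None, s)), None)

def _hex(v):
    return v.lower() if v else None   # 0xC000006D and 0xc000006d must compare equal

KEYS = ("event_id", "host", "target_user", "target_domain", "logon_type",
        "status", "sub_status", "source_ip", "process_name")

def parse_legacy(line):
    m = HEADER.match(line)
    if not m:
        return None
    eid, f = int(m.group("event_id")), parse_message(m.group("message"))
    tgt = "New Logon" if eid == 4624 else "Account For Which Logon Failed"
    return dict(zip(KEYS, (
        eid, m.group("host"), lookup(f, "Account Name", tgt), lookup(f, "Account Domain", tgt),
        lookup(f, "Logon Type"), _hex(lookup(f, "Status")), _hex(lookup(f, "Sub Status")),
        lookup(f, "Source Network Address"),
        lookup(f, "Caller Process Name") or lookup(f, "Process Name"))))

def parse_eventchannel(raw):
    # Key names (win.system.eventID, win.eventdata.targetUserName, ...) are an
    # assumption about the eventchannel JSON shape, not taken from Wazuh source.
    ev = json.loads(raw)["win"]
    s, d = ev["system"], ev.get("eventdata", {})
    return dict(zip(KEYS, (
        int(s["eventID"]), s.get("computer"), d.get("targetUserName"), d.get("targetDomainName"),
        d.get("logonType"), _hex(d.get("status")), _hex(d.get("subStatus")),
        d.get("ipAddress"), d.get("processName"))))

def parse_raw(raw):
    """Dispatch on what full_log holds: JSON (eventchannel) or the legacy text line."""
    return parse_eventchannel(raw) if raw.lstrip().startswith("{") else parse_legacy(raw)

# NTSTATUS values 4625 puts in Status / Sub Status.
SUB_STATUS = {"0xc0000064": "unknown user name", "0xc000006a": "bad password",
              "0xc0000072": "account disabled", "0xc0000234": "account locked out",
              "0xc0000071": "password expired", "0xc0000193": "account expired"}

def failure_reason(rec):
    if rec is None or rec["event_id"] != 4625:
        return None
    return SUB_STATUS.get(rec["sub_status"] or "") or SUB_STATUS.get(rec["status"] or "", "other")

# Constructed samples (same fields as the 4625 line in the thread, not copied from a real host).
LEGACY_4625 = (
    "2017 Apr 18 17:30:52 WinEvtLog: Security: AUDIT_FAILURE(4625): "
    "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-1: An account failed "
    "to log on. Subject: Security ID: S-1-5-10 Account Name: WIN-1$ Account Domain: WORKGROUP "
    "Logon ID: 0x3E7 Logon Type: 10 Account For Which Logon Failed: Security ID: S-1-0-0 "
    "Account Name: Santiago Account Domain: test2 Failure Information: Failure Reason: "
    "Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 "
    "Process Information: Caller Process ID: 0xb50 Caller Process Name: "
    "C:\\Windows\\System32\\winlogon.exe Network Information: Workstation Name: WIN-1 "
    "Source Network Address: 17.217.25.247 Source Port: 0")
EVENTCHANNEL_4625 = json.dumps({"win": {
    "system": {"providerName": "Microsoft-Windows-Security-Auditing", "eventID": "4625",
               "channel": "Security", "computer": "WIN-1"},
    "eventdata": {"targetUserName": "Santiago", "targetDomainName": "test2", "logonType": "10",
                  "status": "0xc000006d", "subStatus": "0xc0000064",
                  "ipAddress": "17.217.25.247", "processName": "C:\\Windows\\System32\\winlogon.exe"}}})
```

Sub Status is the field worth keying on: 0xC0000064 (unknown user) and 0xC000006A (bad password) both arrive under the same Status 0xC000006D, and the two sources may differ in hex case, which is why the example lower-cases both before comparing. parse_raw(LEGACY_4625) and parse_raw(EVENTCHANNEL_4625) return the same record, so a detection written against these field names does not care which input format the agent was configured with.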
