[Decode Log IIS_MSEXCHANGE ISSUE]


Khoa Phạm Anh

Sep 23, 2018, 11:24:05 PM
to Wazuh mailing list

Hi, I have an issue with the MS_EXCHANGE IIS log.
These are all the fields:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

Here is my log:
2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 domainname\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557

My IIS log decoder now is:
<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ GET |^\S+ POST</prematch>
  <regex offset="after_parent">^\S+ (\w+) (\S+ \S+) (\S+) \S+ (\S+) (\S+) \.*(\d\d\d) </regex>
  <order>action, url, srcport, srcip, user_agent, id</order>
</decoder>


and the result for the log decoded above:

**Phase 2: Completed decoding.
       decoder: 'windows-date-format'
       action: 'POST'
       url: '/Microsoft-Server-ActiveSync/default.eas User=thangdn&DeviceId=I51HJHEMND20F9QFEPSU7LT5F8&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=ZSMLJBRL0YTICIUBVOUG&cafeReqId=83f425f6-653b-405b-b9a0-c0e51f47e21a;'
       srcport: '443'
       srcip: 'xxx.xxx.57.151'
       user_agent: 'Apple-iPhone10C5/1507.77'
       id: '200'
===> I need to parse out the IP field xxx.xxx.31.24 and the user domainname\tientx, but I failed many times.

2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 domainname\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557

Can you help me check it?
Thanks and Best Regards

migue...@wazuh.com

Sep 24, 2018, 8:38:51 AM
to Wazuh mailing list
Hi Khoa,

You need to use '()' to extract the field you desire and add a variable for them in the correct order.

In this case, your regex matches correctly, but you have to include this:

<decoder name="web-accesslog-iis-default">
  <parent>windows-date-format</parent>
  <type>web-log</type>
  <use_own_name>true</use_own_name>
  <prematch offset="after_parent">^\S+ GET |^\S+ POST</prematch>
  <regex offset="after_parent">^(\S+) (\w+) (\S+ \S+) (\S+) (\S+) (\S+) (\S+) \.*(\d\d\d) </regex>
  <order>dstip, action, url, srcport, dstuser, srcip, user_agent, id</order>
</decoder>

Hope it helps.

Best regards,
Miguel

Borja Arroba

Sep 24, 2018, 9:01:26 AM
to migue...@wazuh.com, Wazuh mailing list
Sorry, I answered this email before and forgot to add the mailing list.

For the question: "I want to decode 2 more fields in addition to the existing ones, not just 2 fields, Borja, can you help me please"


You only need to add the name to the <order> tag in the decoder and add '()' in the regex expression:

<regex offset="after_parent">^(\S+) \S+ \S+ \S+ (\S+) (\S+) \S+ \S+ \p (\d+) \d+ \d+ \d+</regex>
<order>srcip, srcport, user_agent, id</order>

Here is my previous answer:

To overwrite a decoder, I recommend that you follow the instructions given in our documentation.

For the example you describe, you need to define the prematch field to differentiate it from the 'web-accesslog-iis5' and 'web-accesslog-iis6' decoders, which start differently.

<prematch offset="after_parent">^\S+ \S+</prematch>

Fields that do not have '()' will not be shown in the alert.

<regex offset="after_parent">^(\S+) \S+ \S+ \S+ \S+ (\S+) \S+ \S+ \p \d+ \d+ \d+ \d+</regex>

You can see the regex syntax in:
And decoder options and syntax:

The decoder you need is:

<decoder name="web-accesslog-iis-default">
<parent>windows-date-format</parent>
<type>web-log</type>
<use_own_name>true</use_own_name>
<prematch offset="after_parent">^(\S+) (\S+)</prematch>
<regex offset="after_parent">^(\S+) \S+ \S+ \S+ \S+ (\S+) \S+ \S+ \p \d+ \d+ \d+ \d+</regex>
<order>srcip, user_agent</order>
</decoder>

With this decoder you will get the following output; if you need any more fields, add them to the <order> tag and select them in the regex string by adding ():

**Phase 1: Completed pre-decoding.
full event: '2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 domainname\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557'
timestamp: '(null)'
hostname: 'borja-ERAZER-X7853'
program_name: '(null)'
log: '2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; 443 domainname\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557'

**Phase 2: Completed decoding.
decoder: 'windows-date-format'
srcip: 'xxx.xxx.31.24'
user_agent: 'domainname\tientx'

**Phase 3: Completed filtering (rules).
Rule id: '31100'
Level: '0'
Description: 'Access log messages grouped.'

Best regards.
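An added example, not from the thread or from Wazuh itself, that emulates in Python how Miguel's decoder and Borja's shorter regex/order carve up the sample line once the windows-date-format parent has consumed the timestamp (the point of offset="after_parent"). The mapping of the decoder regex classes (\S, \w, \p, \., \d) onto Python character classes and the parent's prematch pattern are my approximations of the documented syntax, not Wazuh's engine.

```python
import re

# Constructed sample: the IIS/Exchange ActiveSync line quoted in the thread.
LOG = ("2018-09-16 00:00:09 xxx.xxx.31.24 POST /Microsoft-Server-ActiveSync/default.eas "
       "User=tientx&DeviceId=QKRK5NV3DP41HCERF06TESUB3S&DeviceType=iPhone&Cmd=Ping&"
       "CorrelationID=<empty>;&ClientId=G9QB9TOUIPLTQKJMZYG&cafeReqId=eda96f2b-85fd-4157-b518-0c41d1a6d39c; "
       "443 domainname\\tientx xxx.xxx.39.89 Apple-iPhone8C1/1501.402 - 200 0 0 580557")

# Assumed mapping of OSSEC/Wazuh regex classes onto Python character classes.
CLASSES = {r"\S": r"\S", r"\s": r"\s", r"\d": r"\d", r"\w": r"[A-Za-z0-9@_-]",
           r"\p": r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]""", r"\.": r"."}
# Assumed parent: windows-date-format consumes the timestamp; children run on the rest.
PARENT_PREMATCH = r"^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d "

# Miguel's decoder (prematch, regex, order copied from his reply).
MIGUEL = (r"^\S+ GET |^\S+ POST",
          r"^(\S+) (\w+) (\S+ \S+) (\S+) (\S+) (\S+) (\S+) \.*(\d\d\d) ",
          ["dstip", "action", "url", "srcport", "dstuser", "srcip", "user_agent", "id"])
# Borja's regex/order from his follow-up (note which token lands in user_agent).
BORJA = (r"^\S+ \S+",
         r"^(\S+) \S+ \S+ \S+ (\S+) (\S+) \S+ \S+ \p (\d+) \d+ \d+ \d+",
         ["srcip", "srcport", "user_agent", "id"])

def to_python_regex(pattern):
    """Translate decoder regex syntax into an equivalent Python re pattern."""
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2]
        if tok in CLASSES:
            out.append(CLASSES[tok]); i += 2
        elif pattern[i] in "()*+^$|":
            out.append(pattern[i]); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "".join(out)

def decode(log, decoder):
    """Emulate a child decoder with offset="after_parent": prematch, then regex + order."""
    prematch, regex, order = decoder
    parent = re.match(to_python_regex(PARENT_PREMATCH), log)
    if not parent:
        return None
    rest = log[parent.end():]                  # what after_parent leaves for the child
    if not re.search(to_python_regex(prematch), rest):
        return None
    m = re.search(to_python_regex(regex), rest)
    return dict(zip(order, m.groups())) if m else None

if __name__ == "__main__":
    for name, dec in (("miguel", MIGUEL), ("borja", BORJA)):
        for field, value in (decode(LOG, dec) or {}).items():
            print(f"{name}: {field}: {value!r}")
```

Running it shows why Borja's order labels domainname\tientx as user_agent: the third '()' group sits on the cs-username token, not on cs(User-Agent).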
