Ossec windows agent support for Windows event trace logs (.etl ) format #665
Comments
|
Requesting a bump in priority for this, if it hasn't been previously handled. I would like to monitor DNS requests (to a Windows Server 2012 DNS server) and process them through CDB Malware Domain matching and Windows Server 2012 DNS requests are only logged using the .etl format. Some Microsoft coding documentation regarding Event Trace Log format refers to the following functions (hope this helps!) OpenTrace Function ProcessTrace Function CloseTrace Function |
|
On Thu, Oct 6, 2016 at 10:42 AM, drewbeebe notifications@github.com wrote:
You can submit a pull request on github: https://github.com/ossec/ossec-hids
|
|
@drewbeebe check out packetbeat from elastic, it can monitor Dns |
|
Also looking to read ETL natively in ossec. Suspect it will get more popular as 2016 natively outputs DNS logs in this format, and 2012R2 does with a hotfix. |
|
This may become more prevalent shortly as monitoring DNS has become a necessity for large environments. Proven data ex-filtration by DNS etc might speed this up. |
|
I couldn't agree more. Although, a suggestion was made to use other tools (in this thread) and I believe those that have used those other tools have met with success.
…-Drew
On Sep 13, 2017, at 1:37 AM, Louis Bernardo ***@***.***> wrote:
This may become more prevalent shortly as monitoring DNS has become a necessity for large environments. Proven data ex-filtration by DNS etc might speed this up.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Unfortunately there isn't a lot of interest in working on the Windows agent at the moment. We'd love for some volunteers to jump in though! |
|
Can anyone point me in the direction of a primer so I can see what an undertaking it is?
…-Drew
On Sep 14, 2017, at 9:44 AM, Dan Parriott ***@***.***> wrote:
Unfortunately there isn't a lot of interest in working on the Windows agent at the moment. We'd love for some volunteers to jump in though!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
I'm not aware of any primers or anything, but you'd need to know a bit of C for the Windows platform. |
|
You can read the existing event log and event channel code. Might be of some help getting an idea of what the work is like: https://github.com/ossec/ossec-hids/blob/master/src/logcollector/read_win_event_channel.c |
|
I haven't downloaded it yet, but this looks promising: |
Refer to the thread opend in Ossec -list .
https://groups.google.com/forum/#!topic/ossec-list/o1SXX5Wk0A0
All issues has been discussed in this thread ..
The text was updated successfully, but these errors were encountered: