7696081852

■j' O U € VQUlt

creators of ossii

5 wmi-application-logger.cfg [configi

cypo-deteccor

e=/etc/ossim/agent/wmi_credentiałs.c

Win32_NTLogEvent Where Logfile = 'Application'" I head -n 3 | taił -n 1 | cut -f 2 -d \l

;; OSS_WMI_USER, OSS_WMI_PASS and 0SS_WMI_H0ST should be used if substitutions are reąuired.

OSS_COUNTER is a *must* and is the integec cetucned above

cmd = wmic -U OSS_WMI_USER%OSS_WMI_PASS //OSS_WMI_HOST "Select

Win32_NTLogEvent Where Logfile = 'Application' and RecordNumber > OSS_COUNTER" | cat start_regexp=^A([^A\l]+)\l<\d+)\I([^A\l)+)\I

regexp="^A(?P<system_name>[^A\11+)\I(?P<plugin_sid>\d+)\Ie?P<logfile>[^A\11+1\I(?P<message>[^A\11 +)\l(?P<recordnumber>[^A\I1+1\I(?P<sourcename>[^A\l)+)\l(?P<timewritten>[^A\I1+)\I(?P<userhame>.

userdata2={$21

userdata3=[$3)

ujujuj. VQult.com