user@govno:~$ sudo /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.14.5
Type one log per line
{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-05-18T11:37:44.9020824Z","eventRecordID":"1545","processID":"3036","threadID":"1828","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-WORK.amogus.local","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2026-05-18 11:37:44.896\r\nProcessGuid: {bf911f5c-fa08-6a0a-5001-000000000700}\r\nProcessId: 4192\r\nImage: C:\\Windows\\System32\\notepad.exe\r\nFileVersion: 10.0.19041.117 (WinBuild.160101.0800)\r\nDescription: Notepad\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: NOTEPAD.EXE\r\nCommandLine: \"C:\\Windows\\system32\\notepad.exe\"\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: AMOGUS\\Administrator\r\nLogonGuid: {bf911f5c-f4ae-6a0a-657b-120000000000}\r\nLogonId: 0x127B65\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=F65B883128779592CCA7D01CC87937BF,SHA256=2F3DAF08B248B0A8AA0C47BA81864BE7D379A0229599CDEC3B93281B57FCD280,IMPHASH=4089A6EA56504C3C66D7744AC0A8131A\r\nParentProcessGuid: {bf911f5c-f4ae-6a0a-0401-000000000700}\r\nParentProcessId: 2256\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \r\nParentUser: AMOGUS\\Administrator\""},"eventdata":{"utcTime":"2026-05-18 11:37:44.896","processGuid":"{bf911f5c-fa08-6a0a-5001-000000000700}","processId":"4192","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","fileVersion":"10.0.19041.117 (WinBuild.160101.0800)","description":"Notepad","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"NOTEPAD.EXE","commandLine":"\\\"C:\\\\Windows\\\\system32\\\\notepad.exe\\\"","currentDirectory":"C:\\\\Windows\\\\system32\\\\","user":"AMOGUS\\\\Administrator","logonGuid":"{bf911f5c-f4ae-6a0a-657b-120000000000}","logonId":"0x127b65","terminalSessionId":"1","integrityLevel":"High","hashes":"MD5=F65B883128779592CCA7D01CC87937BF,SHA256=2F3DAF08B248B0A8AA0C47BA81864BE7D379A0229599CDEC3B93281B57FCD280,IMPHASH=4089A6EA56504C3C66D7744AC0A8131A","parentProcessGuid":"{bf911f5c-f4ae-6a0a-0401-000000000700}","parentProcessId":"2256","parentImage":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","parentCommandLine":"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"","parentUser":"AMOGUS\\\\Administrator"}}}
**Phase 1: Completed pre-decoding.
full event: '{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-05-18T11:37:44.9020824Z","eventRecordID":"1545","processID":"3036","threadID":"1828","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-WORK.amogus.local","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2026-05-18 11:37:44.896\r\nProcessGuid: {bf911f5c-fa08-6a0a-5001-000000000700}\r\nProcessId: 4192\r\nImage: C:\\Windows\\System32\\notepad.exe\r\nFileVersion: 10.0.19041.117 (WinBuild.160101.0800)\r\nDescription: Notepad\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: NOTEPAD.EXE\r\nCommandLine: \"C:\\Windows\\system32\\notepad.exe\"\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: AMOGUS\\Administrator\r\nLogonGuid: {bf911f5c-f4ae-6a0a-657b-120000000000}\r\nLogonId: 0x127B65\r\nTerminalSessionId: 1\r\nIntegrityLevel: High\r\nHashes: MD5=F65B883128779592CCA7D01CC87937BF,SHA256=2F3DAF08B248B0A8AA0C47BA81864BE7D379A0229599CDEC3B93281B57FCD280,IMPHASH=4089A6EA56504C3C66D7744AC0A8131A\r\nParentProcessGuid: {bf911f5c-f4ae-6a0a-0401-000000000700}\r\nParentProcessId: 2256\r\nParentImage: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nParentCommandLine: \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \r\nParentUser: AMOGUS\\Administrator\""},"eventdata":{"utcTime":"2026-05-18 11:37:44.896","processGuid":"{bf911f5c-fa08-6a0a-5001-000000000700}","processId":"4192","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","fileVersion":"10.0.19041.117 (WinBuild.160101.0800)","description":"Notepad","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"NOTEPAD.EXE","commandLine":"\\\"C:\\\\Windows\\\\system32\\\\notepad.exe\\\"","currentDirectory":"C:\\\\Windows\\\\system32\\\\","user":"AMOGUS\\\\Administrator","logonGuid":"{bf911f5c-f4ae-6a0a-657b-120000000000}","logonId":"0x127b65","terminalSessionId":"1","integrityLevel":"High","hashes":"MD5=F65B883128779592CCA7D01CC87937BF,SHA256=2F3DAF08B248B0A8AA0C47BA81864BE7D379A0229599CDEC3B93281B57FCD280,IMPHASH=4089A6EA56504C3C66D7744AC0A8131A","parentProcessGuid":"{bf911f5c-f4ae-6a0a-0401-000000000700}","parentProcessId":"2256","parentImage":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","parentCommandLine":"\\\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\"","parentUser":"AMOGUS\\\\Administrator"}}}'
**Phase 2: Completed decoding.
name: 'json'
win.eventdata.commandLine: '\"C:\\Windows\\system32\\notepad.exe\"'
win.eventdata.company: 'Microsoft Corporation'
win.eventdata.currentDirectory: 'C:\\Windows\\system32\\'
win.eventdata.description: 'Notepad'
win.eventdata.fileVersion: '10.0.19041.117 (WinBuild.160101.0800)'
win.eventdata.hashes: 'MD5=F65B883128779592CCA7D01CC87937BF,SHA256=2F3DAF08B248B0A8AA0C47BA81864BE7D379A0229599CDEC3B93281B57FCD280,IMPHASH=4089A6EA56504C3C66D7744AC0A8131A'
win.eventdata.image: 'C:\\Windows\\System32\\notepad.exe'
win.eventdata.integrityLevel: 'High'
win.eventdata.logonGuid: '{bf911f5c-f4ae-6a0a-657b-120000000000}'
win.eventdata.logonId: '0x127b65'
win.eventdata.originalFileName: 'NOTEPAD.EXE'
win.eventdata.parentCommandLine: '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"'
win.eventdata.parentImage: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
win.eventdata.parentProcessGuid: '{bf911f5c-f4ae-6a0a-0401-000000000700}'
win.eventdata.parentProcessId: '2256'
win.eventdata.parentUser: 'AMOGUS\\Administrator'
win.eventdata.processGuid: '{bf911f5c-fa08-6a0a-5001-000000000700}'
win.eventdata.processId: '4192'
win.eventdata.product: 'Microsoft® Windows® Operating System'
win.eventdata.terminalSessionId: '1'
win.eventdata.user: 'AMOGUS\\Administrator'
win.eventdata.utcTime: '2026-05-18 11:37:44.896'
win.system.channel: 'Microsoft-Windows-Sysmon/Operational'
win.system.computer: 'DESKTOP-WORK.amogus.local'
win.system.eventID: '1'
win.system.eventRecordID: '1545'
win.system.keywords: '0x8000000000000000'
win.system.level: '4'
win.system.message: '"Process Create:
RuleName: -
UtcTime: 2026-05-18 11:37:44.896
ProcessGuid: {bf911f5c-fa08-6a0a-5001-000000000700}
ProcessId: 4192
Image: C:\Windows\System32\notepad.exe
FileVersion: 10.0.19041.117 (WinBuild.160101.0800)
Description: Notepad
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: NOTEPAD.EXE
CommandLine: "C:\Windows\system32\notepad.exe"
CurrentDirectory: C:\Windows\system32\
User: AMOGUS\Administrator
LogonGuid: {bf911f5c-f4ae-6a0a-657b-120000000000}
LogonId: 0x127B65
TerminalSessionId: 1
IntegrityLevel: High
Hashes: MD5=F65B883128779592CCA7D01CC87937BF,SHA256=2F3DAF08B248B0A8AA0C47BA81864BE7D379A0229599CDEC3B93281B57FCD280,IMPHASH=4089A6EA56504C3C66D7744AC0A8131A
ParentProcessGuid: {bf911f5c-f4ae-6a0a-0401-000000000700}
ParentProcessId: 2256
ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ParentUser: AMOGUS\Administrator"'
win.system.opcode: '0'
win.system.processID: '3036'
win.system.providerGuid: '{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
win.system.providerName: 'Microsoft-Windows-Sysmon'
win.system.severityValue: 'INFORMATION'
win.system.systemTime: '2026-05-18T11:37:44.9020824Z'
win.system.task: '1'
win.system.threadID: '1828'
win.system.version: '5'