EventID 4624 not coming correctly through


#1 Elvar.Böðvarsson

Two related threads I found on this

  • https://nxlog.co/question/2029/logon-vs-logoff-events-seim
  • https://nxlog.co/question/1711/configuration-send-windows-security-logs-only

Posted a question on the Windows forums as well

  • https://social.technet.microsoft.com/Forums/windowsserver/en-US/f70aa0fd-9f59-470a-bafe-47c82f4a7151/broken-xml-for-eventid-4624?forum=winserver8gen

There are domain controllers that a logging server connects to using Windows Eventlog Forwarding (poll).

In the eventlog EventID 4624 comes in, but in the message field it's all % placeholders, while the XML data is correct. Before some patching the XML data was broken.

The Data fields looked like this

  <Data Name="AuthenticationPackageName">Kerberos</Data>
  <Data Name="WorkstationName">
    <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data>
  </Data>
  <Data Name="TransmittedServices">-</Data>
  <Data Name="LmPackageName">-</Data>

But now they are more correct and look like this

  <Data Name="AuthenticationPackageName">Kerberos</Data>
  <Data Name="WorkstationName" />
  <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data>
  <Data Name="TransmittedServices">-</Data>
  <Data Name="LmPackageName">-</Data>

The issue only occurs when nothing is in the WorkstationName field.

NXlog reads this and converts it to JSON, and that's where NXlog is obviously having problems.

The JSON looks like this

"AuthenticationPackageName":"Kerberos","WorkstationName' /> <Data Name='LogonGuid":"{B3A6.....

So at the workstation name it fails to parse the XML, possibly because the XML field is closed with /> instead of a full </Data>

Another issue is that the Message field does not come through NXlog at all.

Would love to get some help debugging this.
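The failure described in this post can be reproduced offline. The example below is added here and is not NXlog's code nor the poster's; it uses two constructed EventData fragments modelled on the pre-patch and post-patch samples above, a hypothetical text-matching extractor that stands in for a converter which assumes every field is written as <Data Name="X">value</Data>, and a proper XML-parser-based converter alongside it. Run on the self-closing sample, the text matcher produces the "WorkstationName" /> <Data Name="LogonGuid" key shape quoted in the post and loses LogonGuid entirely; the XML-parser version yields an empty string for WorkstationName and keeps LogonGuid. A small check function also flags the pre-patch layout where an empty field swallowed its sibling, since a flat key/value pipeline would silently drop that child.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the post-patch EventData fragment in the
# post: the empty WorkstationName field is a self-closing element.
EVENTDATA_SELFCLOSING = """<EventData>
  <Data Name="AuthenticationPackageName">Kerberos</Data>
  <Data Name="WorkstationName" />
  <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data>
  <Data Name="TransmittedServices">-</Data>
  <Data Name="LmPackageName">-</Data>
</EventData>"""

# Constructed sample, modelled on the pre-patch fragment: the empty field
# was emitted as an open tag and swallowed its sibling as a child element.
EVENTDATA_NESTED = """<EventData>
  <Data Name="AuthenticationPackageName">Kerberos</Data>
  <Data Name="WorkstationName">
    <Data Name="LogonGuid">{B3A61084-7036-1568-AFB2-3290B7F943F9}</Data>
  </Data>
  <Data Name="TransmittedServices">-</Data>
  <Data Name="LmPackageName">-</Data>
</EventData>"""

# Hypothetical text-matching extractor that assumes every Data element is
# written as <Data Name="...">value</Data>. It stands in for whatever the
# failing converter does; it is not NXlog's code.
_NAIVE_DATA = re.compile(r'<Data Name="(.*?)">(.*?)</Data>', re.DOTALL)


def naive_eventdata_to_dict(xml_text: str) -> dict:
    """Extract Data fields by pattern matching on the raw text.

    On a self-closing <Data Name="X" /> the lazy '.*?' cannot stop at the
    attribute's closing quote (there is no '">' there), so it runs on into
    the next element: the key becomes 'X" /> <Data Name="Y' and carries
    Y's value, which is the shape of the garbled JSON quoted in the post.
    """
    return {name: value for name, value in _NAIVE_DATA.findall(xml_text)}


def eventdata_to_dict(xml_text: str) -> dict:
    """Extract Data fields with a real XML parser.

    Self-closing elements yield an empty string; nested Data elements (the
    pre-patch breakage) are still found because iter() walks the whole tree.
    """
    root = ET.fromstring(xml_text)
    fields = {}
    for elem in root.iter("Data"):
        name = elem.get("Name")
        if name is None:
            continue  # positional Data elements carry no Name attribute
        fields[name] = (elem.text or "").strip()
    return fields


def nested_data_fields(xml_text: str) -> list:
    """Names of Data elements that wrongly contain child Data elements.

    A non-empty result flags the pre-patch malformed layout; worth alerting
    on, because a flat key/value pipeline silently drops the nested child.
    """
    root = ET.fromstring(xml_text)
    return [
        elem.get("Name", "")
        for elem in root.iter("Data")
        if elem.find("Data") is not None
    ]


def eventdata_to_json(xml_text: str) -> str:
    """JSON rendering of the correctly parsed fields, keys in document order."""
    return json.dumps(eventdata_to_dict(xml_text))


if __name__ == "__main__":
    print("naive :", json.dumps(naive_eventdata_to_dict(EVENTDATA_SELFCLOSING)))
    print("parsed:", eventdata_to_json(EVENTDATA_SELFCLOSING))
    print("nested:", nested_data_fields(EVENTDATA_NESTED))
```

The point of the comparison is that an empty field is a normal, expected value in 4624 (WorkstationName is blank for many network and service logons), so a converter has to treat <Data Name="X" /> as "X is empty", not as a malformed element. The nested_data_fields check is the kind of sanity test worth running on a sample of forwarded events after patching, to confirm the pre-patch layout is no longer arriving.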

#2 b0ti Nxlog ✓

Judging by the sample JSON provided above, this is probably a bug, i.e. the XML parser gets confused by <tag/>