Change AccountName field

Tags: win2003

#1 pk21

Dear NXlog community,

I am using nxlog on a Windows 2003 environment and I am having some problems with Windows failed authentication events. All entries with EventID 675 contain the AccountName "SYSTEM" instead of the username that the failed authentication is for. I couldn't get it to work with pattern matching in nxlog, but as I have never used this before I am probably doing something wrong. I would really like to get some statistics of this and get the user name in the AccountName field.

For example kibana is reporting:

AccountName        SYSTEM
AccountType        User
Category        Account Logon
CategoryNumber        9
Domain            NT AUTHORITY
EventID            675
EventType        AUDIT_FAILURE
FileName        Security
Hostname        SomeHostName
Severity        ERROR
SeverityValue        4
SourceModuleName    eventlog
SourceModuleType    im_mseventlog
SourceName        Security
host            SomeHostName.SomeDomain
message            Pre-authentication failed:
             User Name: [username]
             User ID: %{some user id}
             Service Name: krbtgt/office Pre-Authentication
             Type: 0x0 Failure Code: 0x19
             Client Address: [ip address]

Any help is appreciated!

#2 adm Nxlog ✓ (Last updated )

Windows 2003 uses the older eventlog API and only the standard eventlog fields are available; on Windows Vista and later you get more fields from the security logs (i.e. TargetUserName, SubjectUserName). The value of TargetUserName is only available in the Message field on w2k3, so you will need to extract it with a regexp.

You can add the following to your nxlog.conf to extract it:

Exec if ($EventID == 675) and ($Message =~ /User Name: (\S+)/) { $TargetUserName = $1; }

The other option is to use pm_pattern. This is recommended if you need to use a lot of extraction and classification rules.
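As an added example (not part of this reply and not nxlog code), the Python script below applies the same `User Name: (\S+)` regexp to constructed event 675 messages in the layout shown in the question, parses the remaining labelled fields, and builds the per-user failure statistics the question asks for. The sample messages are made up; the failure-code names are the Kerberos error codes from RFC 4120, not values from the post.

```python
import re
from collections import Counter

# Labels of the name/value pairs in the event 675 Message text (as shown in the post).
FIELD_LABELS = (
    "User Name", "User ID", "Service Name",
    "Pre-Authentication Type", "Failure Code", "Client Address",
)

# Kerberos error codes (RFC 4120) that commonly appear as Failure Code; reference
# values added here, not taken from the post. Group statistics by code: 0x19 is a
# "retry with pre-authentication" response, not a wrong password like 0x18.
KRB_FAILURE_CODES = {
    "0x18": "KDC_ERR_PREAUTH_FAILED",
    "0x19": "KDC_ERR_PREAUTH_REQUIRED",
}

def extract_target_user(message):
    """Mirror nxlog's `$Message =~ /User Name: (\\S+)/`: return the user or None."""
    m = re.search(r"User Name: (\S+)", message)
    return m.group(1) if m else None

def parse_event_675(message):
    """Parse every labelled field; tolerant of the whitespace/newline wrapping
    between labels that the old eventlog API produces."""
    fields = {}
    for label in FIELD_LABELS:
        m = re.search(re.escape(label) + r":\s*(\S+)", message)
        fields[label] = m.group(1) if m else None
    return fields

def failure_stats(messages):
    """Count failures per (user, failure code) once the real user name is known."""
    stats = Counter()
    for msg in messages:
        f = parse_event_675(msg)
        if f["User Name"] is None:
            continue  # not a 675-style message; nxlog would leave the field unset too
        stats[(f["User Name"], f["Failure Code"])] += 1
    return stats

# Constructed sample messages (all values made up) in the layout from the post.
SAMPLE_MESSAGES = [
    "Pre-authentication failed:\n             User Name: jdoe\n"
    "             User ID: %{S-1-5-21-1-2-3-1001}\n             Service Name: krbtgt/office\n"
    "             Pre-Authentication Type: 0x0\n             Failure Code: 0x19\n"
    "             Client Address: 10.0.0.5",
    "Pre-authentication failed:\n User Name: jdoe\n User ID: %{S-1-5-21-1-2-3-1001}\n"
    " Service Name: krbtgt/office\n Pre-Authentication Type: 0x2\n Failure Code: 0x18\n"
    " Client Address: 10.0.0.5",
    "Pre-authentication failed:\n User Name: asmith\n User ID: %{S-1-5-21-1-2-3-1002}\n"
    " Service Name: krbtgt/office\n Pre-Authentication Type: 0x2\n Failure Code: 0x18\n"
    " Client Address: 10.0.0.9",
]

if __name__ == "__main__":
    for (user, code), n in sorted(failure_stats(SAMPLE_MESSAGES).items()):
        print(f"{user:10} {code} {KRB_FAILURE_CODES.get(code, 'unknown'):25} {n}")
```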