Parsing Windows Event LOG XML and sending to Graylog
Tags:
#1
giveen
I am trying to send parse each of these XML fields into a field for graylog to handle, any ideas would help.
I've added
Module xm_xml
and
`Exec parse_windows_eventlog_xml(); to_xml();`
but I'm not sure what else to do, I'm trying to work with this in the 'message' field
The Federation Service validated a new credential. See XML for details.
Activity ID: 494a36f8-9b89-4477-8676-0080000000e1
Additional Data
XML:
FreshCredentials
Success
None
N/A
https://xxxxxx.xxxxxxx.edu/adfs/services/trust
AD AUTHORITY
UNIVERSITY\xxxxxxxxxxxxxx
N/A
false
N/A
false
N/A
false
false
NotSet
N/A
N/A
https://xxxxx.xxxxxx.edu/adfs/services/trust
WSFederation
Intranet
x.x.94.22
x.x.128.226
N/A
N/A
N/A
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
/adfs/ls/
#1
giveen
I am trying to send parse each of these XML fields into a field for graylog to handle, any ideas would help.
I've added
<Extension xml>
Module xm_xml
</Extension>
and
Exec parse_windows_eventlog_xml(); to_xml();
but I'm not sure what else to do, I'm trying to work with this in the 'message' field
The Federation Service validated a new credential. See XML for details.
Activity ID: 494a36f8-9b89-4477-8676-0080000000e1
Additional Data
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
<AuditType>FreshCredentials</AuditType>
<AuditResult>Success</AuditResult>
<FailureType>None</FailureType>
<ErrorCode>N/A</ErrorCode>
<ContextComponents>
<Component xsi:type="ResourceAuditComponent">
<RelyingParty>https://xxxxxx.xxxxxxx.edu/adfs/services/trust</RelyingParty>
<ClaimsProvider>AD AUTHORITY</ClaimsProvider>
<UserId>UNIVERSITY\xxxxxxxxxxxxxx</UserId>
</Component>
<Component xsi:type="AuthNAuditComponent">
<PrimaryAuth>N/A</PrimaryAuth>
<DeviceAuth>false</DeviceAuth>
<DeviceId>N/A</DeviceId>
<MfaPerformed>false</MfaPerformed>
<MfaMethod>N/A</MfaMethod>
<TokenBindingProvidedId>false</TokenBindingProvidedId>
<TokenBindingReferredId>false</TokenBindingReferredId>
<SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
</Component>
<Component xsi:type="ProtocolAuditComponent">
<OAuthClientId>N/A</OAuthClientId>
<OAuthGrant>N/A</OAuthGrant>
</Component>
<Component xsi:type="RequestAuditComponent">
<Server>https://xxxxx.xxxxxx.edu/adfs/services/trust</Server>
<AuthProtocol>WSFederation</AuthProtocol>
<NetworkLocation>Intranet</NetworkLocation>
<IpAddress>x.x.94.22</IpAddress>
<ForwardedIpAddress>x.x.128.226</ForwardedIpAddress>
<ProxyIpAddress>N/A</ProxyIpAddress>
<NetworkIpAddress>N/A</NetworkIpAddress>
<ProxyServer>N/A</ProxyServer>
<UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0</UserAgentString>
<Endpoint>/adfs/ls/</Endpoint>
</Component>
</ContextComponents>
</AuditBase>
Can you paste relevant parts of your config?
