Windows Events missing EventData
Hello,
I'm using NXlog CE 2.10.2150 on a Win2016 server to collect "Forwarded Events" and send to a syslog server as snare formatted. However, some events only contain their System segment, missing their entire EventData.
Here's my configuration (EventData Missing):
<Input eventlog>
    Module  im_msvistalog
    Query   <QueryList>
                <Query Id="">
                    <Select Path="ForwardedEvents">*</Select>
                </Query>
            </QueryList>
</Input>

<Output out>
    Module  om_tcp
    Host    ip_syslogs_server
    Port    514
    Exec    to_syslog_snare();
</Output>

<Route 1>
    Path    eventlog => out
</Route>

Resulting in (tcpdump):
<14>Nov 11 10:50:37 server2.domain MSWinEventLog 1 Security 2189 Wed Nov 11 10:50:37 2020 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit server2.domain Kerberos Authentication Service N/A 998061427
Here's my configuration (EventData Included):
<Input eventlog>
    Module  im_msvistalog
    Query   <QueryList>
                <Query Id="">
                    <Select Path="ForwardedEvents">*</Select>
                </Query>
            </QueryList>
    Exec    $Message =~ s/(\t|\R)/ /g;
    Exec    $Message = to_json();
</Input>

<Output out>
    Module  om_tcp
    Host    ip_syslogs_server
    Port    514
    Exec    to_syslog_snare();
</Output>

<Route 1>
    Path    eventlog => out
</Route>

Resulting in (tcpdump):
<14>Nov 11 10:49:36 server1 MSWinEventLog 1 Security 1593 Wed Nov 11 10:49:36 2020 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit server1 Kerberos Authentication Service {"EventTime":"2020-11-11 10:49:36","Hostname":"server1","Keywords":-9214364837600034816,"EventType":"AUDIT_SUCCESS","SeverityValue":2,"Severity":"INFO","EventID":4768,"SourceName":"Microsoft-Windows-Security-Auditing","ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328CXXX}","Version":0,"Task":14339,"OpcodeValue":0,"RecordNumber":953757340,"ProcessID":708,"ThreadID":11484,"Channel":"Security","ERROR_EVT_UNRESOLVED":true,"Category":"Kerberos Authentication Service","Opcode":"Info","TargetUserName":"User1","TargetDomainName":"domain","TargetSid":"S-1-5-21-3493186346-123456789-198542525-123456","ServiceName":"krbtgt","ServiceSid":"S-1-5-21-123456789-2449186506-123456525-502","TicketOptions":"0x40000000","Status":"0x0","TicketEncryptionType":"0x12","PreAuthType":"2","IpAddress":"10.xxx.xxx.xxx","IpPort":"33925","EventReceivedTime":"2020-11-11 10:49:38","SourceModuleName":"eventlog","SourceModuleType":"im_msvistalog"} 953757340
As you can see, NXLog fills the EventData with "N/A" in my first example and with the JSON-encoded full EventData in my second example. The problem I have is that my parser on the syslog server does not expect JSON-encoded data.
Any Hints? Thx Johannes
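As an added illustration (not part of Johannes's post and not NXLog's own code), here is a receiver-side parser that accepts both shapes of line shown in the two captures: the snare line whose message field is "N/A" because only the System section was available, and the one whose message field carries the to_json() document. It splits the EventData keys away from the System/NXLog keys so the rest of the pipeline never sees JSON. Assumptions: the snare fields are tab-separated on the wire and tcpdump rendered the tabs as spaces; the two sample lines are constructed from the captures with the JSON cut down to a few keys and the client address replaced by a documentation-range placeholder; the list of System-section keys is taken from the JSON in the second capture.

```python
import json
import re

# Constructed sample lines modelled on the two tcpdump captures in the post.
# Assumptions: snare fields are tab-separated on the wire (tcpdump showed
# spaces), the JSON is trimmed to a few keys, and the IP is a placeholder.
SAMPLE_UNRESOLVED = (
    "<14>Nov 11 10:50:37 server2.domain MSWinEventLog\t1\tSecurity\t2189\t"
    "Wed Nov 11 10:50:37 2020\t4768\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tserver2.domain\tKerberos Authentication Service\t"
    "N/A\t998061427"
)
SAMPLE_JSON = (
    "<14>Nov 11 10:49:36 server1 MSWinEventLog\t1\tSecurity\t1593\t"
    "Wed Nov 11 10:49:36 2020\t4768\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\tserver1\tKerberos Authentication Service\t"
    '{"EventTime":"2020-11-11 10:49:36","Hostname":"server1","EventID":4768,'
    '"Channel":"Security","ERROR_EVT_UNRESOLVED":true,'
    '"TargetUserName":"User1","TargetDomainName":"domain",'
    '"ServiceName":"krbtgt","TicketEncryptionType":"0x12","PreAuthType":"2",'
    '"IpAddress":"192.0.2.10","IpPort":"33925"}\t953757340'
)

# Syslog header written by to_syslog_snare(): <PRI>TIMESTAMP HOST MSWinEventLog<TAB>...
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) MSWinEventLog\t(?P<rest>.*)$",
    re.S,
)

# The 13 tab-separated snare fields after "MSWinEventLog", in capture order.
SNARE_FIELDS = (
    "criticality", "channel", "counter", "event_time", "event_id",
    "source_name", "account_name", "account_type", "event_type",
    "hostname", "category", "message", "record_number",
)

# Keys in NXLog's JSON that come from the System section or from NXLog itself
# (every one of them appears in the second capture); anything else is EventData.
SYSTEM_KEYS = frozenset({
    "EventTime", "Hostname", "Keywords", "EventType", "SeverityValue",
    "Severity", "EventID", "SourceName", "ProviderGuid", "Version", "Task",
    "OpcodeValue", "RecordNumber", "ProcessID", "ThreadID", "Channel",
    "ERROR_EVT_UNRESOLVED", "Category", "Opcode", "EventReceivedTime",
    "SourceModuleName", "SourceModuleType", "Message",
})


def parse_snare(line):
    """Parse one NXLog snare line; EventData keys land in rec['event_data']."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an NXLog snare line")
    parts = m.group("rest").split("\t")
    if len(parts) != len(SNARE_FIELDS):
        raise ValueError(f"expected {len(SNARE_FIELDS)} snare fields, got {len(parts)}")

    rec = dict(zip(SNARE_FIELDS, parts))
    rec["pri"] = int(m.group("pri"))
    rec["syslog_time"] = m.group("ts")
    rec["syslog_host"] = m.group("host")
    rec["event_id"] = int(rec["event_id"])
    rec["record_number"] = int(rec["record_number"])
    rec["event_data"] = {}
    rec["unresolved"] = False

    msg = rec["message"]
    if msg == "N/A":
        # First capture: no message text and no EventData reached us.
        rec["message"] = None
        rec["unresolved"] = True
    elif msg.startswith("{"):
        try:
            doc = json.loads(msg)
        except json.JSONDecodeError:
            return rec  # keep the raw string rather than dropping the event
        # ERROR_EVT_UNRESOLVED means NXLog could not render the message text;
        # the EventData fields are still present next to it.
        rec["unresolved"] = bool(doc.get("ERROR_EVT_UNRESOLVED", False))
        rec["message"] = doc.get("Message")
        rec["event_data"] = {k: v for k, v in doc.items() if k not in SYSTEM_KEYS}
    return rec


def describe_4768(rec):
    """One-line summary of a Kerberos TGT request (event 4768), or None."""
    if rec["event_id"] != 4768 or not rec["event_data"]:
        return None
    d = rec["event_data"]
    return (f"TGT request for {d.get('TargetUserName')}@{d.get('TargetDomainName')} "
            f"from {d.get('IpAddress')}:{d.get('IpPort')} "
            f"enc={d.get('TicketEncryptionType')} preauth={d.get('PreAuthType')}")


if __name__ == "__main__":
    for sample in (SAMPLE_UNRESOLVED, SAMPLE_JSON):
        r = parse_snare(sample)
        print(r["syslog_host"], r["event_id"], r["unresolved"], describe_4768(r))
```

The first sample parses cleanly but yields an empty event_data, which is the real signal in the original problem: a 4768 without TargetUserName or IpAddress is not usable for detection, so the collector-side fix (making NXLog carry the EventData, as in the second configuration) matters more than anything the receiver can do.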
Hello Johannes,
You might try changing your Output
module from
Exec to_syslog_snare();
to
Exec $Message = to_json(); to_syslog_snare();
Let me know if it helps.
Best regards,
Rafal