Information missing from certain Windows events

rom

We are an MSSP that uses NXLog CE (3.2.2329) installed on a Windows Server acting as a Windows Event Collector (WEC) to forward events from the forwarded events channel to a syslog collector that sends everything to our SIEM.

TL;DR

Certain Windows events sent to our SIEM via NXLog are missing the <EventData> information, whereas Event Viewer shows a complete event on the log source host where NXLog is installed.

Longer version

The current setup is:

  • Domain Controllers forward their security events using Windows Event Forwarding to our WEC using a source-initiated event subscription where the content format is set to ‘Events’ instead of the default ‘RenderedText’ (this change helped solve similar issues where data was missing from events sent via NXLog).
    • We've verified that these security events are present in the forwarded events channel on the WEC with a complete XML of the events.
  • NXLog CE (3.2.2329) is installed on this WEC using the following nxlog.conf file:
Panic Soft
#NoFreeOnExit TRUE

define ROOT C:\Program Files\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data

include %CONFDIR%\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        Exec    if (file_exists('%LOGFILE%') and \
                   (file_size('%LOGFILE%') >= 5M)) \
                    file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Read every event from the ForwardedEvents channel on the WEC
<Input Security>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="ForwardedEvents">
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Forward to the syslog collector in Snare format over TCP
<Output DL>
    Module om_tcp
    Host 123.123.123.123
    Port 514
    Exec to_syslog_snare();
</Output>

<Route eventlog_to_DL>
    Path Security => DL
</Route>

  • NXLog sends logs to a syslog collector in the same network
  • This syslog collector has SIEM agent software forwarding events to our SIEM
    • In our SIEM we can see all events coming in from the syslog collector, including NXLog Windows events, however some appear to be missing data found in the <EventData> field in the XML of the actual event.

The event IDs we're having issues with are Windows event IDs 4662, 4768 and 4776.

Other event IDs are coming in ‘complete’ as expected, such as this event ID 4672:

<14>Dec  8 11:32:42 dc2.example.com MSWinEventLog 1 Security 5986982 Fri Dec 08 11:32:42 2023 4672 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Special Logon  Special privileges assigned to new logon.    Subject:   Security ID:  S-1-5-21-2155563959-1375260949-369746351-17469   Account Name:  server123$   Account Domain:  EXAMPLE   Logon ID:  0x4D8729AC    Privileges:  SeSecurityPrivilege     SeDebugPrivilege 773449975

Or event id 5140:

<14>Dec  8 11:32:37 dc2.example.com MSWinEventLog 1 Security 5986753 Fri Dec 08 11:32:37 2023 5140 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com File Share  A network share object was accessed.     Subject:   Security ID:  S-1-5-21-2155563959-1375260949-369746351-18565   Account Name:  netwrixsvc   Account Domain:  EXAMPLE   Logon ID:  0x4D86D440    Network Information:    Object Type:  File   Source Address:  172.30.10.10   Source Port:  51173     Share Information:   Share Name:  \*\ADMIN$   Share Path:  ??\C:\Windows    Access Request Information:   Access Mask:  0x1   Accesses:  ReadData (or ListDirectory)         773449390


Whereas we receive the following information for the troubled event IDs:

4776

<11>Dec  8 11:32:29 dc2.example.com MSWinEventLog 3 Security 5986385 Fri Dec 08 11:32:29 2023 4776 Microsoft-Windows-Security-Auditing N/A N/A Failure Audit dc2.example.com Credential Validation  N/A 773449044

4662

<14>Dec  8 11:32:42 dc2.example.com MSWinEventLog 1 Security 5986976 Fri Dec 08 11:32:42 2023 4662 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Directory Service Access  N/A 773449958

4768

<14>Dec  8 11:32:41 dc2.example.com MSWinEventLog 1 Security 5986915 Fri Dec 08 11:32:41 2023 4768 Microsoft-Windows-Security-Auditing N/A N/A Success Audit dc2.example.com Kerberos Authentication Service  N/A 773449814


Due to the vast amount of events received by the WEC, extracting a subset of events for troubleshooting proved more challenging than expected. Nevertheless, the customer responsible for the WEC was able to provide me with an .evtx file containing some of the event ID 4768 logs.

These appear perfectly fine as shown in the screenshot and XML output below:


<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2023-12-07T10:32:31.691008600Z" />
<EventRecordID>4520638617</EventRecordID>
<Correlation />
<Execution ProcessID="700" ThreadID="1424" />
<Channel>Security</Channel>
<Computer>dc1.example.com</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">netwrixsvc</Data>
<Data Name="TargetDomainName">example</Data>
<Data Name="TargetSid">S-1-5-21-2155563959-1375260949-369746351-18565</Data>
<Data Name="ServiceName">krbtgt</Data>
<Data Name="ServiceSid">S-1-5-21-2155563959-1375260949-369746351-502</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x0</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:172.30.10.10</Data>
<Data Name="IpPort">49712</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>


What could possibly be the cause for these issues? Where can I check next?
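As an added triage check (example code, not part of the original post or of NXLog): a small Python script that parses Snare-format lines like the ones quoted above on the syslog collector and reports, per event ID, how many lines arrived with an empty or "N/A" message field, so the affected IDs can be listed without guessing. The sample lines are constructed from the post's examples; it is assumed that to_syslog_snare() separates fields with tabs and appends one trailing counter field after the message.

```python
# Constructed sample modelled on the Snare lines quoted in the post (not real captures).
# Assumption: tab-separated fields, rendered message followed by one trailing counter.
SAMPLE_LINES = [
    "<14>Dec  8 11:32:42 dc2.example.com MSWinEventLog\t1\tSecurity\t5986982\tFri Dec 08 11:32:42 2023\t4672"
    "\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc2.example.com\tSpecial Logon"
    "\tSpecial privileges assigned to new logon.  Subject:  Account Name:  server123$\t773449975",
    "<14>Dec  8 11:32:37 dc2.example.com MSWinEventLog\t1\tSecurity\t5986753\tFri Dec 08 11:32:37 2023\t5140"
    "\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc2.example.com\tFile Share"
    "\tA network share object was accessed.  Share Name:  ADMIN$\t773449390",
    "<11>Dec  8 11:32:29 dc2.example.com MSWinEventLog\t3\tSecurity\t5986385\tFri Dec 08 11:32:29 2023\t4776"
    "\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tFailure Audit\tdc2.example.com\tCredential Validation\tN/A\t773449044",
    "<14>Dec  8 11:32:42 dc2.example.com MSWinEventLog\t1\tSecurity\t5986976\tFri Dec 08 11:32:42 2023\t4662"
    "\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc2.example.com\tDirectory Service Access\tN/A\t773449958",
    "<14>Dec  8 11:32:41 dc2.example.com MSWinEventLog\t1\tSecurity\t5986915\tFri Dec 08 11:32:41 2023\t4768"
    "\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc2.example.com\tKerberos Authentication Service\tN/A\t773449814",
    "<13>Dec  8 11:32:50 collector.example.com sshd[123]: not a Snare line, must be skipped",
]

def parse_snare(line):
    """Return (event_id, category, message) for a Snare-format line, else None."""
    _, marker, rest = line.partition("MSWinEventLog\t")
    if not marker:
        return None
    f = rest.split("\t")
    # f: 0 crit, 1 channel, 2 counter, 3 datetime, 4 event id, 5 provider, 6 user,
    #    7 SID type, 8 log type, 9 computer, 10 category, 11.. message, -1 trailing counter
    if len(f) < 13 or not f[4].isdigit():
        return None
    return int(f[4]), f[10], "\t".join(f[11:-1]).strip()

def summarize(lines):
    """Per event ID: (total lines, lines whose message field is empty or 'N/A')."""
    stats = {}
    for line in lines:
        rec = parse_snare(line)
        if rec is None:
            continue  # syslog from other sources on the same collector
        event_id, _, message = rec
        total, empty = stats.get(event_id, (0, 0))
        stats[event_id] = (total + 1, empty + int(message in ("", "N/A")))
    return stats

def always_empty(stats):
    """Event IDs for which every line arrived without a rendered message."""
    return sorted(eid for eid, (total, empty) in stats.items() if empty == total)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LINES)
    print(stats, "always empty:", always_empty(stats))
```

Run it over a capture from the collector (one line per record) to get the full list of event IDs that never carry a rendered message, which is the set worth comparing against the raw XML on the WEC.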