Specific windows event 1102 not getting UserData
Hi,
We have the following configuration for event id 1102 (eventlog cleared):
<Input clearev>
    Module im_msvistalog
    Query <QueryList>\
        <Query Id="3">\
            <Select Path="Security">*[System[(EventID=1102)]]</Select>\
        </Query>\
    </QueryList>
    Exec delete($Message);
    Exec $Message = to_json();
    Exec $SyslogFacilityValue = 17; $SyslogSeverityValue = 6;
</Input>
The received message is like that:
Feb 29 10:37:17 XXXXXXXX.sdsd.local Microsoft-Windows-Eventlog[1004]: {"EventTime":"2016-02-29 10:37:17","Hostname":"XXXXXXXX.sdsd.local","Keywords":4620693217682128896,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1102,"SourceName":"Microsoft-Windows-Eventlog","ProviderGuid":"{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}","Version":0,"Task":104,"OpcodeValue":0,"RecordNumber":124745,"ProcessID":1004,"ThreadID":7792,"Channel":"Security","Category":"Effacement de journal","Opcode":"Informations","EventReceivedTime":"2016-02-29 10:37:18","SourceModuleName":"clearev","SourceModuleType":"im_msvistalog"}
As you can see, the SubjectUserName information is missing.
But if we look at the detailed view in the Event Viewer, we can find the information in the XML data:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2016-02-29T09:37:17.602206200Z" />
<EventRecordID>124745</EventRecordID>
<Correlation />
<Execution ProcessID="1004" ThreadID="7792" />
<Channel>Security</Channel>
<Computer>XXXXXXXX.sdsd.local</Computer>
<Security />
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserSid>S-1-5-21-1659004503-179605362-725345543-5237</SubjectUserSid>
<SubjectUserName>myuser</SubjectUserName>
<SubjectDomainName>SDSD</SubjectDomainName>
<SubjectLogonId>0xa5c77</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>
How could we get this information through the JSON format? Do we have to develop something for a specific XML view, and if yes, how can we do that?
Please let me know.
Kind regards,
The Security log normally has the following XML which can be properly parsed:
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
</EventData>
Looks like EventID 1102 has this under UserData a bit differently: the field name is the XML tag instead of being inside the Name attribute. That's why it's not getting parsed.
The following could be a solution.
The NXLog EE puts UserData XML into the $UserData field. You can then do parse_xml($UserData);
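Added example, not part of the original thread and not NXLog's own code: a small Python parser that makes the difference described above concrete. It reads both shapes of a Windows event, `<EventData><Data Name="...">` (the usual Security-log layout) and `<UserData><LogFileCleared><SubjectUserName>` (the layout event 1102 uses), and shows that a parser which only looks at EventData loses 1102's subject fields while one that also walks UserData recovers them. The two sample events are constructed from the XML snippets posted in this thread (the SIDs, user and domain names and logon IDs are the thread's placeholders; the `<Event>`/`<System>` wrappers around them and the illustrative EventID 4688 on the second sample are assumptions).

```python
"""Added example (not from the original post or from NXLog): why a parser that
only reads <EventData><Data Name="..."> drops event 1102's subject fields, and
how also reading <UserData> recovers them. Samples are constructed from the
XML snippets in this thread; wrappers and EventID 4688 are assumptions."""
import json
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"


def _q(tag):
    """Qualify a tag with the Windows event namespace (the Event default xmlns)."""
    return "{%s}%s" % (EVENT_NS, tag)


def _local(tag):
    """Drop the {namespace} prefix ElementTree keeps on element names."""
    return tag.rsplit("}", 1)[-1]


# Constructed sample: the 1102 event from the question, in the UserData shape.
SAMPLE_1102 = """<Event xmlns="%s">
  <System><EventID>1102</EventID><Channel>Security</Channel></System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1659004503-179605362-725345543-5237</SubjectUserSid>
      <SubjectUserName>myuser</SubjectUserName>
      <SubjectDomainName>SDSD</SubjectDomainName>
      <SubjectLogonId>0xa5c77</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>""" % EVENT_NS

# Constructed sample: the usual Security-log shape from the reply (EventData).
SAMPLE_EVENTDATA = """<Event xmlns="%s">
  <System><EventID>4688</EventID><Channel>Security</Channel></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>""" % EVENT_NS


def system_fields(root):
    """EventID from <System>; both layouts share this part."""
    out = {}
    eid = root.find(_q("System") + "/" + _q("EventID"))
    if eid is not None and eid.text:
        out["EventID"] = int(eid.text)
    return out


def eventdata_fields(root):
    """Usual layout: the field name is the Name attribute of each <Data>."""
    out = {}
    for data in root.findall(_q("EventData") + "/" + _q("Data")):
        name = data.get("Name")
        if name:  # unnamed <Data> entries are ignored in this example
            out[name] = (data.text or "").strip()
    return out


def userdata_fields(root):
    """1102 layout: <UserData> holds a wrapper (LogFileCleared) whose children
    are named after the field and live in the provider's own namespace."""
    out = {}
    userdata = root.find(_q("UserData"))
    if userdata is None:
        return out
    for wrapper in userdata:
        for child in wrapper:
            out[_local(child.tag)] = (child.text or "").strip()
    return out


def naive_parse(xml_text):
    """Reads System and EventData only: matches the JSON the question shows."""
    root = ET.fromstring(xml_text)
    fields = system_fields(root)
    fields.update(eventdata_fields(root))
    return fields


def parse_event(xml_text):
    """Same, plus UserData, so the 1102 subject fields are kept."""
    root = ET.fromstring(xml_text)
    fields = naive_parse(xml_text)
    fields.update(userdata_fields(root))
    return fields


def to_json(fields):
    return json.dumps(fields, sort_keys=True)


if __name__ == "__main__":
    for sample in (SAMPLE_1102, SAMPLE_EVENTDATA):
        print("EventData only:", to_json(naive_parse(sample)))
        print("with UserData :", to_json(parse_event(sample)))
```

Running it prints the 1102 event twice: the EventData-only pass yields just the EventID, exactly the gap in the question's JSON, while the pass that also walks UserData adds SubjectUserSid, SubjectUserName, SubjectDomainName and SubjectLogonId. For the EventData-shaped sample both passes agree, which is why the problem only shows up on events like 1102.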