Change AccountName field
Dear NXlog community,
I am using nxlog on a Windows 2003 environment and I am having some problems with Windows failed authentication events. All entries with EventID 675 contain the AccountName "SYSTEM" instead of the username that the failed authentication is for. I couldn't get it to work with pattern matching in nxlog, but as I have never used this before I am probably doing something wrong. I would really like to get some statistics of this and get the user name in the AccountName field.
For example kibana is reporting:
AccountName SYSTEM
AccountType User
Category Account Logon
CategoryNumber 9
Domain NT AUTHORITY
EventID 675
EventType AUDIT_FAILURE
FileName Security
Hostname SomeHostName
Severity ERROR
SeverityValue 4
SourceModuleName eventlog
SourceModuleType im_mseventlog
SourceName Security
host SomeHostName.SomeDomain
message Pre-authentication failed:
User Name: [username]
User ID: %{some user id}
Service Name: krbtgt/office
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: [ip address]
Any help is appreciated!
Windows 2003 uses the older eventlog API, so only the standard eventlog fields are available; on Windows Vista and later you get more fields from the security logs (i.e. TargetUserName, SubjectUserName). On w2k3 the value of TargetUserName is only available in the Message field, so you will need to extract it with a regexp.
You can add the following to your nxlog.conf to extract it:
Exec if ($EventID == 675) and ($Message =~ /User Name: (\S+)/) { $TargetUserName = $1; }
The other option is to use pm_pattern. This is recommended if you need to use a lot of extraction and classification rules.
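As an added illustration (not part of the answer above and not nxlog's own code), the Python below applies the same `User Name: (\S+)` regex that the Exec rule uses to constructed Windows 2003 event 675 messages, and goes a step beyond the answer by parsing the other labelled lines of the message body and producing the per-user failure counts the question asks for. The message layout follows the question; the user names, SIDs and client addresses are constructed placeholders, and `extract_target_user`, `parse_675_message`, `enrich` and `count_failures_by_user` are names chosen here.

```python
import re
from collections import Counter

# Same pattern as the nxlog Exec rule: the label "User Name:" followed by
# whitespace and a single non-whitespace token.
USER_NAME_RE = re.compile(r"User Name:\s*(\S+)")

# One "Label:<tab>value" line of the w2k3 message body. Only spaces/tabs are
# allowed around the value so a label with an empty value (the title line)
# cannot swallow the following line.
FIELD_RE = re.compile(
    r"^[ \t]*(?P<label>[A-Za-z\- ]+):[ \t]*(?P<value>[^\r\n]*?)[ \t]*$",
    re.MULTILINE,
)


def _msg(user, sid, client):
    """Build a message body in the layout shown in the question (constructed)."""
    return ("Pre-authentication failed:\n"
            f"\tUser Name:\t{user}\n"
            f"\tUser ID:\t%{{{sid}}}\n"
            "\tService Name:\tkrbtgt/office\n"
            "\tPre-Authentication Type:\t0x0\n"
            "\tFailure Code:\t0x19\n"
            f"\tClient Address:\t{client}\n")


# Constructed sample events; SIDs and addresses are placeholders, not real data.
SAMPLE_EVENTS = [
    {"EventID": 675, "AccountName": "SYSTEM",
     "Message": _msg("jdoe", "S-1-5-21-0-0-0-1001", "192.0.2.10")},
    {"EventID": 675, "AccountName": "SYSTEM",
     "Message": _msg("asmith", "S-1-5-21-0-0-0-1002", "192.0.2.11")},
    {"EventID": 675, "AccountName": "SYSTEM",
     "Message": _msg("jdoe", "S-1-5-21-0-0-0-1001", "192.0.2.10")},
    # A 675 whose message body was truncated: no "User Name:" label present.
    {"EventID": 675, "AccountName": "SYSTEM",
     "Message": "Pre-authentication failed:\n"},
    # A different event id must be left untouched by the rule.
    {"EventID": 672, "AccountName": "SYSTEM",
     "Message": "Authentication Ticket Granted:\n\tUser Name:\tjdoe\n"},
]


def extract_target_user(event):
    """Python mirror of the Exec rule: only for EventID 675 and only when the
    regex matches; otherwise TargetUserName stays unset (None)."""
    if event.get("EventID") != 675:
        return None
    m = USER_NAME_RE.search(event.get("Message", ""))
    return m.group(1) if m else None


def parse_675_message(message):
    """Split the tab-separated message body into a dict of its labelled fields."""
    fields = {}
    for m in FIELD_RE.finditer(message):
        label = m.group("label").strip()
        if label.lower() == "pre-authentication failed":
            continue  # title line of the event, not a field
        fields[label] = m.group("value")
    return fields


def enrich(event):
    """Return a copy of the event with TargetUserName added, as the Exec rule
    would, plus the parsed message fields so they can be reported on."""
    out = dict(event)
    if event.get("EventID") == 675:
        user = extract_target_user(event)
        if user is not None:
            out["TargetUserName"] = user
        out.update(parse_675_message(event.get("Message", "")))
    return out


def count_failures_by_user(events):
    """The statistic the question asks for: failed pre-authentications per
    target user. 675s with no extractable name are counted under '<unknown>'."""
    counts = Counter()
    for ev in events:
        if ev.get("EventID") != 675:
            continue
        counts[extract_target_user(ev) or "<unknown>"] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, n in sorted(count_failures_by_user(SAMPLE_EVENTS).items()):
        print(f"{user:12} {n}")
```

The `<unknown>` bucket is worth keeping in a real deployment: a run of 675 events whose message no longer matches the regex usually means the message format changed, not that authentication failures stopped.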