Windows EventData not captured

Tags: windows

#1 traz

Hi,

I'm using the im_msvistalog input to grab events from the Windows security log; however, the important information is being ignored.

This is one of my Windows events:

  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="AD FS Auditing" />
      <EventID Qualifiers="0">411</EventID>
      <Level>0</Level>
      <Task>3</Task>
      <Keywords>0x8090000000000000</Keywords>
      <TimeCreated SystemTime="2018-11-06T09:22:29.086191400Z" />
      <EventRecordID>85712874</EventRecordID>
      <Channel>Security</Channel>
      <Computer>server1</Computer>
      <Security UserID="S-8-8-88-8888-8888-8888-8888" />
    </System>
    <EventData>
      <Data>00000000-0000-0000-0000-000000000000</Data>
      <Data>http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</Data>
      <Data>user1@domain.com</Data>
      <Data>System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Data>
      <Data>8.8.8.8</Data>
    </EventData>
    <RenderingInfo Culture="en-US">
      <Message>Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 8.8.8.8 Error message: user1@domain.com Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Message>
      <Level>Information</Level>
      <Task />
      <Opcode>Info</Opcode>
      <Channel />
      <Provider />
      <Keywords>
        <Keyword>Audit Failure</Keyword>
        <Keyword>Classic</Keyword>
      </Keywords>
    </RenderingInfo>
  </Event>

As you can see, the relevant information is between EventData and Message tags. But this information does not appear in the output message:

{"EventTime":"2018-11-06 09:22:29"
,"Hostname":"server1"
,"Keywords":-9182839640208441344
,"EventType":"AUDIT_FAILURE"
,"SeverityValue":4
,"Severity":"ERROR"
,"EventID":411
,"SourceName":"AD FS Auditing"
,"Task":3
,"RecordNumber":85712874
,"ProcessID":0
,"ThreadID":0
,"Channel":"Security"
,"Domain":"domain.com"
,"AccountName":"service1"
,"AccountType":"User"
,"EventReceivedTime":"2018-11-06 09:22:31"
,"SourceModuleName":"eventlog"
,"SourceModuleType":"im_msvistalog"
}

This is my nxlog config:

<Input eventlog>
    Module im_msvistalog
    Channel ForwardedEvents
    Exec $Message = to_json();
</Input>
<Output graylog>
    Module      om_tcp
    Host        graylog.server.com
    Port        1111
    OutputType  GELF_TCP
</Output>
<Route 1>
    Path eventlog => graylog
</Route>

According to the docs, Data between EventData tags is automatically extracted if it is named, but it isn't in my case. Can data be extracted manually somehow?

I'm running nxlog CE 2.9. Thanks.

#2 b0ti Nxlog ✓

The NXLog EE captures this in $EventData when the fields are not named and you can then use that to further extract data from it. AFAIK the NXLog CE does not do this yet.
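A CE-compatible workaround, added here as an example and not taken from the asker's config or from NXLog's documentation: the unnamed <Data> values also appear in the rendered $Message as "Label: value" pairs, so the input's Exec block can pull them into fields with regex captures before to_json() runs. The field names $ActivityID, $TokenType and $ClientIP are my choice; the Output and Route blocks from the original config stay as they are.

```nxlog
<Input eventlog>
    Module  im_msvistalog
    Channel ForwardedEvents
    <Exec>
        # AD FS event 411 (token validation failed) has no named
        # <Data> elements, so CE cannot map them to fields. The rendered
        # $Message still carries the values, so capture them from there.
        # Field names below are assumptions, not NXLog-defined fields.
        if $SourceName == "AD FS Auditing" and $EventID == 411
        {
            if $Message =~ /Activity ID: (\S+)/ { $ActivityID = $1; }
            if $Message =~ /Token Type: (\S+)/  { $TokenType  = $1; }
            if $Message =~ /Client IP: (\S+)/   { $ClientIP   = $1; }
        }
        # Serialize last so the new fields are part of the JSON payload
        $Message = to_json();
    </Exec>
</Input>
```

With $ClientIP as a separate GELF field, Graylog can count event 411 failures per source address and per TokenType, which is the view a defender wants for spotting bursts of failed AD FS logons from one client.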