Windows EventData not captured

View thread

traz

Hi,

I'm using the im_msvistalog input to grab events from the Windows security log however the important information is being ignored.

This is one my Windows events:

  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
  <Provider Name="AD FS Auditing" /> 
  <EventID Qualifiers="0">411</EventID> 
  <Level>0</Level> 
  <Task>3</Task> 
  <Keywords>0x8090000000000000</Keywords> 
  <TimeCreated SystemTime="2018-11-06T09:22:29.086191400Z" /> 
  <EventRecordID>85712874</EventRecordID> 
  <Channel>Security</Channel> 
  <Computer>server1</Computer> 
  <Security UserID="S-8-8-88-8888-8888-8888-8888" /> 
  </System>
  <EventData>
  <Data>00000000-0000-0000-0000-000000000000</Data> 
  <Data>http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</Data> 
  <Data>user1@domain.com</Data> 
  <Data>System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Data> 
  <Data>8.8.8.8</Data> 
  </EventData>
  <RenderingInfo Culture="en-US">
  <Message>Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 8.8.8.8 Error message: user1@domain.com Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Message> 
  <Level>Information</Level> 
  <Task /> 
  <Opcode>Info</Opcode> 
  <Channel /> 
  <Provider /> 
  <Keywords><Keyword>Audit Failure</Keyword><Keyword>Classic</Keyword> 
  </Keywords>
  </RenderingInfo>
  </Event>

As you can see, the relevant information is between EventData and Message tags. But this information does not appear in the output message:

{"EventTime":"2018-11-06 09:22:29"
,"Hostname":"server1"
,"Keywords":-9182839640208441344
,"EventType":"AUDIT_FAILURE"
,"SeverityValue":4
,"Severity":"ERROR"
,"EventID":411
,"SourceName":"AD FS Auditing"
,"Task":3
,"RecordNumber":85712874
,"ProcessID":0
,"ThreadID":0
,"Channel":"Security"
,"Domain":"domain.com"
,"AccountName":"service1"
,"AccountType":"User"
,"EventReceivedTime":"2018-11-06 09:22:31"
,"SourceModuleName":"eventlog"
,"SourceModuleType":"im_msvistalog"
}

This is my nxlog config:

<Input eventlog>
    Module im_msvistalog
    Channel ForwardedEvents
    Exec $Message = to_json();
</Input>
<Output graylog>
    Module      om_tcp
    Host        graylog.server.com
    Port        1111
    OutputType  GELF_TCP
</Output>
<Route 1>
    Path eventlog => graylog
</Route>

According to the docs, Data between EvenData tags is automatically extracted if it is named, but it isn't in my case. Can data be extracted manually somehow?

I'm running nxlog CE 2.9. Thanks