Windows EventData not captured

Tags: windows

#1 traz
Hi, I'm using the im_msvistalog input to grab events from the Windows security log; however, the important information is being ignored. This is one of my Windows events:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Auditing" />
    <EventID Qualifiers="0">411</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0x8090000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-06T09:22:29.086191400Z" />
    <EventRecordID>85712874</EventRecordID>
    <Channel>Security</Channel>
    <Computer>server1</Computer>
    <Security UserID="S-8-8-88-8888-8888-8888-8888" />
  </System>
  <EventData>
    <Data>00000000-0000-0000-0000-000000000000</Data>
    <Data>http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</Data>
    <Data>user1@domain.com</Data>
    <Data>System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Data>
    <Data>8.8.8.8</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 8.8.8.8 Error message: user1@domain.com Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Message>
    <Level>Information</Level>
    <Task />
    <Opcode>Info</Opcode>
    <Channel />
    <Provider />
    <Keywords>
      <Keyword>Audit Failure</Keyword>
      <Keyword>Classic</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>

As you can see, the relevant information is between the EventData and Message tags.

But this information does not appear in the output message:

{
  "EventTime": "2018-11-06 09:22:29",
  "Hostname": "server1",
  "Keywords": -9182839640208441344,
  "EventType": "AUDIT_FAILURE",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "EventID": 411,
  "SourceName": "AD FS Auditing",
  "Task": 3,
  "RecordNumber": 85712874,
  "ProcessID": 0,
  "ThreadID": 0,
  "Channel": "Security",
  "Domain": "domain.com",
  "AccountName": "service1",
  "AccountType": "User",
  "EventReceivedTime": "2018-11-06 09:22:31",
  "SourceModuleName": "eventlog",
  "SourceModuleType": "im_msvistalog"
}

This is my nxlog config:

<Input eventlog>
    Module  im_msvistalog
    Channel ForwardedEvents
    Exec    $Message = to_json();
</Input>

<Output graylog>
    Module     om_tcp
    Host       graylog.server.com
    Port       1111
    OutputType GELF_TCP
</Output>

<Route 1>
    Path eventlog => graylog
</Route>

According to the [docs](https://nxlog.co/docs/nxlog-ce/nxlog-reference-manual.html#im_msvistalog), data between EventData tags is automatically extracted if it is named, but it isn't in my case. Can data be extracted manually somehow? I'm running nxlog CE 2.9. Thanks

#2 b0ti Nxlog ✓

The NXLog EE captures this in $EventData when the fields are not named and you can then use that to further extract data from it. AFAIK the NXLog CE does not do this yet.
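An added example, not code from this thread or from NXLog: when the agent only hands you the raw event XML (or a copy of $EventData, as in the EE case described above), the unnamed <Data> elements can still be turned into named fields by position. The positional mapping used here for AD FS event 411 (ActivityID, TokenType, ErrorMessage, ExceptionDetails, ClientIP) is an assumption inferred from the rendered Message text of the same event, which labels each value; the XML sample is a constructed copy of the event quoted in the question. Named <Data Name="..."> elements are handled too, so the parser also covers the case the docs describe.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the AD FS event 411 quoted in the question (values as posted).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS Auditing" />
    <EventID Qualifiers="0">411</EventID>
    <Level>0</Level>
    <Task>3</Task>
    <Keywords>0x8090000000000000</Keywords>
    <TimeCreated SystemTime="2018-11-06T09:22:29.086191400Z" />
    <EventRecordID>85712874</EventRecordID>
    <Channel>Security</Channel>
    <Computer>server1</Computer>
    <Security UserID="S-8-8-88-8888-8888-8888-8888" />
  </System>
  <EventData>
    <Data>00000000-0000-0000-0000-000000000000</Data>
    <Data>http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</Data>
    <Data>user1@domain.com</Data>
    <Data>System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Data>
    <Data>8.8.8.8</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>Token validation failed. See inner exception for more details. Additional Data Activity ID: 00000000-0000-0000-0000-000000000000 Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName Client IP: 8.8.8.8 Error message: user1@domain.com Exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: user1@domain.com at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Message>
    <Level>Information</Level>
    <Opcode>Info</Opcode>
  </RenderingInfo>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: the order of the unnamed <Data> elements for AD FS event 411 is stable
# and matches the labels in the rendered Message (Activity ID, Token Type,
# Error message, Exception details, Client IP).
POSITIONAL_SCHEMAS = {
    ("AD FS Auditing", 411): ("ActivityID", "TokenType", "ErrorMessage", "ExceptionDetails", "ClientIP"),
}


def parse_event(xml_text):
    """Flatten one Windows event XML document into a dict of named fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    record = {
        "SourceName": provider,
        "EventID": event_id,
        "Channel": system.findtext("e:Channel", namespaces=NS),
        "Hostname": system.findtext("e:Computer", namespaces=NS),
        "RecordNumber": int(system.findtext("e:EventRecordID", namespaces=NS)),
    }

    data_elems = root.findall("e:EventData/e:Data", NS)
    if any(d.get("Name") for d in data_elems):
        # Named data: the easy case, each element carries its own field name.
        for d in data_elems:
            record[d.get("Name") or "Data"] = (d.text or "").strip()
    else:
        # Unnamed data: map by position when a schema for this provider/ID is known,
        # otherwise keep the values as Data0, Data1, ... so nothing is dropped.
        schema = POSITIONAL_SCHEMAS.get((provider, event_id))
        for i, d in enumerate(data_elems):
            key = schema[i] if schema and i < len(schema) else "Data%d" % i
            record[key] = (d.text or "").strip()

    message = root.findtext("e:RenderingInfo/e:Message", namespaces=NS)
    if message:
        record["Message"] = message
    return record


def client_ip_from_message(message):
    """Fallback: recover the client IP from the rendered Message text alone."""
    m = re.search(r"Client IP:\s*([0-9]{1,3}(?:\.[0-9]{1,3}){3})", message)
    return m.group(1) if m else None


if __name__ == "__main__":
    rec = parse_event(SAMPLE_EVENT)
    for key in ("EventID", "SourceName", "ActivityID", "ErrorMessage", "ClientIP"):
        print("%-16s %s" % (key, rec[key]))
    print("IP from message:", client_ip_from_message(rec["Message"]))
```

For detection purposes the fields worth keeping from this event are ClientIP and ErrorMessage (the account name that failed validation): once they are separate fields in the GELF record, counting 411 events per source IP and per account over a short window is a straightforward query in Graylog, which is not possible while the values only exist inside the rendered text.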