PatternDB not working as expected. Config errors?

Tags: patterndb

#1 jaredtully

Hi there,

I'm having a little trouble trying to filter events with patterndb.xml

I'm sending logs to our SIEM, but despite the corresponding event IDs missing from patterndb, they are still getting pushed.

I think my configuration setup is overruling the patterndb config.

Can you please review?

Thanks for your time.

#
# Configuration for converting and sending Windows logs
# to AlienVault USM Anywhere.
#
# Version: 0.1.0
# Last modification: 2019-07-03
#

define ROOT C:\Program Files (x86)\nxlog
define OUTPUT_DESTINATION_ADDRESS x.x..x.xx
define OUTPUT_DESTINATION_PORT 12346789

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log


<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Input eventlog>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
    Exec if ($EventID == 5156) OR ($EventID == 5158) drop();
</Input>


<Output out>
    Module      om_udp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route 1>
    Path        eventlog, internal => out
</Route>
############################################################################
####                      NXLOG WITH PATTERNDB                         #####
####    Uncomment the following lines for Windows Events filtered      #####
############################################################################

<Input internal_Pattern>
    Module      im_internal
</Input>

<Input eventlog_Pattern>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="0">\
                        <Select Path="Application">*</Select>\
                        <Select Path="System">*</Select>\
                        <Select Path="Security">*</Select>\
                    </Query>\
                </QueryList>
</Input>

<Processor match_events>
     Module          pm_pattern
     PatternFile     %ROOT%\conf\patterndb.xml
</Processor>

<Output out_Pattern>
    Module      om_udp
    Host        %OUTPUT_DESTINATION_ADDRESS%
    Port        %OUTPUT_DESTINATION_PORT%
    Exec        $EventTime = integer($EventTime) / 1000000;
    Exec        if not defined $PatternID or not defined $Message { drop(); }
    Exec        $Message = to_json(); to_syslog_bsd();
</Output>

<Route route_Pattern>
    Path        eventlog_Pattern, internal_Pattern => match_events => out_Pattern
</Route>

############################################################################
#####                     /NXLOG WITH PATTERNDB                        #####
############################################################################
#2 Arkadiy (Nxlog ✓)

Hello Jared,

I think I have some thoughts on how to fix this one.
Could you try commenting out the check for defined $Message, so it would look like this:

Exec    if not defined $PatternID drop();

Please let us know if this info was helpful for you.

Best regards, Arch
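As an added illustration (not code from this thread or from NXLog), the Python script below models how the pattern route decides what to forward. It uses a constructed patterndb.xml in the pm_pattern layout as assumed here (a group with its own matchfields, patterns with an id, a name and exact or regexp matchfields) and applies the suggested `if not defined $PatternID drop();` rule. It also models the unfiltered `<Route 1>` from the posted config, which sends everything except 5156 and 5158 to the same destination through its own output: events that the pattern route drops are still delivered by that route, and matched events arrive twice. The matcher is a simplified model of pm_pattern, not its real implementation, and the channel names, event IDs and pattern ids are constructed sample values.

```python
"""Simplified model of NXLog pm_pattern matching plus the posted routes.

Added illustration, not NXLog's code. Assumptions: patterndb.xml uses
group/matchfield/pattern elements with <type>exact</type> or
<type>regexp</type>; a group's matchfields must all match before its
patterns are tried; the first matching pattern sets $PatternID/$PatternName.
"""
import re
import xml.etree.ElementTree as ET

# Constructed patterndb.xml: only two kinds of Security-channel events get a
# PatternID, so only they survive "if not defined $PatternID drop();".
PATTERNDB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<patterndb>
  <created>2019-07-03 00:00:00</created>
  <version>1</version>
  <group>
    <name>windows-security</name>
    <id>1</id>
    <matchfield>
      <name>Channel</name>
      <type>exact</type>
      <value>Security</value>
    </matchfield>
    <pattern>
      <id>100</id>
      <name>logon-success</name>
      <matchfield>
        <name>EventID</name>
        <type>exact</type>
        <value>4624</value>
      </matchfield>
    </pattern>
    <pattern>
      <id>101</id>
      <name>privilege-or-account-change</name>
      <matchfield>
        <name>EventID</name>
        <type>regexp</type>
        <value>^(4672|4720)$</value>
      </matchfield>
    </pattern>
  </group>
</patterndb>
"""


def load_patterndb(xml_text):
    """Parse the patterndb XML text into an element tree root."""
    return ET.fromstring(xml_text.encode("utf-8"))


def _field_matches(matchfield, event):
    """One <matchfield> against one event field (missing field never matches)."""
    name = matchfield.findtext("name")
    mtype = matchfield.findtext("type", "exact")
    wanted = matchfield.findtext("value", "")
    actual = event.get(name)
    if actual is None:
        return False
    actual = str(actual)
    if mtype == "exact":
        return actual == wanted
    if mtype == "regexp":
        return re.search(wanted, actual) is not None
    raise ValueError(f"unsupported matchfield type: {mtype}")


def match_event(patterndb, event):
    """Return (PatternID, PatternName) of the first matching pattern, else None."""
    for group in patterndb.findall("group"):
        if not all(_field_matches(mf, event) for mf in group.findall("matchfield")):
            continue
        for pattern in group.findall("pattern"):
            if all(_field_matches(mf, event) for mf in pattern.findall("matchfield")):
                return int(pattern.findtext("id")), pattern.findtext("name")
    return None


def pattern_route_forwards(patterndb, event):
    """out_Pattern after the fix: drop unless $PatternID was set by pm_pattern."""
    hit = match_event(patterndb, event)
    if hit is None:
        return False
    event["PatternID"], event["PatternName"] = hit
    return True


def route_1_forwards(event):
    """<Route 1> from the posted config: only 5156 and 5158 are dropped."""
    return event["EventID"] not in (5156, 5158)


# Constructed events shaped like im_msvistalog records.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Message": "An account was successfully logged on."},
    {"Channel": "Security", "EventID": 5156, "Message": "WFP has permitted a connection."},
    {"Channel": "Security", "EventID": 4672, "Message": "Special privileges assigned to new logon."},
    {"Channel": "System", "EventID": 4624, "Message": "Same ID, wrong channel for the group."},
]


def events_reaching_siem(patterndb, events, route_1_active=True):
    """EventIDs delivered to the destination, one entry per copy delivered.

    With both routes active, an event the pattern route drops is still sent by
    <Route 1>, and an event both routes accept is sent twice.
    """
    delivered = []
    for event in events:
        copies = pattern_route_forwards(patterndb, dict(event))
        copies += route_1_active and route_1_forwards(event)
        delivered.extend([event["EventID"]] * copies)
    return delivered


if __name__ == "__main__":
    db = load_patterndb(PATTERNDB_XML)
    print("both routes active:", events_reaching_siem(db, SAMPLE_EVENTS))
    print("pattern route only:", events_reaching_siem(db, SAMPLE_EVENTS, route_1_active=False))
```

Run stand-alone, the script shows that with both routes active the 4672 and 4624 events are delivered twice and the System-channel 4624 still arrives, while with only the pattern route active exactly the patterndb-matched events are forwarded.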