Let's Talk
Let's Talk

How to extract data from unnamed EventData Data fields of Event

Tags:
#1 DH
Hy! Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without name, or let's say unnamed Data fields, e.g. EventID 2889 - unsigned LDAP requests. ``` - - 2889 0 4 16 0 0x8080000000000000 242410 Directory Service PC1.DOMAINXY.local - 172.172.172.172:33426 DOMAINXY\USERXY 0 ``` Simply sending this to syslog works like charm. But in this case I woul like to get the values from all three fields into $raw_event with a special text,like: ``` define EventID_2889_REGEX /(?x) \ (?(^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)) \ (?([\w\d]+)) \ (?(\d+))/ Module im_msvistalog Query \ \ *[System[(EventID=2889)]]\ \ Exec $EventData =~ %EventID_2889_REGEX%; Exec $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]"; Exec $SyslogFacilityValue = 21; Exec $SyslogFacility = "LOCAL5"; Exec $ProcessID = $SubjectUserName; Exec $SourceName = "2889"; Exec parse_syslog_ietf(); Exec to_syslog_ietf(); ``` I tried a lot, read the NXLog CE documentation hints, googled for days now...to list it all up here would explode the forum ;-) Could you please give me some hints how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured? Thanks in advance!
Permalink
#2 MisazivDeactivated Nxlog ✓
#1 DH
Hy! Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without name, or let's say unnamed Data fields, e.g. EventID 2889 - unsigned LDAP requests. - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e84...-3605-4e8c-...-1e730c959516}" EventSourceName="NTDS General" /> <EventID Qualifiers="16384">2889</EventID> <Version>0</Version> <Level>4</Level> <Task>16</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2020-02-18T13:27:25.716041000Z" /> <EventRecordID>242410</EventRecordID> <Correlation /> <Execution ProcessID="436" ThreadID="1108" /> <Channel>Directory Service</Channel> <Computer>PC1.DOMAINXY.local</Computer> <Security UserID="S-1-5-7-..." /> </System> - <EventData> <Data>172.172.172.172:33426</Data> <Data>DOMAINXY\USERXY</Data> <Data>0</Data> </EventData> </Event> Simply sending this to syslog works like charm. But in this case I woul like to get the values from all three <Data> fields into $raw_event with a special text,like: define EventID_2889_REGEX /(?x) \ <Data>(?<IP>(^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$))<\/Data> \ <Data>(?<USER>([\w\d]+))<\/Data> \ <Data>(?<BINDTYPE>(\d+))<\/Data>/ <Input eventlog2889> Module im_msvistalog Query <QueryList>\ <Query Id="0" Path="Directory Service">\ <Select Path="Directory Service">*[System[(EventID=2889)]]</Select>\ </Query>\ </QueryList> Exec $EventData =~ %EventID_2889_REGEX%; Exec $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]"; Exec $SyslogFacilityValue = 21; Exec $SyslogFacility = "LOCAL5"; Exec $ProcessID = $SubjectUserName; Exec $SourceName = "2889"; Exec parse_syslog_ietf(); Exec to_syslog_ietf(); </Input> I tried a lot, read the NXLog CE documentation hints, googled for days now...to list it all up here would explode the forum ;-) Could you please give me some hints how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured? Thanks in advance!

As mentioned in this thread: https://nxlog.co/question/4158/windows-eventdata-not-captured , you would need NXLog EE to do this.

~MisaZ
Login to see more