How to extract data from unnamed EventData Data fields of Event
#1
DH
Hi!
Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without name, or let's say unnamed Data fields, e.g. EventID 2889 - unsigned LDAP requests.
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e84...-3605-4e8c-...-1e730c959516}" EventSourceName="NTDS General" />
    <EventID Qualifiers="16384">2889</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>16</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2020-02-18T13:27:25.716041000Z" />
    <EventRecordID>242410</EventRecordID>
    <Correlation />
    <Execution ProcessID="436" ThreadID="1108" />
    <Channel>Directory Service</Channel>
    <Computer>PC1.DOMAINXY.local</Computer>
    <Security UserID="S-1-5-7-..." />
  </System>
  <EventData>
    <Data>172.172.172.172:33426</Data>
    <Data>DOMAINXY\USERXY</Data>
    <Data>0</Data>
  </EventData>
</Event>
```
Simply sending this to syslog works like a charm. But in this case I would like to get the values from all three `<Data>` fields into $raw_event with a special text, like:
```
# Event 2889 carries three unnamed <Data> elements in a fixed order:
# client IP:port, the identity used for the bind, and the binding type.
# The anchors ^ and $ can never match inside the surrounding <Data> tags,
# the first value also carries a port, the user value contains a backslash
# and the elements are separated by whitespace, so the pattern allows for all of these.
define EventID_2889_REGEX /(?x) \
<Data>(?<IP>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?::(?<PORT>\d+))?<\/Data>\s* \
<Data>(?<USER>[^<]+)<\/Data>\s* \
<Data>(?<BINDTYPE>\d+)<\/Data>/

<Input eventlog2889>
    Module im_msvistalog
    Query <QueryList>\
          <Query Id="0" Path="Directory Service">\
          <Select Path="Directory Service">*[System[(EventID=2889)]]</Select>\
          </Query>\
          </QueryList>
    # On a match the named groups become the fields $IP, $PORT, $USER and $BINDTYPE
    Exec $EventData =~ %EventID_2889_REGEX%;
    Exec $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]";
    Exec $SyslogFacilityValue = 21;
    Exec $SyslogFacility = "LOCAL5";
    # $SubjectUserName is not a field of this event; use the identity captured above
    Exec $ProcessID = $USER;
    Exec $SourceName = "2889";
    Exec parse_syslog_ietf();
    Exec to_syslog_ietf();
</Input>
```
I tried a lot, read the NXLog CE documentation hints, googled for days now... to list it all up here would explode the forum ;-) Could you please give me some hints on how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured?
Thanks in advance!
As mentioned in this thread: https://nxlog.co/question/4158/windows-eventdata-not-captured, you would need NXLog EE to do this.
~MisaZ
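To show the positional mapping the question is after outside of NXLog, here is an added Python example (not code from the question or from NXLog) that parses a constructed copy of the 2889 event above, names the three unnamed Data values by their position and builds the syslog text. The binding-type meanings are an assumption taken from the event's own message text, and the names EVENT_2889_FIELDS, extract_2889 and format_message are chosen here.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the event quoted in the question (placeholder host, user and IP).
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID Qualifiers="16384">2889</EventID>
    <Channel>Directory Service</Channel><Computer>PC1.DOMAINXY.local</Computer></System>
  <EventData><Data>172.172.172.172:33426</Data><Data>DOMAINXY\\USERXY</Data><Data>0</Data></EventData>
</Event>"""

# Event 2889 carries three unnamed <Data> elements; their meaning is positional.
# The binding-type values are an assumption taken from the event's message text
# (0 = SASL bind without signing, 1 = simple bind over clear-text LDAP).
EVENT_2889_FIELDS = ("client", "user", "bind_type")
BIND_TYPES = {"0": "SASL bind without signing", "1": "simple bind over clear text"}
CLIENT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def parse_event(xml_text):
    """Return (event_id, list of <Data> values in document order)."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    return event_id, data

def extract_2889(xml_text):
    """Map the positional Data values of a 2889 event to named fields; None for other IDs."""
    event_id, data = parse_event(xml_text)
    if event_id != 2889:
        return None
    if len(data) != len(EVENT_2889_FIELDS):
        raise ValueError("event 2889 with %d Data fields, expected %d" % (len(data), len(EVENT_2889_FIELDS)))
    fields = dict(zip(EVENT_2889_FIELDS, data))
    m = CLIENT_RE.fullmatch(fields["client"])
    if not m:
        raise ValueError("unexpected client value: %r" % fields["client"])
    fields["client_ip"], fields["client_port"] = m.group(1), int(m.group(2))
    fields["bind_desc"] = BIND_TYPES.get(fields["bind_type"], "unknown bind type")
    return fields

def format_message(fields):
    """Build the syslog text the question wants, with the three values named."""
    return ("Unsigned or simple non TLS LDAP bind request: [client=%s:%d user=%s bind=%s]"
            % (fields["client_ip"], fields["client_port"], fields["user"], fields["bind_desc"]))

if __name__ == "__main__":
    print(format_message(extract_2889(SAMPLE_EVENT_XML)))
```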