Let's Talk
Let's Talk

How to extract data from unnamed EventData Data fields of Event

Tags:
#1 DH

Hy!

Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without name, or let's say unnamed Data fields, e.g. EventID 2889 - unsigned LDAP requests.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e84...-3605-4e8c-...-1e730c959516}" EventSourceName="NTDS General" /> 
  <EventID Qualifiers="16384">2889</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>16</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8080000000000000</Keywords> 
  <TimeCreated SystemTime="2020-02-18T13:27:25.716041000Z" /> 
  <EventRecordID>242410</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="436" ThreadID="1108" /> 
  <Channel>Directory Service</Channel> 
  <Computer>PC1.DOMAINXY.local</Computer> 
  <Security UserID="S-1-5-7-..." /> 
  </System>
- <EventData>
  <Data>172.172.172.172:33426</Data> 
  <Data>DOMAINXY\USERXY</Data> 
  <Data>0</Data> 
  </EventData>
  </Event>

Simply sending this to syslog works like charm. But in this case I woul like to get the values from all three <Data> fields into $raw_event with a special text,like:

define EventID_2889_REGEX /(?x) \
    <Data>(?<IP>(^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$))<\/Data> \
    <Data>(?<USER>([\w\d]+))<\/Data> \
    <Data>(?<BINDTYPE>(\d+))<\/Data>/
<Input eventlog2889>
Module im_msvistalog
Query <QueryList>\
 <Query Id="0" Path="Directory Service">\
  <Select Path="Directory Service">*[System[(EventID=2889)]]</Select>\
 </Query>\
</QueryList>
Exec $EventData =~ %EventID_2889_REGEX%;
Exec $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]";
Exec $SyslogFacilityValue = 21;
Exec $SyslogFacility = "LOCAL5";
Exec $ProcessID = $SubjectUserName;
Exec $SourceName = "2889";
Exec parse_syslog_ietf();
Exec to_syslog_ietf();
</Input>

I tried a lot, read the NXLog CE documentation hints, googled for days now...to list it all up here would explode the forum ;-) Could you please give me some hints how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured?

Thanks in advance!

Permalink
#2 MisazivDeactivated Nxlog ✓
#1 DH
Hy! Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without name, or let's say unnamed Data fields, e.g. EventID 2889 - unsigned LDAP requests. - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e84...-3605-4e8c-...-1e730c959516}" EventSourceName="NTDS General" /> <EventID Qualifiers="16384">2889</EventID> <Version>0</Version> <Level>4</Level> <Task>16</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2020-02-18T13:27:25.716041000Z" /> <EventRecordID>242410</EventRecordID> <Correlation /> <Execution ProcessID="436" ThreadID="1108" /> <Channel>Directory Service</Channel> <Computer>PC1.DOMAINXY.local</Computer> <Security UserID="S-1-5-7-..." /> </System> - <EventData> <Data>172.172.172.172:33426</Data> <Data>DOMAINXY\USERXY</Data> <Data>0</Data> </EventData> </Event> Simply sending this to syslog works like charm. But in this case I woul like to get the values from all three <Data> fields into $raw_event with a special text,like: define EventID_2889_REGEX /(?x) \ <Data>(?<IP>(^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$))<\/Data> \ <Data>(?<USER>([\w\d]+))<\/Data> \ <Data>(?<BINDTYPE>(\d+))<\/Data>/ <Input eventlog2889> Module im_msvistalog Query <QueryList>\ <Query Id="0" Path="Directory Service">\ <Select Path="Directory Service">*[System[(EventID=2889)]]</Select>\ </Query>\ </QueryList> Exec $EventData =~ %EventID_2889_REGEX%; Exec $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]"; Exec $SyslogFacilityValue = 21; Exec $SyslogFacility = "LOCAL5"; Exec $ProcessID = $SubjectUserName; Exec $SourceName = "2889"; Exec parse_syslog_ietf(); Exec to_syslog_ietf(); </Input> I tried a lot, read the NXLog CE documentation hints, googled for days now...to list it all up here would explode the forum ;-) Could you please give me some hints how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured? Thanks in advance!

As mentioned in this thread: https://nxlog.co/question/4158/windows-eventdata-not-captured , you would need NXLog EE to do this.

~MisaZ
Login to see more