How to extract data from unnamed EventData Data fields of Event
DH
Hi!
Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without a name, or let's say unnamed Data fields, e.g. EventID 2889 - unsigned LDAP requests.
```
-
-
2889
0
4
16
0
0x8080000000000000
242410
Directory Service
PC1.DOMAINXY.local
-
172.172.172.172:33426
DOMAINXY\USERXY
0
```
Simply sending this to syslog works like a charm. But in this case I would like to get the values from all three fields into $raw_event with a special text, like:
```
# The named-group names were lost when the post was rendered (angle brackets stripped);
# FIELD1..FIELD3 are placeholders standing in for the original group names.
define EventID_2889_REGEX /(?x) \
    (?<FIELD1>(^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)) \
    (?<FIELD2>([\w\d]+)) \
    (?<FIELD3>(\d+))/

# The <Input> wrapper and the XML query tags were also stripped when the post was rendered;
# "in_2889" is a placeholder name and the Query is the standard im_msvistalog form
# using the "Directory Service" channel shown in the event above.
<Input in_2889>
    Module  im_msvistalog
    Query   <QueryList> \
                <Query Id="0"> \
                    <Select Path="Directory Service">*[System[(EventID=2889)]]</Select> \
                </Query> \
            </QueryList>
    Exec    $EventData =~ %EventID_2889_REGEX%;
    Exec    $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]";
    Exec    $SyslogFacilityValue = 21;
    Exec    $SyslogFacility = "LOCAL5";
    Exec    $ProcessID = $SubjectUserName;
    Exec    $SourceName = "2889";
    Exec    parse_syslog_ietf();
    Exec    to_syslog_ietf();
</Input>
```
I tried a lot, read the NXLog CE documentation hints, googled for days now... to list it all up here would explode the forum ;-) Could you please give me some hints on how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured?
Thanks in advance!
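As an added example (not part of the post and not NXLog code), the following Python shows how the three unnamed Data fields of event 2889 can be read by position from the standard Windows event XML and turned into the kind of message the post's $raw_event builds. The sample event is constructed from the values in the post (the element names follow the Windows event schema, not the post), and parse_2889 / format_raw_event are assumed names.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Same IPv4 pattern as the post's regex, extended with the ":port" suffix that
# event 2889 appends to the client address (the post's pattern would not match it).
CLIENT_RE = re.compile(
    r"^(?P<ip>(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)):(?P<port>\d+)$"
)

# Constructed sample event; the order of the three unnamed <Data> elements matches the post.
SAMPLE_2889 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>2889</EventID><Channel>Directory Service</Channel>
    <Computer>PC1.DOMAINXY.local</Computer></System>
  <EventData>
    <Data>172.172.172.172:33426</Data>
    <Data>DOMAINXY\\USERXY</Data>
    <Data>0</Data>
  </EventData>
</Event>"""


def parse_2889(xml_text):
    """Return a dict with the three fields of event 2889, or None if not applicable."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "2889":
        return None
    # Unnamed fields carry no Name attribute, so they can only be read by position.
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)
            if d.get("Name") is None]
    if len(data) < 3:
        return None
    m = CLIENT_RE.match(data[0])
    if not m:
        return None
    return {
        "client_ip": m.group("ip"),
        "client_port": int(m.group("port")),
        "identity": data[1],
        # Binding type as reported by the event; the value is passed through, not interpreted.
        "binding_type": int(data[2]),
    }


def format_raw_event(fields):
    """Build the message text the post assembles in $raw_event."""
    return ("Unsigned or simple non TLS LDAP bind request: [%s:%d, %s, %d]"
            % (fields["client_ip"], fields["client_port"],
               fields["identity"], fields["binding_type"]))
```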