Let's Talk
Let's Talk

How to extract data from unnamed EventData Data fields of Event

View thread
DH

Hy!

Sometimes one has to analyze Microsoft events containing EventData fields including Data fields without name, or let's say unnamed Data fields, e.g. EventID 2889 - unsigned LDAP requests.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e84...-3605-4e8c-...-1e730c959516}" EventSourceName="NTDS General" /> 
  <EventID Qualifiers="16384">2889</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>16</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8080000000000000</Keywords> 
  <TimeCreated SystemTime="2020-02-18T13:27:25.716041000Z" /> 
  <EventRecordID>242410</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="436" ThreadID="1108" /> 
  <Channel>Directory Service</Channel> 
  <Computer>PC1.DOMAINXY.local</Computer> 
  <Security UserID="S-1-5-7-..." /> 
  </System>
- <EventData>
  <Data>172.172.172.172:33426</Data> 
  <Data>DOMAINXY\USERXY</Data> 
  <Data>0</Data> 
  </EventData>
  </Event>

Simply sending this to syslog works like charm. But in this case I woul like to get the values from all three <Data> fields into $raw_event with a special text,like:

define EventID_2889_REGEX /(?x) \
    <Data>(?<IP>(^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$))<\/Data> \
    <Data>(?<USER>([\w\d]+))<\/Data> \
    <Data>(?<BINDTYPE>(\d+))<\/Data>/
<Input eventlog2889>
Module im_msvistalog
Query <QueryList>\
 <Query Id="0" Path="Directory Service">\
  <Select Path="Directory Service">*[System[(EventID=2889)]]</Select>\
 </Query>\
</QueryList>
Exec $EventData =~ %EventID_2889_REGEX%;
Exec $raw_event = "Unsigned or simple non TLS LDAP bind request: [" + $EventData + "]";
Exec $SyslogFacilityValue = 21;
Exec $SyslogFacility = "LOCAL5";
Exec $ProcessID = $SubjectUserName;
Exec $SourceName = "2889";
Exec parse_syslog_ietf();
Exec to_syslog_ietf();
</Input>

I tried a lot, read the NXLog CE documentation hints, googled for days now...to list it all up here would explode the forum ;-) Could you please give me some hints how to process these values? Maybe this is not even possible in NXLog CE, see https://nxlog.co/question/4158/windows-eventdata-not-captured?

Thanks in advance!