ProcessID is always 4 | Log collection solutions

#1 achung21 9 years ago

Hi, I recently started using Nxlog with Windows event log.

I'm able to get events off of the Security log and onto my server, however, I've noticed something peculiar.

The value of the 'ProcessID' field is always 4, no matter what process is generating the event.

My nxlog.conf has the following sections:

<Extension json>
    Module      xm_json
</Extension>
<Input security_log>
Module      im_msvistalog
SavePos     TRUE
ReadFromLast    TRUE
Channel     Security
Query       *
</Input>
<Output out>
Module      om_tcp
Host        10.1.11.50
Port        9000
Exec        to_json();
</Output>
<Route 1>
Path        security_log => out
</Route>

And the resulting output looks like:

{
"EventTime":"2016-01-18 10:32:13",
"Hostname":"dev-collector.dev.local",
"Keywords":-9214364837600034816,
"EventType":"AUDIT_SUCCESS",
"SeverityValue":2,
"Severity":"INFO",
"EventID":4689,
"SourceName":"Microsoft-Windows-Security-Auditing",
"ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}",
"Version":0,
"Task":13313,
"OpcodeValue":0,
"RecordNumber":355,
"ProcessID":4,
"ThreadID":48,
"Channel":"Security",
"Message":"A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3503561835-834928460-339998367-1000\r\n\tAccount Name:\t\tachung\r\n\tAccount Domain:\t\tDEV-COLLECTOR\r\n\tLogon ID:\t\t0x727518c\r\n\r\nProcess Information:\r\n\tProcess ID:\t0xb64\r\n\tProcess Name:\tC:\\Windows\\System32\\calc.exe\r\n\tExit Status:\t0x0",
"Category":"Process Termination",
"Opcode":"Info",
"SubjectUserSid":"S-1-5-21-3503561835-834928460-339998367-1000",
"SubjectUserName":"achung",
"SubjectDomainName":"DEV-COLLECTOR",
"SubjectLogonId":"0x727518c",
"Status":"0x0",
"ProcessName":"C:\\Windows\\System32\\calc.exe",
"EventReceivedTime":"2016-01-18 10:32:14",
"SourceModuleName":"security_log",
"SourceModuleType":"im_msvistalog"
}

The value of the "ProcessID" field is 4, when it should be 2916 (0xb64), as shown in the "Message" field. Is this a configuration issue or possibly a bug with one of the modules?

Thanks,

Allen

Permalink

#2 admDeactivated Nxlog ✓ 9 years ago

#1 achung21

Hi, I recently started using Nxlog with Windows event log. I'm able to get events off of the Security log and onto my server, however, I've noticed something peculiar. The value of the 'ProcessID' field is always 4, no matter what process is generating the event. My nxlog.conf has the following sections: <Extension json> Module xm_json </Extension> <Input security_log> Module im_msvistalog SavePos TRUE ReadFromLast TRUE Channel Security Query * </Input> <Output out> Module om_tcp Host 10.1.11.50 Port 9000 Exec to_json(); </Output> <Route 1> Path security_log => out </Route> And the resulting output looks like: { "EventTime":"2016-01-18 10:32:13", "Hostname":"dev-collector.dev.local", "Keywords":-9214364837600034816, "EventType":"AUDIT_SUCCESS", "SeverityValue":2, "Severity":"INFO", "EventID":4689, "SourceName":"Microsoft-Windows-Security-Auditing", "ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}", "Version":0, "Task":13313, "OpcodeValue":0, "RecordNumber":355, "ProcessID":4, "ThreadID":48, "Channel":"Security", "Message":"A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3503561835-834928460-339998367-1000\r\n\tAccount Name:\t\tachung\r\n\tAccount Domain:\t\tDEV-COLLECTOR\r\n\tLogon ID:\t\t0x727518c\r\n\r\nProcess Information:\r\n\tProcess ID:\t0xb64\r\n\tProcess Name:\tC:\\Windows\\System32\\calc.exe\r\n\tExit Status:\t0x0", "Category":"Process Termination", "Opcode":"Info", "SubjectUserSid":"S-1-5-21-3503561835-834928460-339998367-1000", "SubjectUserName":"achung", "SubjectDomainName":"DEV-COLLECTOR", "SubjectLogonId":"0x727518c", "Status":"0x0", "ProcessName":"C:\\Windows\\System32\\calc.exe", "EventReceivedTime":"2016-01-18 10:32:14", "SourceModuleName":"security_log", "SourceModuleType":"im_msvistalog" } The value of the "ProcessID" field is 4, when it should be 2916 (0xb64), as shown in the "Message" field. Is this a configuration issue or possibly a bug with one of the modules? Thanks, Allen

This is caused by the security log adding a ProcessID field under EventData also. There is a ProcessID for all eventlog records but not all have it under EventData. Check the XML view of such an event in event viewer, you will see that it shows Execution Process ID under System, and a ProcessID data element under EventData. Unfortunately this is causing a name collision in NXLog and you only get to see the second in $Message.