Hi, I recently started using Nxlog with Windows event log.

I'm able to get events off of the Security log and onto my server; however, I've noticed something peculiar.

The value of the 'ProcessID' field is always 4, no matter what process is generating the event.

My nxlog.conf has the following sections:

<Extension json>
    Module      xm_json
</Extension>

<Input security_log>
    Module      im_msvistalog
    SavePos     TRUE
    ReadFromLast    TRUE
    Channel     Security
    Query       *
</Input>

<Output out>
    Module      om_tcp
    Host        10.1.11.50
    Port        9000
    Exec        to_json();
</Output>

<Route 1>
    Path        security_log => out
</Route>

And the resulting output looks like:

{
"EventTime":"2016-01-18 10:32:13",
"Hostname":"dev-collector.dev.local",
"Keywords":-9214364837600034816,
"EventType":"AUDIT_SUCCESS",
"SeverityValue":2,
"Severity":"INFO",
"EventID":4689,
"SourceName":"Microsoft-Windows-Security-Auditing",
"ProviderGuid":"{54849625-5478-4994-A5BA-3E3B0328C30D}",
"Version":0,
"Task":13313,
"OpcodeValue":0,
"RecordNumber":355,
"ProcessID":4,
"ThreadID":48,
"Channel":"Security",
"Message":"A process has exited.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3503561835-834928460-339998367-1000\r\n\tAccount Name:\t\tachung\r\n\tAccount Domain:\t\tDEV-COLLECTOR\r\n\tLogon ID:\t\t0x727518c\r\n\r\nProcess Information:\r\n\tProcess ID:\t0xb64\r\n\tProcess Name:\tC:\\Windows\\System32\\calc.exe\r\n\tExit Status:\t0x0",
"Category":"Process Termination",
"Opcode":"Info",
"SubjectUserSid":"S-1-5-21-3503561835-834928460-339998367-1000",
"SubjectUserName":"achung",
"SubjectDomainName":"DEV-COLLECTOR",
"SubjectLogonId":"0x727518c",
"Status":"0x0",
"ProcessName":"C:\\Windows\\System32\\calc.exe",
"EventReceivedTime":"2016-01-18 10:32:14",
"SourceModuleName":"security_log",
"SourceModuleType":"im_msvistalog"
}

The value of the "ProcessID" field is 4, when it should be 2916 (0xb64), as shown in the "Message" field. Is this a configuration issue or possibly a bug with one of the modules?

Thanks,

Allen

Asked January 18, 2016 - 6:03pm

Answer (1)

This is caused by the security log adding a ProcessID field under EventData also. There is a ProcessID for all eventlog records, but not all have it under EventData. Check the XML view of such an event in Event Viewer; you will see that it shows Execution Process ID under System, and a ProcessID data element under EventData. Unfortunately this is causing a name collision in NXLog and you only get to see the second in $Message.

Comments (5)

  • achung21

    Thank you for your reply. Would it be possible to distinguish the two and have both as a field?

    Perhaps edit nxlog.conf to something like:

    <Input security_log>
        Module      im_msvistalog
        ...
        Exec        $ExecutionProcessID = $ProcessID
        Exec        $ProcessID = ____

  • pscookiemonster

    Good to hear this is being worked on!

    In terms of implementation, guessing you already have this in mind, but it might be worth considering:

    • Other properties can suffer the same fate
    • Other nested fields may result in similar behavior. For example, AppLocker events include fields under Event.UserData.RuleAndFileData

    Cheers!

  • b0ti (NXLog)

    The NXLog EE beta now sets the field `ExecutionProcessID` in order to avoid the conflict. There is also an additional configuration option `AddPrefix` so that fields under `EventData` are collected as `EventData.ProcessID`.
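Added example, not NXLog code: a small Python parser over a constructed 4689 event XML that shows the name collision the answer describes (ProcessID appears under both System/Execution and EventData) and how keeping the System value as ExecutionProcessID while prefixing EventData preserves both values, the same idea as the ExecutionProcessID field and AddPrefix option mentioned in the comment above. SAMPLE_EVENT_XML, find_collisions and flatten_prefixed are assumed names.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample modelled on the 4689 event in the question: System/Execution
# carries the logging service's PID (4); EventData carries the PID of the process
# that actually exited (0xb64 = 2916). Both use the name "ProcessID".
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4689</EventID>
    <Execution ProcessID="4" ThreadID="48"/>
  </System>
  <EventData>
    <Data Name="SubjectUserName">achung</Data>
    <Data Name="ProcessID">0xb64</Data>
    <Data Name="ProcessName">C:\\Windows\\System32\\calc.exe</Data>
  </EventData>
</Event>"""

def to_int(text):
    # Event data PIDs appear as decimal or 0x-prefixed hex ("0xb64" -> 2916).
    return int(text, 16) if text.lower().startswith("0x") else int(text)

def system_fields(root):
    # System-section values under the flat names a collector would emit.
    ex = root.find("e:System/e:Execution", NS)
    return {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
            "ProcessID": to_int(ex.get("ProcessID")),
            "ThreadID": to_int(ex.get("ThreadID"))}

def event_data_fields(root):
    # EventData <Data Name="..."> elements as a plain dict of raw strings.
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}

def find_collisions(xml_text):
    # Names present in both sections are exactly the ones a flat mapping loses;
    # running this over a sample of each EventID is the check worth doing.
    root = ET.fromstring(xml_text)
    return set(system_fields(root)) & set(event_data_fields(root))

def flatten_prefixed(xml_text, prefix="EventData."):
    # Keep both values: System PID renamed to ExecutionProcessID, EventData
    # fields stored under a prefix so nothing in the flat record can collide.
    root = ET.fromstring(xml_text)
    fields = system_fields(root)
    fields["ExecutionProcessID"] = fields.pop("ProcessID")
    for name, value in event_data_fields(root).items():
        fields[prefix + name] = to_int(value) if name == "ProcessID" else value
    return fields
```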