1
answer

Hi,

We have the following configuration for event id 1102 (eventlog cleared):

<Input clearev>
    Module      im_msvistalog
 Query   <QueryList>\
    <Query Id="3">\
     <Select Path="Security">*[System[(EventID=1102)]]</Select>\
           </Query>\
           </QueryList>
 Exec delete($Message);
 Exec $Message = to_json();
 Exec $SyslogFacilityValue = 17; $SyslogSeverityValue=6;
</Input>

The received message is like that:

Feb 29 10:37:17 XXXXXXXX.sdsd.local Microsoft-Windows-Eventlog[1004]: {"EventTime":"2016-02-29 10:37:17","Hostname":"XXXXXXXX.sdsd.local","Keywords":4620693217682128896,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1102,"SourceName":"Microsoft-Windows-Eventlog","ProviderGuid":"{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}","Version":0,"Task":104,"OpcodeValue":0,"RecordNumber":124745,"ProcessID":1004,"ThreadID":7792,"Channel":"Security","Category":"Effacement de journal","Opcode":"Informations","EventReceivedTime":"2016-02-29 10:37:18","SourceModuleName":"clearev","SourceModuleType":"im_msvistalog"}

As you can see the SubjectUserName information is missing.

But if we look at the detailed view in the eventviewer we can find the information in the XML data:

~~  <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
  <EventID>1102</EventID>
  <Version>0</Version>
  <Level>4</Level>
  <Task>104</Task>
  <Opcode>0</Opcode>
  <Keywords>0x4020000000000000</Keywords>
  <TimeCreated SystemTime="2016-02-29T09:37:17.602206200Z" />
  <EventRecordID>124745</EventRecordID>
  <Correlation />
  <Execution ProcessID="1004" ThreadID="7792" />
  <Channel>Security</Channel>
  <Computer>XXXXXXXX.sdsd.local</Computer>
  <Security />
  </System>
- <UserData>
- <LogFileCleared xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
  <SubjectUserSid>S-1-5-21-1659004503-179605362-725345543-5237</SubjectUserSid>
  <SubjectUserName>myuser</SubjectUserName>
  <SubjectDomainName>SDSD</SubjectDomainName>
  <SubjectLogonId>0xa5c77</SubjectLogonId>
  </LogFileCleared>
  </UserData>
  </Event>

 

How could we get this information through the json format ? do we have to develop something for specificxml view and if yes how can we do that ?

 

Please let me know.

 

Kind regards,
 

 

 

AskedFebruary 29, 2016 - 10:45am

Answer (1)

The Security log normally has the following XML which can be properly parsed:

<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectDomainName">WORKGROUP</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
</EventData>

Looks like EventID 1102 has this under UserData a bit differently and the field name is the XML tag instead of inside the Name attribute, that's why it's not getting parsed.

The following could be a solution.

The NXLog EE puts UserData XML into the $UserData field. You can then do parse_xml($UserData);