Hi,

We have the following configuration for event ID 1102 (event log cleared):

<Input clearev>
    Module      im_msvistalog
    Query       <QueryList>\
                    <Query Id="3">\
                        <Select Path="Security">*[System[(EventID=1102)]]</Select>\
                    </Query>\
                </QueryList>
    Exec        delete($Message);
    Exec        $Message = to_json();
    Exec        $SyslogFacilityValue = 17; $SyslogSeverityValue = 6;
</Input>

The received message looks like this:

Feb 29 10:37:17 XXXXXXXX.sdsd.local Microsoft-Windows-Eventlog[1004]: {"EventTime":"2016-02-29 10:37:17","Hostname":"XXXXXXXX.sdsd.local","Keywords":4620693217682128896,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1102,"SourceName":"Microsoft-Windows-Eventlog","ProviderGuid":"{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}","Version":0,"Task":104,"OpcodeValue":0,"RecordNumber":124745,"ProcessID":1004,"ThreadID":7792,"Channel":"Security","Category":"Effacement de journal","Opcode":"Informations","EventReceivedTime":"2016-02-29 10:37:18","SourceModuleName":"clearev","SourceModuleType":"im_msvistalog"}

As you can see the SubjectUserName information is missing.

But if we look at the detailed view in Event Viewer, we can find the information in the XML data:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
    <EventID>1102</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>104</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4020000000000000</Keywords>
    <TimeCreated SystemTime="2016-02-29T09:37:17.602206200Z" />
    <EventRecordID>124745</EventRecordID>
    <Correlation />
    <Execution ProcessID="1004" ThreadID="7792" />
    <Channel>Security</Channel>
    <Computer>XXXXXXXX.sdsd.local</Computer>
    <Security />
  </System>
  <UserData>
    <LogFileCleared xmlns:auto-ns3="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1659004503-179605362-725345543-5237</SubjectUserSid>
      <SubjectUserName>myuser</SubjectUserName>
      <SubjectDomainName>SDSD</SubjectDomainName>
      <SubjectLogonId>0xa5c77</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>

How could we get this information through the JSON format? Do we have to develop something specific for the XML view, and if yes, how can we do that?

Please let me know.

Kind regards,

Asked February 29, 2016 - 10:45am

Answer (1)

The Security log normally has the following XML which can be properly parsed:

<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectDomainName">WORKGROUP</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
</EventData>

Looks like EventID 1102 has this under UserData a bit differently: the field name is the XML tag instead of being inside the Name attribute. That's why it's not getting parsed.

The following could be a solution.

The NXLog EE puts the UserData XML into the $UserData field. You can then call parse_xml($UserData);
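To make the difference between the two XML shapes concrete, here is an added example (not from the original thread, and not NXLog's own code) written in Python rather than NXLog's configuration language, so it can be run stand-alone. It parses both the usual Security-log `<EventData><Data Name="...">` layout and the event 1102 `<UserData><LogFileCleared>` layout from the question into one flat field set, the way `parse_xml($UserData)` followed by `to_json()` would in NXLog, and then flags a Security log clear together with the account that did it. The two XML samples are constructed for the example (the event 1102 one reuses the values from the question; the event ID in the EventData sample is arbitrary). The point it illustrates beyond the answer: the `<LogFileCleared>` wrapper declares its own default namespace, so a parser that compares tag names literally never sees `SubjectUserName`; the local name has to be stripped first.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the <EventData> shape that a generic Security-log
# parser handles, because the field name sits in the Name attribute.
EVENTDATA_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>"""

# Constructed sample: the event 1102 shape from the question. The field
# names are element tags under <UserData>, and the <LogFileCleared> wrapper
# carries its own default namespace.
USERDATA_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>1102</EventID>
    <Channel>Security</Channel>
  </System>
  <UserData>
    <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <SubjectUserSid>S-1-5-21-1659004503-179605362-725345543-5237</SubjectUserSid>
      <SubjectUserName>myuser</SubjectUserName>
      <SubjectDomainName>SDSD</SubjectDomainName>
      <SubjectLogonId>0xa5c77</SubjectLogonId>
    </LogFileCleared>
  </UserData>
</Event>"""


def local_name(tag):
    """ElementTree reports namespaced tags as '{uri}Name'; keep only 'Name'."""
    return tag.rsplit("}", 1)[-1]


def child(elem, name):
    """Return the first direct child whose local tag name matches, or None."""
    for c in elem:
        if local_name(c.tag) == name:
            return c
    return None


def parse_event(xml_text):
    """Flatten an Event Viewer XML record into a dict of fields."""
    root = ET.fromstring(xml_text)
    fields = {}

    # <System>: keep the simple text children (EventID, Channel, ...).
    system = child(root, "System")
    if system is not None:
        for c in system:
            text = (c.text or "").strip()
            if text:
                fields[local_name(c.tag)] = text
    if "EventID" in fields:
        fields["EventID"] = int(fields["EventID"])

    # Shape 1: <EventData><Data Name="X">value</Data>. Field name = Name attribute.
    event_data = child(root, "EventData")
    if event_data is not None:
        for c in event_data:
            if local_name(c.tag) == "Data" and "Name" in c.attrib:
                fields[c.attrib["Name"]] = (c.text or "").strip()

    # Shape 2: <UserData><Wrapper><X>value</X>. Field name = the element tag.
    # Without local_name() the tag would be
    # '{http://manifests.microsoft.com/win/2004/08/windows/eventlog}SubjectUserName'.
    user_data = child(root, "UserData")
    if user_data is not None:
        for wrapper in user_data:
            for c in wrapper:
                fields[local_name(c.tag)] = (c.text or "").strip()

    return fields


def is_log_cleared(fields):
    """Event 1102 on the Security channel: the audit log was cleared."""
    return fields.get("Channel") == "Security" and fields.get("EventID") == 1102


def to_json(fields):
    return json.dumps(fields, sort_keys=True)


if __name__ == "__main__":
    for sample in (EVENTDATA_XML, USERDATA_XML):
        f = parse_event(sample)
        print(to_json(f))
        if is_log_cleared(f):
            who = f"{f.get('SubjectDomainName')}\\{f.get('SubjectUserName')}"
            print("ALERT: Security log cleared by", who, "logon", f.get("SubjectLogonId"))
```

Whatever pipeline you use, treat a 1102 without a subject as a signal in itself: an attacker who clears the log is exactly the case where you want the SID and logon ID forwarded before the local copy is gone.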