11 responses

Hello,

I'm using NXlog CE 2.10.2102 on a Win 2012 R2 x64 server to collect both the four default Windows logs and the Forwarded Events and send them to a Syslog server as Snare formatted. However, some events only contain their System segment, missing their entire EventData. For example, all events 1000 and 1001 and all 4624 events with Kerberos login. 4624 with Advapi are passed just fine. I've no idea why that is; any idea would be welcomed.

Here's my configuration:

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
LogLevel INFO

<Extension _syslog>
Module xm_syslog
</Extension>

<Input in>
Module im_msvistalog
<QueryXML>
<QueryList>
<Query Id="0">
<Select Path="ForwardedEvents">*</Select>
<Select Path="Application">*</Select>
<Select Path="System">*</Select>
<Select Path="Security">*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
$Message =~ s/(\t|\R)/ /g; to_syslog_snare();
</Exec>
</Input>

<Output out>
Module om_udp
Host 1.2.3.4
</Output>

<Route 66>
Path in => out
</Route>

Asked September 4, 2018 - 1:21pm

Comments (2)

  • AmirG

    OK, I think I've made progress - I now believe the issue lies with Windows and not NXLog. All affected events have at least one percent (%) symbol in values in the EventData section. It could be a simple

    <Data Name="ImpersonationLevel">%%1833</Data>

    or an entire section of values (which can only be seen in the General tab, for some reason):

    Impersonation Level: %21

    New Logon:
    Security ID: %5
    Account Name: %6
    Account Domain: %7
    Logon ID: %8
    Logon GUID: %13

    Process Information:
    Process ID: %17
    Process Name: %18

    Network Information:
    Workstation Name: %12
    Source Network Address: %19
    Source Port: %20

    Detailed Authentication Information:
    Logon Process: %10
    Authentication Package: %11
    Transited Services: %14
    Package Name (NTLM only): %15
    Key Length: %16

    This seems to break the to_syslog_snare formatter; JSON and XML are unaffected by this.

    I've no idea why those events contain placeholders instead of actual values - there seem to be a few such complaints on Microsoft's forums, but I've yet to find a solution.

  • b0ti (NXLog)

    Event records in the Windows event log are basically a reference to a message template (i.e. the above) stored along with the actual values that are substituted in place of the %<NUMBER>. The actual values are not getting properly substituted if you are seeing the percent symbols.
    Do you see the above rendered in Event Viewer the same way with the percent symbols or does it only appear without the proper values when collected by NXLog?

Answers (2)

Forwarded Events have EventData under a <RenderingInfo> element, unlike normal Windows event log records. This is not parsed by NXLog yet. I believe this is what you are missing.

Comments (1)

  • AmirG

    I don't think that's it. In the Event Viewer I can see the <EventData> section of those events and, even if that's false, some of the events are being parsed properly. Here's a pair of 4624 events from the same computer (sanitized a bit):

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-09-04T13:27:44.191706600Z" />
    <EventRecordID>571838</EventRecordID>
    <Correlation />
    <Execution ProcessID="552" ThreadID="596" />
    <Channel>Security</Channel>
    <Computer>drXXXXfa.bezeqint.co.il</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DRXXXXFA$</Data>
    <Data Name="SubjectDomainName">BEZEQINT</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-5-21-37826006-529742403-XXXX-61242</Data>
    <Data Name="TargetUserName">ItzikM</Data>
    <Data Name="TargetDomainName">BEZEQINT</Data>
    <Data Name="TargetLogonId">0x31fe8387</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">DRXXXXFA</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0xcdc</Data>
    <Data Name="ProcessName">D:\Multi-Factor Authentication Server\MultiFactorAuthRadiusSvc.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    </EventData>
    </Event>

    This one has been parsed properly.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4624</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2018-09-04T13:24:39.169743200Z" />
    <EventRecordID>571832</EventRecordID>
    <Correlation />
    <Execution ProcessID="552" ThreadID="9932" />
    <Channel>Security</Channel>
    <Computer>drXXXXfa.bezeqint.co.il</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="TargetUserSid">S-1-5-21-37826006-529742403-XXXX-65760</Data>
    <Data Name="TargetUserName">PTXXXXFA$</Data>
    <Data Name="TargetDomainName">BEZEQINT</Data>
    <Data Name="TargetLogonId">0x31fdd1e8</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="WorkstationName" />
    <Data Name="LogonGuid">{B30829DB-EEDC-28C5-577E-183DDFC2CBF9}</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x0</Data>
    <Data Name="ProcessName">-</Data>
    <Data Name="IpAddress">172.XXXX.8</Data>
    <Data Name="IpPort">61065</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
    </EventData>
    </Event>

    While this one came with only its <System> segment parsed.

Looking at the data, it appears the issue is actually below.
<Data Name="WorkstationName" />

The CE version does not parse empty tags properly yet. This issue is resolved in the EE version.
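The two failure modes discussed in this thread, a self-closing <Data Name="WorkstationName" /> element and an unresolved %%1833 placeholder, are easy to reproduce outside NXLog. The following is an added example (not NXLog's own code) that parses a constructed 4624 event modelled on the Kerberos record above, keeps empty Data fields as empty strings instead of dropping the record, flags placeholder values so they can be alerted on, and flattens the result into a tab-separated Snare-style line; the element names are the standard Windows event schema, the sample values are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Unresolved message-template placeholders look like %%1833 or %21.
PLACEHOLDER = re.compile(r"%%?\d+")

# Constructed sample modelled on the Kerberos 4624 event in the thread:
# note the self-closing WorkstationName and the %%1833 ImpersonationLevel.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <Channel>Security</Channel>
    <Computer>host.example.invalid</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">PTXXXXFA$</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="WorkstationName" />
    <Data Name="IpAddress">172.16.0.8</Data>
    <Data Name="ImpersonationLevel">%%1833</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return (system, eventdata, unresolved) for one Windows event.
    A self-closing <Data .../> has text None; it is kept as "" so the
    field survives instead of the whole EventData block being lost."""
    root = ET.fromstring(xml_text)
    system = {child.tag.split("}")[1]: (child.text or "").strip()
              for child in root.find("e:System", NS)}
    eventdata = {}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        eventdata[d.get("Name")] = d.text or ""
    # Fields still holding a template placeholder rather than a real value.
    unresolved = [k for k, v in eventdata.items() if PLACEHOLDER.fullmatch(v)]
    return system, eventdata, unresolved


def to_snare_line(system, eventdata):
    """Flatten to a tab-separated Snare-style line; empty fields remain as
    empty columns so the downstream field count stays stable."""
    fields = [system.get("Computer", ""), system.get("Channel", ""),
              system.get("EventID", "")]
    fields += [f"{k}={v}" for k, v in eventdata.items()]
    return "\t".join(fields)


if __name__ == "__main__":
    sysinfo, data, bad = parse_event(SAMPLE_EVENT)
    print(to_snare_line(sysinfo, data))
    print("unresolved placeholders:", bad)
```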

Comments (6)

  • AmirG

    I have just installed the EE trial with the same conf file I used for the CE and it behaves exactly like it - the same events have no <EventData>. Either the EE also can't handle empty tags, and that means that no-one can use it for Windows events, or I'm doing something wrong. I suspect the latter :-).

  • Novitski

    Hello,

    I have the same problem with nxlog CE v2.9.1716; the EventData is missing.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Base-Filtering-Engine-Connections" Guid="{GUID}" />
    <EventID>2000</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-09-21T14:33:55.162300100Z" />
    <EventRecordID>25825585</EventRecordID>
    <Correlation />
    <Execution ProcessID="332" ThreadID="2348" />
    <Channel>Microsoft-Windows-Base-Filtering-Engine-Connections/Operational</Channel>
    <Computer>xxxxxxxxxxxxxxxxx</Computer>
    <Security UserID="S-1-5-19" />
    </System>
    <EventData>
    <Data Name="ConnectionId">123323464646</Data>
    <Data Name="MachineAuthenticationMethod">4</Data>
    <Data Name="RemoteMachineAccount">xxxxxx.domain</Data>
    <Data Name="UserAuthenticationMethod">5</Data>
    <Data Name="RemoteUserAcount">domain\machine$</Data>
    <Data Name="RemoteIPAddress">IPV6</Data>
    <Data Name="LocalIPAddress">IPV6</Data>
    <Data Name="TechnologyProviderKey">{KEY}</Data>
    <Data Name="IPsecTrafficMode">1</Data>
    <Data Name="DHGroup">0</Data>
    <Data Name="StartTime">2018-09-21T14:33:55.162Z</Data>
    </EventData>
    </Event>

  • Zhengshi (NXLog)

    To proceed any further, we would need the exported evtx file as b0ti suggested. The source files can have different control characters, etc. than pasted data, so it is always better for us to deal with the original file.