3 responses

I've noticed that the "GroupMembership" and "full_message" fields in Windows security logs for EventID 4627 contain unresolved group SIDs (at least they look like SIDs to me).
Event 4627 is generated along with event 4624 (successful account logon) and shows the entire list of groups that the particular logged-on account belongs to.

This shows a list of groups that the user is a member of in Windows Event Viewer, but it looks like the following in our output stream:

Group Membership:           
        %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-123}
        %{S-1-1-0}
               ...
        %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234}
        %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2345}
        %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-3456}

I am running version 4.7.4715 64-bit Enterprise Edition (non-trial) and my config file has the input defined as:

<Input in>
    # For windows vista/2008 and above use:
    Module      im_msvistalog
    ResolveSID  TRUE
</Input>

The username seems to be resolving correctly (or at least the "TargetUserSid"/"TargetUserName" fields both show a valid username and not a SID), so I believe the "ResolveSID" option is working correctly for usernames.

I would like to be able to read the group membership information in a human-readable format rather than SIDs.
I thought that "ResolveSID TRUE" would convert all instances of SIDs into human-readable format.
I'm a little confused about the implementation specifics because I see the documentation (https://nxlog.co/documentation/nxlog-user-guide/im_msvistalog.html) only specifically mentions user names ("ResolveSID This optional boolean directive specifies that SID values should be resolved to user names in the ..."), so am I wrong in assuming that group membership SIDs would also be resolved, since they are not user names?

My questions are:
Should the group SIDs be resolving into human-readable format when ResolveSID=true? Or is the expected behaviour that they remain as SIDs?
If this is expected behaviour, are there any plans for incorporating this feature in a later release of NXLog? Is there any way I can convert the group SIDs into human-readable format?
If this is not expected behaviour, how can I troubleshoot this further?

Asked March 15, 2020 - 11:25pm

Answer (1)

Hello,

Well, ResolveSID should work with Security IDs just fine.
Could you please share your NXLog config and logs with us? You can't do it here, so would you mind duplicating this issue in our main support forum here?

Sincerely, Arch

Comments (2)

  • hip_nxlog:

    Hi Arch,
    Thank you for your response.
    Apologies for responding so late; I had thought I was checking for responses every day, but I somehow missed your reply. Maybe I was only seeing a cached version of the page or something?

    It appears we do not have Enterprise Support, so I am unable to open a support ticket.

    My confusion is that I'm not sure exactly what "ResolveSID=true" does. Does it resolve any SID anywhere so the output log stream looks exactly the same as the Windows log stream does in Event Viewer (i.e. all SIDs, whether they are usernames or groups, are resolved) or does it only resolve SIDs in certain known situations (e.g. just usernames)?

    Cheers

  • Arkadiy (NXLog):

    Hello,

    Yeah, I thought you had access to the portal because you have EE, my bad.

    Regarding the ResolveSID directive: we will make it resolve group name SIDs as well as user name SIDs. Thanks for your feedback.

    Regards, Arch.