Request trial
Request Trial

Does the im_vistalog ResolveSID directive in NXLog EE also resolve Group SIDs?

Tags:
#1 hip_nxlog

I've noticed that the "GroupMembership" and "full_message" fields in Windows security logs for EventID 4627 contains unresolved Group SIDs (at least they look like SIDs to me).
Event 4627 is generated along with event 4624 (successful account logon) and shows the entire list of groups that the particular logged-on account belongs to.

This shows a list of groups that the user is a member of in Windows Event Viewer, but it looks like the following in our output stream:

Group Membership:			
		%{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-123}
		%{S-1-1-0}
               ...
		%{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234}
		%{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2345}
		%{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-3456}

I am running version 4.7.4715 64-bit Enterprise Edition (non-trial) and my config file has the input defined as:

<Input in>
    # For windows vista/2008 and above use:
    Module      im_msvistalog	
    ResolveSID  TRUE
</Input>

The username seems to be resolving correctly (or at least the "TargetUserSid"/"TargetUserName" fields both show a valid username and not a SID), so I believe the "ResolveSID" option is working correctly for usernames.

I would like to be able to read the group membership information in a human-readable format rather than SIDs.
I thought that "ResolveSID TRUE" would convert all instances of SIDs into human-readable format.
I'm a little confused on the implementation specifics because I see the documentation (https://nxlog.co/documentation/nxlog-user-guide/im_msvistalog.html) only specifically mentions user names "ResolveSID This optional boolean directive specifies that SID values should be resolved to user names in the ...", so am I wrong in assuming that group membership SIDs would also be resolved since they are not user names?

My questions are:
Should the group SIDs be resolving into human-readable format when ResolveSID=true? Or is the expected behaviour that they remain as SIDs?
If this is expected behaviour, are there any plans for incorporating this feature in a later release of NXLog? Is there anyway I can convert the group SIDs into human-readable format?
If this is not expected behaviour, how can I troubleshoot this further?

Permalink
#2 ArkadiyDeactivated Nxlog ✓
#1 hip_nxlog
I've noticed that the "GroupMembership" and "full_message" fields in Windows security logs for EventID 4627 contains unresolved Group SIDs (at least they look like SIDs to me). Event 4627 is generated along with event 4624 (successful account logon) and shows the entire list of groups that the particular logged-on account belongs to. This shows a list of groups that the user is a member of in Windows Event Viewer, but it looks like the following in our output stream: Group Membership: %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-123} %{S-1-1-0} ... %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-1234} %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-2345} %{S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-3456} I am running version 4.7.4715 64-bit Enterprise Edition (non-trial) and my config file has the input defined as: <Input in> # For windows vista/2008 and above use: Module im_msvistalog ResolveSID TRUE </Input> The username seems to be resolving correctly (or at least the "TargetUserSid"/"TargetUserName" fields both show a valid username and not a SID), so I believe the "ResolveSID" option is working correctly for usernames. I would like to be able to read the group membership information in a human-readable format rather than SIDs. I thought that "ResolveSID TRUE" would convert all instances of SIDs into human-readable format. I'm a little confused on the implementation specifics because I see the documentation (https://nxlog.co/documentation/nxlog-user-guide/im_msvistalog.html) only specifically mentions user names "ResolveSID This optional boolean directive specifies that SID values should be resolved to user names in the ...", so am I wrong in assuming that group membership SIDs would also be resolved since they are not user names? My questions are: Should the group SIDs be resolving into human-readable format when ResolveSID=true? Or is the expected behaviour that they remain as SIDs? If this is expected behaviour, are there any plans for incorporating this feature in a later release of NXLog? Is there anyway I can convert the group SIDs into human-readable format? If this is not expected behaviour, how can I troubleshoot this further?

Hello,

Well, ResolveSID must work with Security ID's just fine.
Could you please to share NXlog config and logs with us? You can't do it here so don't you mind to duplicate this issue in our main support forum here?

Sincerely, Arch
Login to see more

Subscribe to our newsletter to get the latest updates, news, and products releases.

© Copyright 2024 NXLog Ltd.

PRIVACY POLICY GENERAL TERMS OF BUSINESS