Windows Events appear with escaping xml characters

Post a different question
2
responses

Hello for, windows events proceed in JSON but some fields like "CommandLine", "TaskContent", "EventData" e.t.c arrives with XML escaping character, like
&lt; is <
&gt; is >
&amp; is &
&quot; is "

Is it possible to disable escaping globally?
Or the only option to solve the problem is using unescape_xml function for every field like:

$CommandLine = unescape_xml($CommandLine);
$TaskContent = unescape_xml($TaskContent);

AskedApril 18, 2020 - 6:48pm

Answer (1)

Hi,

Could you please paste your config here, it will help with answering your question.

~MisaZ

AnsweredMay 5, 2020 - 7:48pm

Comments (1)

  • RAZR's picture

    So this is my config, as you can see I need to unescape every variable

    if defined $TaskContent           { $TaskContent = unescape_xml($TaskContent); }
if defined $TaskContentNew        { $TaskContentNew = unescape_xml($TaskContentNew); }
if defined $CommandLine           { $CommandLine = unescape_xml($CommandLine); }
if defined $EventData             { $EventData = unescape_xml($EventData); }

    or xml escaping symols in windows event

    Example Arguments in TaskContent EventID=4698

    <Arguments>/C cmd &gt; %windir%\\Temp\\qwert.tmp 2&gt;&amp;1</Arguments>

    Config:

    Panic Soft

define ROOT C:\Program Files(x86)\nxlog

ModuleDir %ROOT%\modules
CacheDir  %ROOT%\data
SpoolDir  %ROOT%\data
#LogLevel DEBUG

define LOGDIR %ROOT%\data
define MYLOGFILE %LOGDIR%\nxlog.log
LogFile %MYLOGFILE%

<Extension json>
    Module  xm_json
</Extension>

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _fileop>
    Module  xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every   1 hour
        <Exec>
            if ( file_exists('%MYLOGFILE%') and
                 (file_size('%MYLOGFILE%') >= 5M) )
            {
                 file_cycle('%MYLOGFILE%', 8);
            }
        </Exec>
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When    @weekly
        Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
    </Schedule>
</Extension>


<Input winlog>
    Module im_msvistalog
    TolerateQueryErrors TRUE
<QueryXML>
  <QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*</Select>
    <Suppress Path="Security">*[System[(EventID=4656 or EventID=4658)]]</Suppress>
  </Query>
  </QueryList>
</QueryXML>

<Exec>
if defined $TaskContent           { $TaskContent = unescape_xml($TaskContent); }
if defined $TaskContentNew        { $TaskContentNew = unescape_xml($TaskContentNew); }
if defined $CommandLine           { $CommandLine = unescape_xml($CommandLine); }
if defined $EventData             { $EventData = unescape_xml($EventData); }
if defined $UserData              { parse_xml($UserData); }

$event_log_source = "windows";
if $EventType == "AUDIT_SUCCESS" {$EventCategory="Success Audit";}
if $EventType == "AUDIT_FAILURE" {$EventCategory="Failure Audit";}
</Exec>
</Input>

<Output syslog>
    Module      om_tcp
    Host        192.168.1.9
    Port        1520
    Exec $Message = to_json(); to_syslog_bsd();
</Output>

<Route win>
    Path winlog => syslog
</Route>

    May 7, 2020 - 3:51pm