
Hello, Windows events are processed in JSON, but some fields like "CommandLine", "TaskContent", "EventData", etc. arrive with XML escape characters, like
&lt; is <
&gt; is >
&amp; is &
&quot; is "

Is it possible to disable escaping globally?
Or is the only option to solve the problem to use the unescape_xml function for every field, like:

$CommandLine = unescape_xml($CommandLine);
$TaskContent = unescape_xml($TaskContent);

Asked April 18, 2020 - 6:48pm

Answer (1)

Hi,

Could you please paste your config here, it will help with answering your question.

~MisaZ

Comments (1)

  • RAZR

    So this is my config; as you can see, I need to unescape every variable:

    if defined $TaskContent           { $TaskContent = unescape_xml($TaskContent); }
    if defined $TaskContentNew        { $TaskContentNew = unescape_xml($TaskContentNew); }
    if defined $CommandLine           { $CommandLine = unescape_xml($CommandLine); }
    if defined $EventData             { $EventData = unescape_xml($EventData); }
    

    or XML escaping symbols in Windows events.

    Example: Arguments in TaskContent, EventID=4698

    <Arguments>/C cmd &gt; %windir%\\Temp\\qwert.tmp 2&gt;&amp;1</Arguments>
    

    Config:

    Panic Soft
    
    define ROOT C:\Program Files(x86)\nxlog
    
    ModuleDir %ROOT%\modules
    CacheDir  %ROOT%\data
    SpoolDir  %ROOT%\data
    #LogLevel DEBUG
    
    define LOGDIR %ROOT%\data
    define MYLOGFILE %LOGDIR%\nxlog.log
    LogFile %MYLOGFILE%
    
    <Extension json>
        Module  xm_json
    </Extension>
    
    <Extension _syslog>
        Module  xm_syslog
    </Extension>
    
    <Extension _fileop>
        Module  xm_fileop
    
        # Check the size of our log file hourly, rotate if larger than 5MB
        <Schedule>
            Every   1 hour
            <Exec>
                if ( file_exists('%MYLOGFILE%') and
                     (file_size('%MYLOGFILE%') >= 5M) )
                {
                     file_cycle('%MYLOGFILE%', 8);
                }
            </Exec>
        </Schedule>
    
        # Rotate our log file every week on Sunday at midnight
        <Schedule>
            When    @weekly
            Exec    if file_exists('%MYLOGFILE%') file_cycle('%MYLOGFILE%', 8);
        </Schedule>
    </Extension>
    
    
    <Input winlog>
        Module im_msvistalog
        TolerateQueryErrors TRUE
    <QueryXML>
      <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*</Select>
        <Suppress Path="Security">*[System[(EventID=4656 or EventID=4658)]]</Suppress>
      </Query>
      </QueryList>
    </QueryXML>
    
    <Exec>
    if defined $TaskContent           { $TaskContent = unescape_xml($TaskContent); }
    if defined $TaskContentNew        { $TaskContentNew = unescape_xml($TaskContentNew); }
    if defined $CommandLine           { $CommandLine = unescape_xml($CommandLine); }
    if defined $EventData             { $EventData = unescape_xml($EventData); }
    if defined $UserData              { parse_xml($UserData); }
    
    $event_log_source = "windows";
    if $EventType == "AUDIT_SUCCESS" {$EventCategory="Success Audit";}
    if $EventType == "AUDIT_FAILURE" {$EventCategory="Failure Audit";}
    </Exec>
    </Input>
    
    <Output syslog>
        Module      om_tcp
        Host        192.168.1.9
        Port        1520
        Exec $Message = to_json(); to_syslog_bsd();
    </Output>
    
    <Route win>
        Path winlog => syslog
    </Route>
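As an added example (not part of this thread and not NXLog's own code), the same per-field unescaping done in Python over a constructed 4698 event carrying the Arguments value quoted above. It shows the detection-side consequence of the escaping: a search for the `2>&1` redirection finds nothing in the raw field and only matches after the entities are decoded. The field list, the sample event and the helper names are assumptions made for the example.

```python
import json
import re
from xml.sax.saxutils import unescape

# Fields that arrive with XML entity escaping, as listed in the question above.
ESCAPED_FIELDS = ("TaskContent", "TaskContentNew", "CommandLine", "EventData")

# saxutils.unescape only decodes &amp; &lt; &gt; by default; add the quote entities.
EXTRA_ENTITIES = {"&quot;": '"', "&apos;": "'"}


def unescape_event_fields(event: dict, fields=ESCAPED_FIELDS) -> dict:
    """Return a copy of the event with XML entities decoded in the listed fields.
    Mirrors the per-field `if defined $X { $X = unescape_xml($X); }` pattern."""
    out = dict(event)
    for name in fields:
        value = out.get(name)            # equivalent of `if defined $name`
        if isinstance(value, str):
            out[name] = unescape(value, EXTRA_ENTITIES)
    return out


# The stderr-to-stdout redirection from the sample Arguments element.
REDIRECT_RE = re.compile(r"2>&1")


def redirect_in_task_content(event: dict) -> bool:
    """True if TaskContent contains the literal '2>&1'. On the undecoded field the
    text is '2&gt;&amp;1', so the pattern never matches until after unescaping."""
    return bool(REDIRECT_RE.search(event.get("TaskContent", "")))


# Constructed sample (hypothetical values): one scheduled-task-created record as it
# arrives in JSON, with the escaped Arguments text from the comment above.
SAMPLE_JSON = r'''{"EventID": 4698, "EventType": "AUDIT_SUCCESS",
 "TaskContent": "<Task><Actions><Exec><Command>cmd.exe</Command><Arguments>/C cmd &gt; %windir%\\Temp\\qwert.tmp 2&gt;&amp;1</Arguments></Exec></Actions></Task>",
 "EventData": "&quot;quoted&quot; &amp; more"}'''
SAMPLE_EVENT = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    decoded = unescape_event_fields(SAMPLE_EVENT)
    print(json.dumps(decoded, indent=2))
    print("match on raw field:", redirect_in_task_content(SAMPLE_EVENT))  # False
    print("match after unescape:", redirect_in_task_content(decoded))     # True
```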