
I am trying to parse each of these XML fields into a separate field for Graylog to handle; any ideas would help.

I've added

<Extension xml>
    Module  xm_xml
</Extension>

and Exec parse_windows_eventlog_xml(); to_xml();

but I'm not sure what else to do. I'm trying to work with this in the 'message' field:

The Federation Service validated a new credential. See XML for details. 

Activity ID: 494a36f8-9b89-4477-8676-0080000000e1 

Additional Data 
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
  <AuditType>FreshCredentials</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>https://xxxxxx.xxxxxxx.edu/adfs/services/trust</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>UNIVERSITY\xxxxxxxxxxxxxx</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>N/A</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>N/A</OAuthClientId>
      <OAuthGrant>N/A</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>https://xxxxx.xxxxxx.edu/adfs/services/trust</Server>
      <AuthProtocol>WSFederation</AuthProtocol>
      <NetworkLocation>Intranet</NetworkLocation>
      <IpAddress>x.x.94.22</IpAddress>
      <ForwardedIpAddress>x.x.128.226</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>N/A</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0</UserAgentString>
      <Endpoint>/adfs/ls/</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>
Asked July 13, 2020 - 11:27pm

Comments (6)

  • giveen

    <Extension xml>
        Module  xm_xml
    </Extension>
    <Extension _gelf>
        Module      xm_gelf
        ShortMessageLength 64000
    </Extension>
    # Which Windows logs to send
    <Input eventlog>
        Module      im_msvistalog
        Query       <QueryList>\
                        <Query Id="0">\
                            <Select Path="ADFS">*</Select>\
                            <Select Path="Domain Controllers">*</Select>\
                        </Query>\
                    </QueryList>
        # Only send new logs
        SavePos TRUE
        ReadFromLast TRUE
        Exec    parse_windows_eventlog_xml(); to_xml();
    </Input>
    <Processor norepeat>
        Module      pm_norepeat
        CheckFields Hostname, SourceName, Message
    </Processor>

    <Output udp>
        Module om_udp
        Host x.x.x.x
        Port 12201
        OutputType  GELF
    </Output>

    <Route eventlog_to_udp>
        Path eventlog => norepeat => udp
    </Route>

  • manuel.munoz (NXLog)

    Maybe you want to use om_file in order to check locally if there is some output. Also you could write a log_info($raw_event); call in your input module to check if there are events being captured by it.

  • giveen

    So I am seeing the logs on my Graylog server, no issue; I'm having a hard time getting each separate XML field to separate into its own field.
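    As an added example (not part of this thread and not NXLog code), here is the flattening the poster is after, written in Python over a trimmed copy of the Message quoted above so the resulting field names can be checked before building the pipeline. Each leaf element becomes one field, prefixed with its component's xsi:type because leaf names repeat across components, and the embedded XML declaration (which claims utf-16 although the text is already decoded) is skipped before parsing; the function name `adfs_message_to_fields` is the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the Message field quoted in the post,
# with the poster's x.x placeholders kept as-is.
SAMPLE_MESSAGE = """The Federation Service validated a new credential. See XML for details.
Activity ID: 494a36f8-9b89-4477-8676-0080000000e1

Additional Data
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
  <AuditType>FreshCredentials</AuditType>
  <ContextComponents>
    <Component xsi:type="AuthNAuditComponent">
      <MfaPerformed>false</MfaPerformed>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <IpAddress>x.x.94.22</IpAddress>
      <NetworkLocation>Intranet</NetworkLocation>
    </Component>
  </ContextComponents>
</AuditBase>"""

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# "XML:" marks the start of the embedded document; the declaration is optional
# and is skipped because the text we receive is already decoded, not utf-16.
XML_START_RE = re.compile(r"XML:\s*(?:<\?xml[^>]*\?>)?\s*")


def adfs_message_to_fields(message):
    """Flatten an ADFS audit Message into one dict entry per XML leaf element."""
    fields = {}
    m = re.search(r"Activity ID:\s*([0-9a-fA-F-]{36})", message)
    if m:
        fields["ActivityId"] = m.group(1)
    m = XML_START_RE.search(message)
    if not m:
        return fields  # no embedded XML in this event
    root = ET.fromstring(message[m.end():])
    fields["AuditKind"] = root.get(XSI_TYPE)  # e.g. FreshCredentialAudit
    for child in root:
        if child.tag != "ContextComponents":
            fields[child.tag] = (child.text or "").strip()
            continue
        # Leaf names repeat across components, so prefix each with the
        # component's xsi:type (e.g. RequestAuditComponent_IpAddress).
        for comp in child:
            prefix = comp.get(XSI_TYPE, "Component")
            for leaf in comp:
                fields[prefix + "_" + leaf.tag] = (leaf.text or "").strip()
    return fields
```

    Underscore is used as the separator so the keys are safe to send as GELF additional fields once the leading "_" the GELF format requires is added.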

Answers (0)