3
responses
responses
Hello!
I noticed that the value of the ProcessID field in sysmon event does not match the value of the ProcessID field which is nested in the Message field. Is it normal?
The sample sysmon event from https://nxlog.co/documentation/nxlog-user-guide/sysmon.html is bellow
{
"EventTime": "2015-04-27 15:23:46",
"Hostname": "WIN-OUNNPISDHIG",
"Keywords": -9223372036854776000,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 1,
"SourceName": "Microsoft-Windows-Sysmon",
"ProviderGuid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"Version": 3,
"Task": 1,
"OpcodeValue": 0,
"RecordNumber": 2335906,
"ProcessID": 1680,
"ThreadID": 1728,
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "SYSTEM",
"AccountType": "Well Known Group",
"Message": "Process Create:\r\nUtcTime: 2015.04.27. 13:23\r\nProcessGuid: {00000000-3862-553E-0000-001051D40527}\r\nProcessId: 25848\r\nImage: c:\\Program Files (x86)\\nxlog\\nxlog.exe\r\nCommandLine: \"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f\r\nUser: WIN-OUNNPISDHIG\\Administrator\r\nLogonGuid: {00000000-568E-5453-0000-0020D5ED0400}\r\nLogonId: 0x4edd5\r\nTerminalSessionId: 2\r\nIntegrityLevel: High\r\nHashType: SHA1\r\nHash: 1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94\r\nParentProcessGuid: {00000000-3862-553E-0000-001088D30527}\r\nParentProcessId: 26544\r\nParentImage: C:\\msys\\1.0\\bin\\sh.exe\r\nParentCommandLine: C:\\msys\\1.0\\bin\\sh.exe",
"Opcode": "Info",
"UtcTime": "2015.04.27. 13:23",
"ProcessGuid": "{00000000-3862-553E-0000-001051D40527}",
"Image": "c:\\Program Files (x86)\\nxlog\\nxlog.exe",
"CommandLine": "\"c:\\Program Files (x86)\\nxlog\\nxlog.exe\" -f",
"User": "WIN-OUNNPISDHIG\\Administrator",
"LogonGuid": "{00000000-568E-5453-0000-0020D5ED0400}",
"LogonId": "0x4edd5",
"TerminalSessionId": "2",
"IntegrityLevel": "High",
"HashType": "SHA1",
"Hash": "1DCE4B0F24C40473CE7B2C57EB4F7E9E3E14BF94",
"ParentProcessGuid": "{00000000-3862-553E-0000-001088D30527}",
"ParentProcessId": "26544",
"ParentImage": "C:\\msys\\1.0\\bin\\sh.exe",
"ParentCommandLine": "C:\\msys\\1.0\\bin\\sh.exe",
"EventReceivedTime": "2015-04-27 15:23:47",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog"
}
Comments (2)
Thanks for the response.
Is it possible parse the nested ProccesID field by NXLog?
For example, can I create a new field with the value of the nested ProccesID?
I think the NXLog Enterprise Edition now uses
ExecutionProcessID
for the basic eventlog field so that it does not conflict with the one that Sysmon generates.