
Hi Everybody,

I'm trying to forward osquery logs stored in the Windows event log. That part seems to work, except that the "Message" field inside of EventData isn't included. However, the "Location" field inside of EventData is. I'm thinking that since the name of the location field is just "Location", the message field should be "Message". It looks like the message field exists, and just contains generic text instead of the data. I'm wondering if the two names (Message and EventData.Message) are in conflict. Is that a possibility? Is there a way to read EventData fields as "EventData.FieldName" instead of just "FieldName"?

A snippet of the to_json() output:
"AccountType":"User","Message":"Information","Location":"<empty>:0"

A snippet from the Event Viewer XML view:
<EventData>
<Data Name="Message">{"name":"disk_info","hostIdentifier":"XXXXXXXXX","calendarTime":"Fri Jan 15 15:16:57 2021 UTC","

Thanks

Asked January 15, 2021 - 5:35pm

Answer (1)

I am afraid that option is available for im_msvistalog only in Enterprise Edition.

AddPrefix
If this boolean directive is set to TRUE, names of fields parsed from the <EventData> portion of the event XML will be prefixed with EventData.. For example, $EventData.SubjectUserName will be added to the event record instead of $SubjectUserName. The same applies to <UserData>. This directive defaults to FALSE: field names will not be prefixed.
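To make the name collision concrete, here is an added Python example (not NXLog code and not from the original post) that parses an event in the layout shown in the question's XML view and flattens the EventData fields both without and with an "EventData." prefix. The <System> block, the osquery columns, and the flattening order are constructed assumptions: the unprefixed branch reproduces what the question observed (the core "Message" survives as "Information" and the osquery JSON is lost), it does not claim to show NXLog's internal order of assignment.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample event: same <EventData> layout as the question's Event
# Viewer XML, with the osquery result JSON as the "Message" data item. The
# <System> block and the "columns"/"action" members are assumed values.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="osquery"/>
    <EventID>1</EventID>
    <Level>4</Level>
    <Computer>host.example.local</Computer>
  </System>
  <EventData>
    <Data Name="Message">{"name":"disk_info","hostIdentifier":"XXXXXXXXX","calendarTime":"Fri Jan 15 15:16:57 2021 UTC","columns":{"device":"C:"},"action":"added"}</Data>
    <Data Name="Location">&lt;empty&gt;:0</Data>
  </EventData>
</Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Rendered level text; this is the "Information" the question saw in $Message.
LEVEL_TEXT = {"1": "Critical", "2": "Error", "3": "Warning", "4": "Information"}


def core_fields(root):
    """Fields a shipper derives from <System> before it looks at <EventData>."""
    system = root.find("e:System", NS)
    level = system.findtext("e:Level", default="", namespaces=NS)
    return {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Hostname": system.findtext("e:Computer", namespaces=NS),
        "Message": LEVEL_TEXT.get(level, level),
    }


def event_data_fields(root, add_prefix):
    """Flatten <Data Name="X">value</Data> items into a dict.

    add_prefix=True mirrors the AddPrefix behaviour quoted in the answer:
    keys become "EventData.X", so they can never collide with core fields.
    """
    fields = {}
    for data in root.findall("e:EventData/e:Data", NS):
        name = data.get("Name")
        if not name:
            continue
        key = f"EventData.{name}" if add_prefix else name
        fields[key] = data.text or ""
    return fields


def to_record(event_xml, add_prefix=False):
    """Build the flat record a to_json()-style output would serialise."""
    root = ET.fromstring(event_xml)
    record = core_fields(root)
    # Assumed collision rule, matching the observed output: when an EventData
    # name equals an existing core field name, the core value is kept and the
    # EventData value is dropped.
    for key, value in event_data_fields(root, add_prefix).items():
        record.setdefault(key, value)
    return record


def osquery_payload(record):
    """Return the osquery result carried by the event, or None if it was lost."""
    raw = record.get("EventData.Message") or record.get("Message")
    try:
        return json.loads(raw)
    except (TypeError, json.JSONDecodeError):
        return None


if __name__ == "__main__":
    for prefixed in (False, True):
        rec = to_record(SAMPLE_EVENT_XML, add_prefix=prefixed)
        print(f"AddPrefix={prefixed}: {json.dumps(rec)}")
        print("  osquery payload:", osquery_payload(rec))
```

Running it shows the unprefixed record exactly as the question describes ("Message":"Information", "Location":"<empty>:0", no osquery JSON anywhere), while the prefixed record keeps the level text in "Message" and the full result in "EventData.Message", which downstream parsing can then decode. The same check is useful on the NXLog side: if "EventData.Message" never appears in to_json() output after enabling AddPrefix, the edition in use does not support the directive.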