
Dear NXlog community,

I am using nxlog in a Windows 2003 environment and I am having some problems with Windows failed authentication events. All entries with EventID 675 contain the AccountName "SYSTEM" instead of the username that the failed authentication is for. I couldn't get it to work with pattern matching in nxlog, but as I have never used this before I am probably doing something wrong. I would really like to get some statistics on this and get the user name in the AccountName field.

For example, Kibana is reporting:

AccountName        SYSTEM
AccountType        User
Category        Account Logon
CategoryNumber        9
Domain            NT AUTHORITY
EventID            675
EventType        AUDIT_FAILURE
FileName        Security
Hostname        SomeHostName
Severity        ERROR
SeverityValue        4
SourceModuleName    eventlog
SourceModuleType    im_mseventlog
SourceName        Security
host            SomeHostName.SomeDomain
message            Pre-authentication failed:
             User Name: [username]
             User ID: %{some user id}
             Service Name: krbtgt/office
             Pre-Authentication Type: 0x0
             Failure Code: 0x19
             Client Address: [ip address]
Any help is appreciated!

Asked February 24, 2015 - 4:28pm

Answer (1)

Windows 2003 uses the older eventlog API, and only the standard eventlog fields are available; on Windows Vista and later you get more fields from the security logs (i.e. TargetUserName, SubjectUserName). The value of TargetUserName is only available in the Message field on w2k3, so you will need to extract it with a regexp.

You can add the following to your nxlog.conf to extract it:

Exec if ($EventID == 675) and ($Message =~ /User Name: (\S+)/) { $TargetUserName = $1; }

The other option is to use pm_pattern. This is recommended if you need to use a lot of extraction and classification rules.

Comments (1)

  • pk21

    With Win2008 and higher I indeed have no problems getting the information I want.

    I have tested your solution and after a little troubleshooting it works!

    It appears there is a tab after the "User Name:" field instead of a space, so I had to change the line to

      Exec if ($EventID == 675) and ($Message =~ /User Name:\t(\S+)/)  { $TargetUserName = $1; }

    Thanks for the help!!
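The extraction from the answer, with the tab-versus-space detail from pk21's comment handled by matching `\s+` instead of a literal separator, as an added Python example that is not from the original thread or from NXLog; the record layout, the extra Failure Code and Client Address patterns, and the sample events are constructed here for illustration.

```python
import re

# Fields carried in the Message of a Windows 2003 EventID 675
# (Kerberos pre-authentication failure). \s+ accepts the tab that the
# comment above found after "User Name:" as well as a plain space.
FIELD_PATTERNS = {
    "TargetUserName": re.compile(r"User Name:\s+(\S+)"),
    "FailureCode": re.compile(r"Failure Code:\s+(0x[0-9A-Fa-f]+)"),
    "ClientAddress": re.compile(r"Client Address:\s+(\S+)"),
}


def extract_675_fields(event):
    """Return the fields extracted from an EventID 675 record, or None for
    any other EventID. 'event' is a dict keyed by the nxlog field names
    shown in the question (EventID, Message); this layout is an assumption."""
    if event.get("EventID") != 675:
        return None
    message = event.get("Message", "")
    result = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(message)
        if match:
            result[name] = match.group(1)
    return result


def count_failures_by_user(events):
    """Tally 675 failures per extracted user name: the statistic the
    question is after, which AccountName == SYSTEM cannot provide."""
    counts = {}
    for event in events:
        fields = extract_675_fields(event)
        if fields and "TargetUserName" in fields:
            user = fields["TargetUserName"]
            counts[user] = counts.get(user, 0) + 1
    return counts


# Constructed sample records, not real events: one with tab separators
# (as pk21 observed), one with spaces, and one that is not EventID 675.
SAMPLE_EVENTS = [
    {"EventID": 675, "AccountName": "SYSTEM",
     "Message": "Pre-authentication failed:\n\tUser Name:\tjdoe\n\tUser ID:\tS-1-5-21-111-222-333-1001\n\tService Name:\tkrbtgt/office\n\tPre-Authentication Type:\t0x0\n\tFailure Code:\t0x19\n\tClient Address:\t192.0.2.10"},
    {"EventID": 675, "AccountName": "SYSTEM",
     "Message": "Pre-authentication failed: User Name: asmith User ID: S-1-5-21-111-222-333-1002 Service Name: krbtgt/office Pre-Authentication Type: 0x0 Failure Code: 0x18 Client Address: 192.0.2.11"},
    {"EventID": 528, "AccountName": "jdoe", "Message": "Successful Logon: User Name: jdoe"},
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(sample["EventID"], extract_675_fields(sample))
    print(count_failures_by_user(SAMPLE_EVENTS))
```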