
Problem with Windows events parsing - Security_4724

Question asked by David Bursik on Mar 19, 2014
Latest reply on Mar 20, 2014 by David Bursik

Hello everybody,

I am facing a problem with Windows logs. I am trying to monitor Windows password reset events, but SA cannot parse the whole message.

It looks like nothing more than the header has been parsed.

The log looks like:

============================================
%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,rn=1784170698 cid=0x00003600 eid=0x00001274,Wed Mar 19 10:01:38 2014,4724,Microsoft-Windows-Security-Auditing,None,Success Audit,dc01.domain.local,User Account Management,,An attempt was made to reset an account's password.  Subject:  Security ID:  DOMAIN/admin-user   Account Name:  admin-user   Account Domain:  DOMAIN   Logon ID:  0x1eeb24a   Target Account:  Security ID:  DOMAIN/john.doe   Account Name:  john.doe   Account Domain:  DOMAIN
============================================

In ESI it looks OK. Everything is parsed as it should be.

But when I try to look at the log in SA there is just this:

============================================
%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,rn=1784784984 cid=2620 eid=648,Wed Mar 19 13:39:00 2014,4724,Microsoft-Windows-Security-Auditing,,,dc01.domain.local,13824,,

Parsed META:

sessionid    =   1392895
time         =   2014-03-19T14:42:41.0
size         =   283
medium       =   32
device.type  =   "winevent_nic"
lc.cid       =   "siem02.domain.local"
forward.ip   =   127.0.0.1
device.ip    =   10.10.10.10
============================================

I also tried to modify the XML for Windows to avoid non-compatible variables, but it didn't help me.

Here is the modified parser for this message:

============================================
<MESSAGE
  level="6"
  parse="1"
  parsedefvalue="1"
  tableid="85"
  id1="Security_4724_Microsoft-Windows-Security-Auditing"
  id2="Security_4724_Microsoft-Windows-Security-Auditing"
  eventcategory="1402040100"
  summary="NIC_B_WINDOWS;sumtype=11;|NIC_B_WINDOWS;key=event_computer;sumtype=12;|NIC_B_WINDOWS;key=event_type;sumtype=13;|NIC_B_WINDOWS;key=category;sumtype=14;|NIC_B_CATEGORIES;sumtype=denied_in;|NIC_B_CATEGORIES;subkey=event_log;sumtype=connection;"
  content="&lt;event_description&gt;  Subject:  Security ID:  &lt;uid&gt;   Account Name:  &lt;username&gt;   Account Domain:  &lt;domain&gt;   Logon ID:  &lt;sessionid&gt;   Target Account:  Security ID:  &lt;domain_id&gt;   Account Name:  &lt;c_username&gt;   Account Domain:  &lt;c_domain&gt;"/>
============================================

(Header 0004 is used to parse the header)

Thanks for any help...
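As an added illustration, not part of the original post and not RSA's parser, here is a small stand-alone Python parser for the two event lines quoted above. It splits the NICWIN header into its comma-separated fields, pulls the subject and target accounts out of the 4724 message body, and flags an event that arrives with header only (the symptom in the question) as a collection gap rather than a benign event. The field positions, the regular expressions and the names `Event4724`, `parse_nicwin_4724` and `triage` are my assumptions derived from the two sample lines, not the product's schema.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed samples: the two event lines quoted in the question, copied verbatim.
FULL_EVENT = (
    "%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,"
    "rn=1784170698 cid=0x00003600 eid=0x00001274,Wed Mar 19 10:01:38 2014,4724,"
    "Microsoft-Windows-Security-Auditing,None,Success Audit,dc01.domain.local,"
    "User Account Management,,An attempt was made to reset an account's password.  "
    "Subject:  Security ID:  DOMAIN/admin-user   Account Name:  admin-user   "
    "Account Domain:  DOMAIN   Logon ID:  0x1eeb24a   Target Account:  "
    "Security ID:  DOMAIN/john.doe   Account Name:  john.doe   Account Domain:  DOMAIN"
)
TRUNCATED_EVENT = (
    "%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,"
    "rn=1784784984 cid=2620 eid=648,Wed Mar 19 13:39:00 2014,4724,"
    "Microsoft-Windows-Security-Auditing,,,dc01.domain.local,13824,,"
)

# "%NICWIN-<severity>-<message id>: <comma separated header>[,<free-text body>]"
HEADER_RE = re.compile(r"^%NICWIN-(?P<severity>\d)-(?P<msgid>\S+):\s*(?P<rest>.*)$")
# 4724 body as the agent renders it: labels separated by runs of spaces (assumed layout).
BODY_RE = re.compile(
    r"Subject:\s+Security ID:\s+(?P<subject_sid>\S+)\s+Account Name:\s+(?P<subject_name>\S+)\s+"
    r"Account Domain:\s+(?P<subject_domain>\S+)\s+Logon ID:\s+(?P<logon_id>\S+)\s+"
    r"Target Account:\s+Security ID:\s+(?P<target_sid>\S+)\s+Account Name:\s+(?P<target_name>\S+)\s+"
    r"Account Domain:\s+(?P<target_domain>\S+)"
)


@dataclass
class Event4724:
    event_id: int
    computer: str
    timestamp: datetime
    record_number: Optional[str]
    event_type: str
    category: str
    # subject_*/target_*/logon_id when the body was present; empty when only the header arrived
    fields: dict = field(default_factory=dict)

    @property
    def body_parsed(self) -> bool:
        return bool(self.fields)


def parse_nicwin_4724(line: str) -> Event4724:
    """Parse one NICWIN-formatted Windows security event line (hypothetical helper)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a NICWIN event line")
    # The header is comma separated and the free-text body is the 11th field,
    # so split at most 10 times to keep any commas inside the body intact.
    parts = m.group("rest").split(",", 10)
    if len(parts) < 11:
        raise ValueError(f"expected 11 header fields, got {len(parts)}")
    _log, ids, ts, event_id, _source, _, event_type, computer, category, _, body = parts
    rn = re.search(r"rn=(\S+)", ids)
    ev = Event4724(
        event_id=int(event_id),
        computer=computer,
        timestamp=datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
        record_number=rn.group(1) if rn else None,
        event_type=event_type,
        category=category,
    )
    bm = BODY_RE.search(body)
    if bm:
        ev.fields = bm.groupdict()
    return ev


def triage(ev: Event4724) -> str:
    """Classify a 4724 event the way a reviewer of password-reset activity would."""
    if ev.event_id != 4724:
        return "not-4724"
    if not ev.body_parsed:
        # Header only, no subject/target: the situation described in the question.
        # Surface it as a collection gap so the reset is not silently lost.
        return "truncated-body"
    if ev.fields["subject_name"].lower() == ev.fields["target_name"].lower():
        return "subject-is-target"
    return "reset-by-other"  # e.g. an administrator resetting another user's password


if __name__ == "__main__":
    for line in (FULL_EVENT, TRUNCATED_EVENT):
        ev = parse_nicwin_4724(line)
        print(ev.timestamp, ev.computer, triage(ev), ev.fields)
```

Running the block prints the two sample lines classified as `reset-by-other` (admin-user resetting john.doe) and `truncated-body`; the second classification is the one to alert on, because a reset whose subject and target never reach the analyst is the kind of blind spot the question is about.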
