Problem with Windows events parsing - Security_4724

Question asked by David Bursik on Mar 19, 2014
Hello everybody,

I am facing a problem with Windows logs. I am trying to monitor Windows password reset events, but SA cannot parse the whole message.

It looks like nothing more than the header has been parsed.


The log looks like:

%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,rn=1784170698 cid=0x00003600 eid=0x00001274,Wed Mar 19 10:01:38 2014,4724,Microsoft-Windows-Security-Auditing,None,Success Audit,dc01.domain.local,User Account Management,,An attempt was made to reset an account's password.  Subject:  Security ID:  DOMAIN/admin-user   Account Name:  admin-user   Account Domain:  DOMAIN   Logon ID:  0x1eeb24a   Target Account:  Security ID:  DOMAIN/john.doe   Account Name:  john.doe   Account Domain:  DOMAIN

In ESI it looks OK. Everything is parsed as it should be.

But when I try to look at the log in SA there is just this:

%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,rn=1784784984 cid=2620 eid=648,Wed Mar 19 13:39:00 2014,4724,Microsoft-Windows-Security-Auditing,,,dc01.domain.local,13824,,

Parsed META:

sessionid    =   1392895
time    =   2014-03-19T14:42:41.0
size    =   283
medium    =   32
device.type    =   "winevent_nic"
lc.cid    =   "siem02.domain.local"
forward.ip    =
device.ip    =

I also tried to modify the XML for Windows to avoid non-compatible variables, but it didn't help.

Here is the modified parser for this message:

  content="&lt;event_description&gt;  Subject:  Security ID:  &lt;uid&gt;   Account Name:  &lt;username&gt;   Account Domain:  &lt;domain&gt;   Logon ID:  &lt;sessionid&gt;   Target Account:  Security ID:  &lt;domain_id&gt;   Account Name:  &lt;c_username&gt;   Account Domain:  &lt;c_domain&gt;"/>

(Header 0004 is used to parse the header.)

Thanks for any help...
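As an added example (not code from the question, and not the SA or ESI parser itself), the following Python script reproduces what the poster's parser is trying to do on the two lines quoted above: it splits the NICWIN header into its comma-separated fields and then applies the `content=` template from the question to the free-text message field. The two sample lines are copied from the post, the names I give the header positions (`log_name`, `audit_result`, `task_category`, ...) are my own labels, and the way I turn `<name>` placeholders into a regex is an approximation of the envision template syntax, not its real implementation. What it makes visible is that the line SA received carries an empty message field, so no content template can yield the subject and target meta from it, whatever the template looks like.

```python
import re

# Constructed sample input: the complete line the poster saw in ESI and the
# truncated line seen in SA, copied from the question rather than captured live.
FULL_EVENT = (
    "%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,"
    "rn=1784170698 cid=0x00003600 eid=0x00001274,Wed Mar 19 10:01:38 2014,4724,"
    "Microsoft-Windows-Security-Auditing,None,Success Audit,dc01.domain.local,"
    "User Account Management,,An attempt was made to reset an account's password.  "
    "Subject:  Security ID:  DOMAIN/admin-user   Account Name:  admin-user   "
    "Account Domain:  DOMAIN   Logon ID:  0x1eeb24a   Target Account:  Security ID:  "
    "DOMAIN/john.doe   Account Name:  john.doe   Account Domain:  DOMAIN"
)
TRUNCATED_EVENT = (
    "%NICWIN-4-Security_4724_Microsoft-Windows-Security-Auditing: Security,"
    "rn=1784784984 cid=2620 eid=648,Wed Mar 19 13:39:00 2014,4724,"
    "Microsoft-Windows-Security-Auditing,,,dc01.domain.local,13824,,"
)

# The content template from the poster's parser, with the XML entities decoded.
CONTENT_TEMPLATE = (
    "<event_description>  Subject:  Security ID:  <uid>   Account Name:  <username>   "
    "Account Domain:  <domain>   Logon ID:  <sessionid>   Target Account:  "
    "Security ID:  <domain_id>   Account Name:  <c_username>   Account Domain:  <c_domain>"
)

# Labels for the comma-separated header positions. These names are assumptions
# made for this example; only the positions are taken from the sample lines.
HEADER_FIELDS = ["log_name", "record_ids", "event_time", "event_id", "provider",
                 "field6", "audit_result", "computer", "task_category", "field10",
                 "message"]

HEADER_RE = re.compile(r"^%NICWIN-(?P<severity>\d+)-(?P<tag>[^:\s]+): (?P<rest>.*)$", re.S)


def _to_int(value):
    """rn/cid/eid appear both as decimal and as 0x-prefixed hex in the samples."""
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def parse_header(line):
    """Split a NICWIN line into its fixed header fields plus the free-text message.

    The message is the last (11th) field and may itself contain commas, so the
    split is capped at 10 cuts. Returns None when the line is not NICWIN-shaped.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = m.group("rest").split(",", len(HEADER_FIELDS) - 1)
    if len(fields) != len(HEADER_FIELDS):
        return None
    hdr = dict(zip(HEADER_FIELDS, fields))
    hdr["severity"] = int(m.group("severity"))
    hdr["tag"] = m.group("tag")
    # "rn=... cid=... eid=..." becomes a small dict of integers
    hdr["record_ids"] = {k: _to_int(v) for k, v in
                         (kv.split("=", 1) for kv in hdr["record_ids"].split())}
    return hdr


def template_to_regex(template):
    """Turn a content template into an anchored regex (an approximation of the
    envision syntax, written for this example).

    <name> placeholders become lazy named groups; literal text is escaped, and
    whitespace runs are matched loosely so collapsed spacing does not break it.
    """
    pieces = []
    for part in re.split(r"(<[A-Za-z_]\w*>)", template):
        if part.startswith("<") and part.endswith(">"):
            pieces.append("(?P<%s>.+?)" % part[1:-1])
        else:
            pieces.append(r"\s+".join(re.escape(tok) for tok in re.split(r"\s+", part)))
    return re.compile("^" + "".join(pieces) + "$", re.S)


MESSAGE_RE = template_to_regex(CONTENT_TEMPLATE)


def parse_event(line):
    """Return (header, meta). meta is the dict of template captures, or None when
    the message field is empty or does not fit the template."""
    hdr = parse_header(line)
    if hdr is None:
        return None, None
    m = MESSAGE_RE.match(hdr["message"])
    return hdr, (m.groupdict() if m else None)


if __name__ == "__main__":
    for label, line in (("ESI line", FULL_EVENT), ("SA line", TRUNCATED_EVENT)):
        hdr, meta = parse_event(line)
        print(label, "event_id", hdr["event_id"], "message length", len(hdr["message"]))
        print("  meta:", meta)
```

Running it shows the header parsing succeed for both lines, while the template captures (`uid`, `username`, `c_username`, ...) come back only for the complete line; the SA line has a zero-length message field and two further header fields blanked, which is why the "Parsed META" in the question stops at the header-level keys.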