-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: more keys or dynamic keys #8
Comments
Which fields do you want? Sorry, I'm not familiar with winlogbeat. |
Hi @repeatedly, Sorry for the delay in my response.
We're interested in the EventData. Start > eventvwr.msc > Windows Logs > Security > Details. I've included a detailed Logon category entry below.
Hmm, if I understand this correctly, we need the event data from EVENTLOGRECORD : https://msdn.microsoft.com/en-us/library/windows/desktop/aa363650(v=vs.85).aspx This unfortunately is not consumed by win32-eventlog: It looks like someone tried to extend this in https://github.com/djberg96/win32-eventlog/pull/21/files; however, as you can see it's been languishing since June 2016. David
|
Doesn't win32-eventlog retrieve EventData as |
Hi @igorpeshansky, Thanks a lot for your reply. I reviewed your PR and it seems to leverage https://github.com/djberg96/win32-eventlog/blob/ffi2/lib/win32/eventlog.rb#L580. If I understand this correctly ... an array of insertion strings is returned:
I upgraded fluent-plugin-windows-eventlog to v0.2.1 and I now see the insertion strings:
However, they aren't terribly useful, because they have no structure. It's a shame that FormatMessage (?) wasn't used to generate the keys. The description element has a similar problem in that's it's just a big blob of text (new lines added for readability):
As I mentioned earlier, for now we ended up going with winlogbeat, because out of the box the data is well structured. It seems they chose to go down the XML path: https://github.com/elastic/beats/blob/c821b84cf55f88778c9702a60aea52c52d5643d7/winlogbeat/eventlog/wineventlog.go#L80. If you keep following you'll eventually reach https://msdn.microsoft.com/en-us/library/windows/desktop/aa385471%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396. I don't know what the answer is here ... but the unstructured data is a show stopper for us. David |
Tryied to implement fluentd for windows environment and hit the same problem. |
https://github.com/fluent/fluent-plugin-windows-eventlog#parse_description-details |
string_inserts and description fields are not structure, that makes pattern analysis and event correlation very complicated, requiring additional parsing, processing etc. If there would be just a way to structure them... Basically Logs collected by Fluentd windows version cannot be processed by most SIEM, IPS/IDS solutions without additional adapter or extensive parsing rules. I do understand that it's mostly win32-eventlog problem though... We've tried to fork and fix win32-eventlog, but the effort looks to be just too big... :( Sorry, this comment might be very emotional. I was trying to get it working for last 4 months, without any good success. |
If I am correct with my digging the problem consists in parsing of following structures: |
With |
Hello,
The v0.14 fluentd MSI is great, much easier than the approach on v0.12, many thanks!
We've been comparing winlogbeat to fluent-plugin-windows-eventlog. One big disadvantage to fluentd is the small key/field list. Our particular use case involves the information in the event_data element for security events.
For now, I guess we're stuck with winlogbeat, but I might be able to contribute a PR in the future. Maybe a more dynamic XML to JSON approach would be feasible such that keys/fields are dynamically generated?
The text was updated successfully, but these errors were encountered: