Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: Parse Applications and Service Logs #11

Open
bcharboneauiherb opened this issue Jan 15, 2018 · 3 comments
Open

Feature Request: Parse Applications and Service Logs #11

bcharboneauiherb opened this issue Jan 15, 2018 · 3 comments
Labels
in_windows_eventlog(old) For old in_windows_eventlog plugin issue

Comments

@bcharboneauiherb
Copy link

We Run Sysmon on our servers and we would like to parse the Applications and Service Logs\Microsoft\Windows\Sysmon\Operational Log

The Log format is below. Hope you can help. Some info has been obscured for security purposes.

Network connection detected:
UtcTime: 2018-01-15 20:21:12.958
ProcessGuid: {2d8e38d1-5fa9-5a4d-0000-001022780800}
ProcessId: 11556
Image: D:\Program Files (x86)\Websense\Web Security\bin\BrokerService.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: false
SourceIsIpv6: false
SourceIp: X.X.X.X
SourceHostname: sytemname1.example.com
SourcePort: 55880
SourcePortName:
DestinationIsIpv6: false
DestinationIp: X.X.X.X
DestinationHostname: sytemname2.example.com
DestinationPort: 48792
DestinationPortName:
@juju4
Copy link

juju4 commented Sep 1, 2018

Sysmon is not the only log for which parse_description true get a null description_title as output.

With current td-agent 3.1.1/fluentd 1.0.2 and plugin 0.2.2, also get it for:

microsoft-windows-terminalservices-remoteconnectionmanager/operational
microsoft-windows-windows defender/operational
microsoft-windows-remotedesktopservices-rdpcorets/operational
microsoft-windows-taskscheduler/operational
microsoft-windows-wmi-activity/operational
microsoft-windows-sysmon/operational
microsoft-windows-powershell/operational
microsoft-windows-terminalservices-localsessionmanager/operational

Any pointer how to improve parsing? seems some work needed in win32-eventlog from #8 but pending since long.

Thanks

@repeatedly
Copy link
Member

Sorry, I missed this issue.

fluent-plugin-windows-eventlog/lib/fluent/plugin/in_windows_eventlog.rb

Line 197 in 528290d

def parse_desc(record)

If the delimiter of description is not popular value, one way is check delimiter before parsing like below

case
when desc.index(GROUP_DELIMITER) # if GROUP_DELIMITER found, the value is standard event.
  parse_standard_desc(desc)
when desc.index("your sysmon value delimiter")
  parse_sysmon_desc(desc)
end

@cosmo0920 cosmo0920 added the in_windows_eventlog(old) For old in_windows_eventlog plugin issue label Jan 28, 2020
@veno07
Copy link

veno07 commented Feb 19, 2021
edited
Loading

Hi, your suggested method seems to make sense. May I check if your have a .rb file that has included the suggested Sysmon delimiter \r\n?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in_windows_eventlog(old) For old in_windows_eventlog plugin issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@repeatedly @cosmo0920 @juju4 @bcharboneauiherb @veno07