
Feature Request: Parse Applications and Service Logs

Open bcharboneauiherb opened this issue 7 years ago • 3 comments

We run Sysmon on our servers and we would like to parse the Applications and Service Logs\Microsoft\Windows\Sysmon\Operational log.

The log format is below. Hope you can help. Some info has been obscured for security purposes.

Network connection detected: UtcTime: 2018-01-15 20:21:12.958 ProcessGuid: {2d8e38d1-5fa9-5a4d-0000-001022780800} ProcessId: 11556 Image: D:\Program Files (x86)\Websense\Web Security\bin\BrokerService.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: false SourceIsIpv6: false SourceIp: X.X.X.X SourceHostname: sytemname1.example.com SourcePort: 55880 SourcePortName: DestinationIsIpv6: false DestinationIp: X.X.X.X DestinationHostname: sytemname2.example.com DestinationPort: 48792 DestinationPortName:

bcharboneauiherb, Jan 15 '18 20:01

Sysmon is not the only log for which parse_description true gets a null description_title as output.

With current td-agent 3.1.1/fluentd 1.0.2 and plugin 0.2.2, I also get it for:

- microsoft-windows-terminalservices-remoteconnectionmanager/operational
- microsoft-windows-windows defender/operational
- microsoft-windows-remotedesktopservices-rdpcorets/operational
- microsoft-windows-taskscheduler/operational
- microsoft-windows-wmi-activity/operational
- microsoft-windows-sysmon/operational
- microsoft-windows-powershell/operational
- microsoft-windows-terminalservices-localsessionmanager/operational

Any pointer on how to improve parsing? It seems some work is needed in win32-eventlog, per https://github.com/fluent/fluent-plugin-windows-eventlog/issues/8, but that has been pending for a long time.

Thanks

juju4, Sep 01 '18 23:09

Sorry, I missed this issue.

https://github.com/fluent/fluent-plugin-windows-eventlog/blob/528290d896a885c7721f850943daa3a43a015f3d/lib/fluent/plugin/in_windows_eventlog.rb#L197

If the delimiter of the description is not a common value, one way is to check the delimiter before parsing, like below:

case
when desc.index(GROUP_DELIMITER) # if GROUP_DELIMITER found, the value is standard event.
  parse_standard_desc(desc)
when desc.index("your sysmon value delimiter")
  parse_sysmon_desc(desc)
end

repeatedly, Jan 17 '19 13:01
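To make the delimiter check above concrete, here is an added example (not the plugin's own code) that recognises a Sysmon-style description, where the title line and each "Key: Value" field are separated by "\r\n", and parses it into a title plus a hash. The "\r\n" delimiter, the field shape and the sample description are assumptions modelled on the event quoted in this issue; the plugin's real GROUP_DELIMITER and standard-event format are not reproduced here.

```ruby
# Added example, not part of fluent-plugin-windows-eventlog. Assumes Sysmon
# descriptions look like "<title>:\r\nKey: Value\r\nKey: Value...".

SYSMON_DELIMITER = "\r\n".freeze
SYSMON_FIELD = /\A[A-Za-z0-9]+:/  # a line that starts with "Key:"

# Returns [title, fields]. Values may be empty ("SourcePortName:") and may
# themselves contain colons (paths, timestamps), so split on the first colon only.
def parse_sysmon_desc(desc)
  lines = desc.split(SYSMON_DELIMITER).map(&:strip).reject(&:empty?)
  title = lines.shift.to_s.chomp(':')
  fields = {}
  lines.each do |line|
    key, value = line.split(':', 2)
    next if value.nil?             # not a "Key: Value" line; skip it
    fields[key.strip] = value.strip
  end
  [title, fields]
end

# Delimiter check in the spirit of the suggestion above: treat the description
# as Sysmon output only if every line after the title starts with "Key:".
def sysmon_desc?(desc)
  lines = desc.split(SYSMON_DELIMITER).map(&:strip).reject(&:empty?)
  lines.size > 1 && lines.drop(1).all? { |l| l.match?(SYSMON_FIELD) }
end

# Constructed sample modelled on the description quoted in this issue.
SAMPLE = [
  "Network connection detected:",
  "UtcTime: 2018-01-15 20:21:12.958",
  "ProcessGuid: {2d8e38d1-5fa9-5a4d-0000-001022780800}",
  "ProcessId: 11556",
  "Image: D:\\Program Files (x86)\\Websense\\Web Security\\bin\\BrokerService.exe",
  "User: NT AUTHORITY\\SYSTEM",
  "Protocol: tcp",
  "Initiated: false",
  "SourceIp: X.X.X.X",
  "SourcePort: 55880",
  "SourcePortName:",
  "DestinationPort: 48792",
  "DestinationPortName:",
].join(SYSMON_DELIMITER)

if __FILE__ == $0
  title, fields = parse_sysmon_desc(SAMPLE) if sysmon_desc?(SAMPLE)
  puts title
  fields.each { |k, v| puts "#{k} => #{v.inspect}" }
end
```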

Hi, your suggested method seems to make sense. May I check if you have a .rb file that includes the suggested Sysmon delimiter \r\n?

veno07, Feb 19 '21 05:02