
winevtlog string inserts to retain key value pairs #9956

Open
Skr00b opened this issue Feb 19, 2025 · 1 comment
Comments


Skr00b commented Feb 19, 2025

Is your feature request related to a problem? Please describe.
When using winevtlog with string inserts, they are ingested as an array and end up losing the key/value pairs associated with the Windows event data.

Describe the solution you'd like
Ability to have an option to keep these or not when configuring winevtlog

Describe alternatives you've considered
Rendering as XML then parsing that, but not as efficient.

Additional context
For example, when looking at Windows Event 4264 for successful logon:

The Event data is the following:

<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="SubjectUserName">REDACTED$</Data>
  <Data Name="SubjectDomainName">WORKGROUP</Data>
  <Data Name="SubjectLogonId">0x3e7</Data>
  <Data Name="TargetUserSid">S-1-5-21-1072513571-3414291919-2907362238-500</Data>
  <Data Name="TargetUserName">Administrator</Data>
  <Data Name="TargetDomainName">REDACTED</Data>
  <Data Name="TargetLogonId">0x1179c0da</Data>
  <Data Name="LogonType">7</Data>
  <Data Name="LogonProcessName">User32</Data>
  <Data Name="AuthenticationPackageName">Negotiate</Data>
  <Data Name="WorkstationName">REDACTED</Data>
  <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
  <Data Name="TransmittedServices">-</Data>
  <Data Name="LmPackageName">-</Data>
  <Data Name="KeyLength">0</Data>
  <Data Name="ProcessId">0x9f8</Data>
  <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  <Data Name="IpAddress">REDACTED</Data>
  <Data Name="IpPort">0</Data>
  <Data Name="ImpersonationLevel">%%1833</Data>
  <Data Name="RestrictedAdminMode">-</Data>
  <Data Name="RemoteCredentialGuard">-</Data>
  <Data Name="TargetOutboundUserName">-</Data>
  <Data Name="TargetOutboundDomainName">-</Data>
  <Data Name="VirtualAccount">%%1843</Data>
  <Data Name="TargetLinkedLogonId">0x0</Data>
  <Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>

Fluentbit output is:
"StringInserts":["S-1-0-0","-","-","0x0","S-1-5-21-1072513571-3414291919-2907362238-500","Administrator","REDACTED","0x179f8001",3,"NtLmSsp ","NTLM","REDACTED","{00000000-0000-0000-0000-000000000000}","-","NTLM V2",128,"0x0","-","192.168.15.92","0","%%1833","-","-","-","-","%%1843","0x0","%%1842"]

It would be great to retain the associated names with each value as a nested JSON or something similar.
EX: {"TargetUserName":"Administrator","LogonType":"7"} and so on

If this already exists, please let me know if I missed anything.
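The two workarounds described above (rendering the event as XML and parsing it, or attaching names to the positional StringInserts array) can be combined: the `Data Name` attributes are read once from a rendered event and then used to label the array. The following is an added example for illustration, not code from the issue or from Fluent Bit; the sample XML and array are constructed, and the function names are hypothetical.

```python
"""Rebuild name/value pairs from winevtlog output (added example, not Fluent Bit code)."""
import json
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed <EventData> fragment in the same shape as the
# logon event quoted in the issue (values are placeholders).
SAMPLE_EVENTDATA_XML = """<EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data>
  <Data Name="TargetUserName">Administrator</Data>
  <Data Name="LogonType">7</Data>
  <Data Name="AuthenticationPackageName">Negotiate</Data>
</EventData>"""

# Constructed sample: the positional StringInserts array winevtlog emits for
# an event with the same layout (no names, mixed int/str types).
SAMPLE_STRING_INSERTS = ["S-1-5-18", "Administrator", 7, "Negotiate"]


def _local_name(tag):
    """Strip an XML namespace prefix; full <Event> renders carry one."""
    return tag.rsplit("}", 1)[-1]


def eventdata_to_dict(xml_text):
    """Parse a rendered EventData fragment into {Name: value}.

    <Data> elements without a Name attribute (legacy events) are keyed by
    position so no value is silently dropped.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for idx, elem in enumerate(e for e in root.iter() if _local_name(e.tag) == "Data"):
        name = elem.get("Name") or f"Data{idx}"
        result[name] = (elem.text or "").strip()
    return result


def zip_string_inserts(names, inserts):
    """Label a positional StringInserts array with field names taken from a
    rendered event. A length mismatch means the event template differs, so
    fall back to positional keys instead of mislabelling fields."""
    if len(names) != len(inserts):
        return {f"StringInsert{i}": str(v) for i, v in enumerate(inserts)}
    # str() so ints such as LogonType/KeyLength compare like the XML rendering.
    return {n: str(v) for n, v in zip(names, inserts)}


if __name__ == "__main__":
    fields = eventdata_to_dict(SAMPLE_EVENTDATA_XML)
    print(json.dumps(zip_string_inserts(list(fields), SAMPLE_STRING_INSERTS)))
```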


Skr00b commented Feb 21, 2025

Fluentbit conf file:

[INPUT]
    Name         winevtlog
    Channels     Application,System,Security,Setup,Windows PowerShell
    String_Inserts true
    DB           winevents.sqlite
    Interval_Sec 1

[OUTPUT]
    Name file
    Match *
    File C:\\tmp\\winevtlog.log
