Posted to issues@metron.apache.org by "James Sirota (JIRA)" <ji...@apache.org> on 2016/06/02 05:33:59 UTC

[jira] [Updated] (METRON-165) Create Windows Syslog Parser

     [ https://issues.apache.org/jira/browse/METRON-165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-165:
--------------------------------
    Labels: ParserExtension  (was: )

> Create Windows Syslog Parser
> ----------------------------
>
>                 Key: METRON-165
>                 URL: https://issues.apache.org/jira/browse/METRON-165
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Deeptaanshu Kumar
>              Labels: ParserExtension
>
> Create a parser for Windows Syslog.
> Below are sample messages and their expected parsed output:
> <13> ABC 02/05/2016 09:54:39 AM
> LogName=Security
> SourceName=Microsoft Windows security auditing.
> EventCode=4624
> EventType=0
> Type=Information
> ComputerName=ABC.google.com
> TaskCategory=Logon
> OpCode=Info
> RecordNumber=112720121
> Keywords=Audit Success
> Message=An account was successfully logged on.
> Subject:
> 	Security ID:		NULL SID
> 	Account Name:		-
> 	Account Domain:		-
> 	Logon ID:		0x0
> Logon Type:			3
> New Logon:
> 	Security ID:		ABC
> 	Account Name:		ABC
> 	Account Domain:		ABC
> 	Logon ID:		0x4e149e04
> 	Logon GUID:		{89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}
> Process Information:
> 	Process ID:		0x0
> 	Process Name:		-
> Network Information:
> 	Workstation Name:	
> 	Source Network Address:	10.0.0.0
> 	Source Port:		64340
> Detailed Authentication Information:
> 	Logon Process:		Kerberos
> 	Authentication Package:	Kerberos
> 	Transited Services:	-
> 	Package Name (NTLM only):	-
> 	Key Length:		0
> This event is generated when a logon session is created. It is generated on the computer that was accessed.
> The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
> The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
> The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
> The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
> The authentication information fields provide detailed information about this specific logon request.
> 	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
> 	- Transited services indicate which intermediate services have participated in this logon request.
> 	- Package name indicates which sub-protocol was used among the NTLM protocols.
> 	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
> Here is the sample output:
> {"computer_name":"ABC.google.com","keywords":"Audit Success","log_name":"Security","record_number":"112720121","device_generated_timestamp":1454666079000,"source_type":"Windows Syslog","message":"An account was successfully logged on.\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\nLogon Type:\t\t\t3\nNew Logon:\n\tSecurity ID:\t\tABC\\ABC\n\tAccount Name:\t\tABC\n\tAccount Domain:\t\tABC\n\tLogon ID:\t\t0x4e149e04\n\tLogon GUID:\t\t{89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t10.0.0.0\n\tSource Port:\t\t64340\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\n","type":"Information","op_code":"Info","original_string":"<13> BNY387S1 02\/05\/2016 09:54:39 AM\nLogName=Security\nSourceName=Microsoft Windows security auditing.\nEventCode=4624\nEventType=0\nType=Information\nComputerName=ABC.google.com\nTaskCategory=Logon\nOpCode=Info\nRecordNumber=112720121\nKeywords=Audit Success\nMessage=An account was successfully logged on.\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\nLogon Type:\t\t\t3\nNew Logon:\n\tSecurity ID:\t\tABC$\n\tAccount Name:\t\tABC\n\tAccount Domain:\t\tABC\n\tLogon ID:\t\t0x4e149e04\n\tLogon GUID:\t\t{89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t10.136.56.211\n\tSource Port:\t\t64340\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\n","event_type":"0","event_code":"4624","computer_name_simple":"ABC","ingest_timestamp":1463505709609,"task_category":"Logon","source_name":"Microsoft Windows security auditing.","timestamp":1454666079000}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
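A parser for the event format the ticket describes, added here as an illustration; it is not the Metron project's own parser code. It assumes the device timestamp is UTC (which is what the sample output's epoch value implies), uses a constructed, trimmed sample event, and adds a second function that flattens the message body so a detection rule can read fields such as Logon Type or Source Network Address directly.

```python
import re
from datetime import datetime, timezone

SAMPLE = (  # constructed sample in the ticket's format; the message body is trimmed
    "<13> ABC 02/05/2016 09:54:39 AM\nLogName=Security\nSourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\nEventType=0\nType=Information\nComputerName=ABC.google.com\nTaskCategory=Logon\n"
    "OpCode=Info\nRecordNumber=112720121\nKeywords=Audit Success\nMessage=An account was successfully logged on.\n"
    "Subject:\n\tAccount Name:\t\t-\nLogon Type:\t\t\t3\nNew Logon:\n\tAccount Name:\t\tABC\n"
    "\tLogon ID:\t\t0x4e149e04\nNetwork Information:\n\tWorkstation Name:\t\n"
    "\tSource Network Address:\t10.0.0.0\n\tSource Port:\t\t64340\n"
)
HEADER_RE = re.compile(r"^<\d{1,3}>\s*(\S+)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)$")
KV_RE = re.compile(r"^([A-Za-z]+)=(.*)$")
MSG_FIELD_RE = re.compile(r"^(\t?)([^:\t]+):\t*(.*)$")  # groups: (indent, key, value)
# Header key -> output field name, following the ticket's sample output.
FIELD_NAMES = {"LogName": "log_name", "SourceName": "source_name", "EventCode": "event_code",
               "EventType": "event_type", "Type": "type", "ComputerName": "computer_name",
               "TaskCategory": "task_category", "OpCode": "op_code", "RecordNumber": "record_number",
               "Keywords": "keywords"}

def parse_windows_syslog(raw):
    # Turn one event into the flat document shown in the ticket's sample output.
    lines = raw.split("\n")
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError("not a Windows syslog header: %r" % lines[0])
    host, ts = m.groups()
    # The sample output renders the device time as UTC epoch milliseconds.
    dt = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    millis = int(dt.timestamp() * 1000)
    event = {"original_string": raw, "source_type": "Windows Syslog", "computer_name_simple": host,
             "device_generated_timestamp": millis, "timestamp": millis}
    for i, line in enumerate(lines[1:], start=1):
        kv = KV_RE.match(line)
        if kv is None:
            raise ValueError("unexpected line %d: %r" % (i, line))
        key, value = kv.groups()
        if key == "Message":  # Message= runs to the end of the event; keep the body verbatim
            event["message"] = "\n".join([value] + lines[i + 1:])
            return event
        event[FIELD_NAMES[key]] = value  # KeyError for a header field the ticket does not list
    raise ValueError("event has no Message= line")

def message_fields(message):
    # Flatten the body's 'Key:<tabs>Value' lines into a dict keyed by 'Section.Key'.
    fields, section = {}, ""
    for line in message.split("\n"):
        m = MSG_FIELD_RE.match(line)  # explanatory sentences have no colon and are skipped
        if m and not m.group(1) and m.group(3) == "":
            section = m.group(2)  # an unindented header such as 'New Logon:'
        elif m:
            fields[(section + "." if m.group(1) else "") + m.group(2)] = m.group(3)
    return fields
```

An unknown header field fails loudly with a KeyError rather than being silently dropped, which is the behaviour you want from a parser feeding a SIEM.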