Winlogbeat: Problem to get fields from nested winevent message

Hello

I have a problem with winlogbeat (7.9.1). I'm trying to get fields which are "nested" in the message field, for example:

"message": Endpoint: xxxyy211\n
           Endpoint IP: 10.1.1.x\n
           Domain: Agents\\xxx\\update\\\n
           Date/Time: 22.09.2020 13:43:16\n
           Detailed information:

All other "normal" fields can be filtered and indexed without any problem.
Not sure if this is important, but this winlog event is from the Trend Micro AV system.

Thanks for help
Pedro

What fields are there in winlog.event_data.*?

The data you want might already be in there. For most Windows events that's where you'll find the raw data that contributes to the message. But for third-party events you sometimes just get a single string. When that happens you have to parse the message with tools like the dissect or grok processors.

Hello,

In message and in winlog.event_data.param1 I have exactly the same content. Do you maybe have an example of how to retrieve all these fields separately?

message
Endpoint: xxx
Endpoint IP: 10.10.0.90
Domain: Agents
Date/Time: 21.09.2020 09:25:57
Detailed information:
[HKTL_AUTOKMS]
Location = D:\Recovered data 02-10 14_07_13\Lost Partition\Users\Public\Documents\SPHE\downloads\Microsoft Office 2016 VL ProPlus English (x86-x64) June 2016\Office_2016_ProPlus_64Bit_EN_06.2016\Bonus\Microsoft Toolkit 2.6 BETA 5\Microsoft Toolkit.exe
Scan Type = File System
Threat Type = General

winlog.event_data.param1
Endpoint: xxxx
Endpoint IP: 10.10.0.90
Domain: Agents
Date/Time: 21.09.2020 09:25:57
Detailed information:
[HKTL_AUTOKMS]
Location = D:\Recovered data 02-10 14_07_13\Lost Partition\Users\Public\Documents\SPHE\downloads\Microsoft Office 2016 VL ProPlus English (x86-x64) June 2016\Office_2016_ProPlus_64Bit_EN_06.2016\Bonus\Microsoft Toolkit 2.6 BETA 5\Microsoft Toolkit.exe
Scan Type = File System
Threat Type = General
Risk Level = Low
Action Result = Cleaned
Location = D:\Recovered data 02-10 14_07_13\Lost Partition\KMSCleaner.exe
Scan Type = File System
Threat Type = General

In that case you'll have to parse it. You can add a dissect processor. For example:

winlogbeat.event_logs:
- name: foo
  processors:
  - dissect:
      when.equals.event.code: 1234
      tokenizer: "Endpoint: %{source.address}\nEndpoint IP: %{source.ip}\nDomain: %{foo}"
      field: "winlog.event_data.param1"

I added it to the winlogbeat.yml config file but with no results. No errors on the winlogbeat side. I did the config to have the same number of fields as the log has, but it didn't help. Also I removed the condition for event.code = 500, but also without success. Is there anything more which has to be configured?

winlogbeat.event_logs:
  - name: foo   # must be the actual Windows event log channel name; "foo" is only the placeholder from the example above
    processors:
      - dissect:
          when.equals.event.code: 500
          field: message   # the same text is also in winlog.event_data.param1
          tokenizer: |-
            Virus/Malware: %{virus}
            Endpoint: %{source.address}
            Endpoint IP: %{source.ip}
            Domain: %{domain}
            File: %{file}
            Date/Time: %{time.virus}
            Result: %{result}

My test virus in the events looks like this:

winlog.event_data.param1
Virus/Malware: Eicar_test_file
Endpoint: Sxx01
Endpoint IP: 10.10.10.7
Domain: Server\team\
File: C:\Users\xxx\AppData\Local\Microsoft\Windows\INetCache\IE\T1NL5DXZ\eicarcom2[1].zip (eicar.com)
Date/Time: 25.09.2020 00:23:59
Result: Quarantine

winlog.event_id 500
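To make concrete what "parse the message" means for these Trend Micro events, here is an added example (not winlogbeat code, and not the dissect processor itself) that parses both message shapes shown in this thread: the "Key: value" header lines, and the repeated "Key = value" records under "Detailed information:" that a single dissect pattern with a fixed number of keys cannot capture. It also shows why the "Endpoint IP" value should be validated before it is written to source.ip: ECS maps source.ip as an ip field, so an anonymised or malformed value such as "10.1.1.x" would make Elasticsearch reject the whole document. The two sample messages are copied from the posts above (the long quarantine path is shortened), the third is constructed; the parse_av_message and to_ecs functions and the trendmicro.* field names are my own assumptions, not part of any Elastic or Trend Micro schema.

```python
"""Parse Trend Micro AV Windows event messages into structured fields.

Added example for the thread above; it is not winlogbeat or dissect code.
Field names under trendmicro.* are assumptions chosen for this example.
"""
import ipaddress
import json
import re

# Sample messages taken from the thread (path shortened); \r\n on the first
# one to show that Windows-style line endings are handled as well.
SAMPLE_DETECTION = (
    "Endpoint: xxxx\r\n"
    "Endpoint IP: 10.10.0.90\r\n"
    "Domain: Agents\r\n"
    "Date/Time: 21.09.2020 09:25:57\r\n"
    "Detailed information:\r\n"
    "[HKTL_AUTOKMS]\r\n"
    "Location = D:\\Recovered data 02-10 14_07_13\\Lost Partition\\Microsoft Toolkit.exe\r\n"
    "Scan Type = File System\r\n"
    "Threat Type = General\r\n"
    "Risk Level = Low\r\n"
    "Action Result = Cleaned\r\n"
    "Location = D:\\Recovered data 02-10 14_07_13\\Lost Partition\\KMSCleaner.exe\r\n"
    "Scan Type = File System\r\n"
    "Threat Type = General\r\n"
)
SAMPLE_EICAR = (
    "Virus/Malware: Eicar_test_file\n"
    "Endpoint: Sxx01\n"
    "Endpoint IP: 10.10.10.7\n"
    "Domain: Server\\team\\\n"
    "File: C:\\Users\\xxx\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\T1NL5DXZ\\eicarcom2[1].zip (eicar.com)\n"
    "Date/Time: 25.09.2020 00:23:59\n"
    "Result: Quarantine\n"
)

HEADER_RE = re.compile(r"^([^:=]+?):\s*(.*)$")   # "Key: value" lines
DETAIL_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")  # "Key = value" lines
THREAT_RE = re.compile(r"^\[(.+)\]$")             # "[THREAT_NAME]" record header


def _key(name: str) -> str:
    """Normalise 'Date/Time' -> 'date_time', 'Endpoint IP' -> 'endpoint_ip'."""
    return re.sub(r"[^a-z0-9]+", "_", name.strip().lower()).strip("_")


def parse_av_message(message: str) -> dict:
    """Return header fields plus a 'detections' list for the detailed section."""
    fields, detections, current, in_details = {}, [], None, False
    for raw in message.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if not in_details:
            if line.startswith("Detailed information:"):
                in_details = True
                continue
            m = HEADER_RE.match(line)
            if m:
                fields[_key(m.group(1))] = m.group(2).strip()
            continue
        m = THREAT_RE.match(line)
        if m:  # a new threat block starts a new record
            current = {"threat": m.group(1)}
            detections.append(current)
            continue
        m = DETAIL_RE.match(line)
        if not m:
            continue
        key = _key(m.group(1))
        if current is None or key in current:
            # Repeated key (e.g. a second "Location =") means another file
            # for the same threat: start a fresh record that keeps the threat.
            current = {"threat": current["threat"]} if current else {}
            detections.append(current)
        current[key] = m.group(2).strip()
    if detections:
        fields["detections"] = detections
    return fields


def to_ecs(fields: dict) -> dict:
    """Map parsed fields to ECS / custom names, validating the IP first."""
    ecs = {}
    if "endpoint" in fields:
        ecs["source.address"] = fields["endpoint"]
    raw_ip = fields.get("endpoint_ip")
    if raw_ip is not None:
        try:
            ecs["source.ip"] = str(ipaddress.ip_address(raw_ip))
        except ValueError:
            # Not a valid IP (e.g. "10.1.1.x"): keep it, but not in an ip-typed field.
            ecs["trendmicro.endpoint_ip_raw"] = raw_ip
    for name in ("domain", "virus_malware", "file", "date_time", "result", "detections"):
        if name in fields:
            ecs["trendmicro." + name] = fields[name]
    return ecs


if __name__ == "__main__":
    for sample in (SAMPLE_DETECTION, SAMPLE_EICAR):
        print(json.dumps(to_ecs(parse_av_message(sample)), indent=2))
```

Running the script prints the two messages as flat field sets; the detection message yields two records under trendmicro.detections (one per Location line), which is the part a fixed dissect tokenizer silently lumps into its last key.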
