metron-issues mailing list archives

From "James Sirota (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (METRON-165) Create Windows Syslog Parser
Date Thu, 02 Jun 2016 05:39:59 GMT

     [ https://issues.apache.org/jira/browse/METRON-165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-165:
--------------------------------
    Assignee: Casey Stella

> Create Windows Syslog Parser
> ----------------------------
>
>                 Key: METRON-165
>                 URL: https://issues.apache.org/jira/browse/METRON-165
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Deeptaanshu Kumar
>            Assignee: Casey Stella
>              Labels: ParserExtension
>
> Create a parser for Windows Syslog.
> Below are sample messages and their expected parsed output:
> <13> ABC 02/05/2016 09:54:39 AM
> LogName=Security
> SourceName=Microsoft Windows security auditing.
> EventCode=4624
> EventType=0
> Type=Information
> ComputerName=ABC.google.com
> TaskCategory=Logon
> OpCode=Info
> RecordNumber=112720121
> Keywords=Audit Success
> Message=An account was successfully logged on.
> Subject:
> 	Security ID:		NULL SID
> 	Account Name:		-
> 	Account Domain:		-
> 	Logon ID:		0x0
> Logon Type:			3
> New Logon:
> 	Security ID:		ABC
> 	Account Name:		ABC
> 	Account Domain:		ABC
> 	Logon ID:		0x4e149e04
> 	Logon GUID:		{89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}
> Process Information:
> 	Process ID:		0x0
> 	Process Name:		-
> Network Information:
> 	Workstation Name:	
> 	Source Network Address:	10.0.0.0
> 	Source Port:		64340
> Detailed Authentication Information:
> 	Logon Process:		Kerberos
> 	Authentication Package:	Kerberos
> 	Transited Services:	-
> 	Package Name (NTLM only):	-
> 	Key Length:		0
> This event is generated when a logon session is created. It is generated on the computer that was accessed.
> The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
> The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
> The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
> The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
> The authentication information fields provide detailed information about this specific logon request.
> 	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
> 	- Transited services indicate which intermediate services have participated in this logon request.
> 	- Package name indicates which sub-protocol was used among the NTLM protocols.
> 	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
> Here is the sample output:
> {
>   "computer_name": "ABC.google.com",
>   "keywords": "Audit Success",
>   "log_name": "Security",
>   "record_number": "112720121",
>   "device_generated_timestamp": 1454666079000,
>   "source_type": "Windows Syslog",
>   "message": "An account was successfully logged on.\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\nLogon Type:\t\t\t3\nNew Logon:\n\tSecurity ID:\t\tABC\\ABC\n\tAccount Name:\t\tABC\n\tAccount Domain:\t\tABC\n\tLogon ID:\t\t0x4e149e04\n\tLogon GUID:\t\t{89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t10.0.0.0\n\tSource Port:\t\t64340\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\n",
>   "type": "Information",
>   "op_code": "Info",
>   "original_string": "<13> BNY387S1 02\/05\/2016 09:54:39 AM\nLogName=Security\nSourceName=Microsoft Windows security auditing.\nEventCode=4624\nEventType=0\nType=Information\nComputerName=ABC.google.com\nTaskCategory=Logon\nOpCode=Info\nRecordNumber=112720121\nKeywords=Audit Success\nMessage=An account was successfully logged on.\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\nLogon Type:\t\t\t3\nNew Logon:\n\tSecurity ID:\t\tABC$\n\tAccount Name:\t\tABC\n\tAccount Domain:\t\tABC\n\tLogon ID:\t\t0x4e149e04\n\tLogon GUID:\t\t{89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t10.136.56.211\n\tSource Port:\t\t64340\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\n",
>   "event_type": "0",
>   "event_code": "4624",
>   "computer_name_simple": "ABC",
>   "ingest_timestamp": 1463505709609,
>   "task_category": "Logon",
>   "source_name": "Microsoft Windows security auditing.",
>   "timestamp": 1454666079000
> }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
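The parsing the issue asks for, written as an added Python sketch (not Metron's own Java parser): the syslog-style header gives the host and device timestamp, the key=value lines map to the snake_case names in the sample output, and Message runs to the end of the record. Assumptions: the header layout is fixed as in the sample, the device time is read as UTC (which is what yields the sample's 1454666079000), and logon_details is an added helper that extracts the logon type and source address from the 4624 body for detection use, which the issue's output does not do.

```python
import re
from datetime import datetime, timezone

# Header layout as in the issue's sample: "<PRI> HOST MM/DD/YYYY HH:MM:SS AM" (assumed fixed)
HEADER_RE = re.compile(r"^<\d{1,3}>\s*(?P<host>\S+)\s+"
                       r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s*$")
# Windows property name -> snake_case field name used in the issue's expected JSON
FIELD_MAP = {"LogName": "log_name", "SourceName": "source_name", "EventCode": "event_code",
             "EventType": "event_type", "Type": "type", "ComputerName": "computer_name",
             "TaskCategory": "task_category", "OpCode": "op_code",
             "RecordNumber": "record_number", "Keywords": "keywords"}

def parse_windows_syslog(raw: str) -> dict:
    """Parse one record into a dict; raise ValueError if the header does not match."""
    lines = raw.split("\n")
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("unrecognised header: %r" % lines[0])
    # The expected output treats the device time as UTC (assumption; hosts may log local time)
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    ms = int(ts.timestamp()) * 1000
    out = {"source_type": "Windows Syslog", "original_string": raw, "timestamp": ms,
           "computer_name_simple": m.group("host"), "device_generated_timestamp": ms}
    for i, line in enumerate(lines[1:], start=1):
        key, sep, value = line.partition("=")
        if key == "Message":
            # Message runs to the end of the record and keeps its embedded newlines
            out["message"] = "\n".join([value] + lines[i + 1:])
            break
        if sep and key in FIELD_MAP:
            out[FIELD_MAP[key]] = value
    return out

def logon_details(message: str) -> dict:
    """Pull 'Logon Type' and 'Source Network Address' from a 4624 body (added helper, not in the issue)."""
    found = {}
    for line in message.split("\n"):
        label, sep, value = line.strip().partition(":")
        if sep and label in ("Logon Type", "Source Network Address"):
            found[label] = value.strip()
    return found

# Constructed sample record, trimmed from the issue's example input
SAMPLE = ("<13> ABC 02/05/2016 09:54:39 AM\nLogName=Security\n"
          "SourceName=Microsoft Windows security auditing.\nEventCode=4624\nEventType=0\n"
          "Type=Information\nComputerName=ABC.google.com\nTaskCategory=Logon\nOpCode=Info\n"
          "RecordNumber=112720121\nKeywords=Audit Success\n"
          "Message=An account was successfully logged on.\nSubject:\n\tSecurity ID:\t\tNULL SID\n"
          "Logon Type:\t\t\t3\nNetwork Information:\n\tSource Network Address:\t10.0.0.0\n")
```

Note that the issue's sample output does not match its sample input exactly (the original_string carries a different host and source address, presumably from redaction); the example parses the input as given.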
