[ https://issues.apache.org/jira/browse/METRON-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15286736#comment-15286736 ]
Deeptaanshu Kumar commented on METRON-161:
------------------------------------------

Hi Casey,

Our logs do not contain the source IP, but they do provide the username for logon events in AD.

> Create AD Parser
> ----------------
>
> Key: METRON-161
> URL: https://issues.apache.org/jira/browse/METRON-161
> Project: Metron
> Issue Type: New Feature
> Reporter: Deeptaanshu Kumar
>
> Create a parser for the Active Directory telemetry source. This data source
> has 3 formats that should be parsed as specified below:
>
> Required Active Directory fields:
> dcName
> admonEventType
> description
> distinguishedName
> DC
> CN
> whenChanged
> whenCreated
> memberOf
> userAccountControl
>
> Sample Active Directory log message:
> 04/11/2016 17:00:03.182
> dcName=wewewew.google.com
> admonEventType=Update
> Names:
> objectCategory=CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=google,DC=com
> name=CRA3
> distinguishedName=CN=CRA,CN=AzRoleObjectContainer-f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com
> cn=CRA
> Object Details:
> objectGUID=dd4fb895-3672-4f0c-bd73-f41f05205f37
> whenChanged=05:00.03 PM, Mon 04/11/2016
> whenCreated=04:59.49 PM, Mon 04/11/2016
> objectClass=top|msDS-AzRole
> Event Details:
> uSNChanged=1645647639
> uSNCreated=1645647635
> instanceType=4
> Additional Details:
> msDS-AzApplicationData=ptype=g
> msDS-TasksForAzRole=CN=role-Unix Sysadmin,CN=AzTaskObjectContainer-636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com
> msDS-MembersForAzRole=CN=PAWS_ENVPR_DDEPROD_ADM,OU=Bigdata,OU=Groups,DC=google,DC=com
> dSCorePropagationData=16010101000000.0Z
> showInAdvancedViewOnly=TRUE
>
> Data after parsing:
> {
>   "timestamp": "April 11th 2016 17:00:03 (NOTE: Timezone unknown. Solve for this)",
>   "hostname": "wewewew",
>   "dcName": "wewewew.google.com",
>   "admonEventType": "Update",
>   "names.objectCategory": "CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=google,DC=com",
>   "names.name": "CRA",
>   "names.distinguishedName": "CN=CRA,CN=AzRoleObjectContainer-f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com",
>   "names.cn": "CRA",
>   "object.objectGUID": "dd4fb895-3672-4f0c-bd73-f41f05205f37",
>   "object.whenChanged": "05:00.03 PM, Mon 04/11/2016",
>   "object.whenCreated": "04:59.49 PM, Mon 04/11/2016",
>   "object.objectClass": "top|msDS-AzRole",
>   "event.uSNChanged": "1645647639",
>   "event.uSNCreated": "1645647635",
>   "event.instanceType": "4",
>   "additional.msDS-AzApplicationData": "ptype=g",
>   "additional.msDS-TasksForAzRole": "CN=role-Unix Sysadmin,CN=AzTaskObjectContainer-636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com",
>   "additional.msDS-MembersForAzRole": "CN=PAWS_ENVPR_DDEPROD_ADM,OU=Bigdata,OU=Groups,DC=google,DC=com",
>   "additional.dSCorePropagationData": "16010101000000.0Z",
>   "additional.showInAdvancedViewOnly": "TRUE"
> }

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
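The issue text above specifies the mapping from the raw Active Directory message to flattened JSON (section headers become key prefixes, `dcName` yields `hostname`, the leading timestamp has no zone). The following stand-alone Python parser is an added illustration of that mapping; it is not Metron's parser code and not from the issue's reporter. It reproduces the issue's sample message as a constructed input, makes the timezone an explicit required parameter instead of guessing (the issue's open "Solve for this" point) and emits epoch milliseconds, and reports which of the issue's required fields a record lacks. The section-to-prefix table, the `unparsed` bucket for malformed lines and the case-insensitive required-field check are assumptions of this example, not behaviour the issue specifies.

```python
"""Parser for the Active Directory log format described in METRON-161.
Added example code, not Metron's own parser."""
import json
import re
from datetime import datetime, timedelta, timezone

# Section headers in the message map to key prefixes in the flattened
# output, following the "Data after parsing" sample in the issue.
SECTION_PREFIXES = {
    "Names:": "names",
    "Object Details:": "object",
    "Event Details:": "event",
    "Additional Details:": "additional",
}

# Required fields listed in the issue.
REQUIRED_FIELDS = (
    "dcName", "admonEventType", "description", "distinguishedName", "DC",
    "CN", "whenChanged", "whenCreated", "memberOf", "userAccountControl",
)

# Constructed sample input, reproducing the issue's example message.
SAMPLE_LOG = """04/11/2016 17:00:03.182
dcName=wewewew.google.com
admonEventType=Update
Names:
objectCategory=CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=google,DC=com
name=CRA3
distinguishedName=CN=CRA,CN=AzRoleObjectContainer-f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com
cn=CRA
Object Details:
objectGUID=dd4fb895-3672-4f0c-bd73-f41f05205f37
whenChanged=05:00.03 PM, Mon 04/11/2016
whenCreated=04:59.49 PM, Mon 04/11/2016
objectClass=top|msDS-AzRole
Event Details:
uSNChanged=1645647639
uSNCreated=1645647635
instanceType=4
Additional Details:
msDS-AzApplicationData=ptype=g
msDS-TasksForAzRole=CN=role-Unix Sysadmin,CN=AzTaskObjectContainer-636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com
msDS-MembersForAzRole=CN=PAWS_ENVPR_DDEPROD_ADM,OU=Bigdata,OU=Groups,DC=google,DC=com
dSCorePropagationData=16010101000000.0Z
showInAdvancedViewOnly=TRUE
"""

TIMESTAMP_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})$")


def parse_timestamp(line, tz_offset_hours):
    """Parse the zone-less leading timestamp (MM/DD/YYYY HH:MM:SS.mmm).

    The issue leaves the timezone unresolved, so the caller must supply the
    offset of the emitting DC explicitly (assumption of this example); the
    result is epoch milliseconds in UTC.
    """
    m = TIMESTAMP_RE.match(line)
    if not m:
        raise ValueError("unrecognised timestamp line: %r" % line)
    month, day, year, hour, minute, second, millis = (int(x) for x in m.groups())
    tz = timezone(timedelta(hours=tz_offset_hours))
    dt = datetime(year, month, day, hour, minute, second, tzinfo=tz)
    # Integer seconds first, then add millis, to avoid float rounding.
    return int(dt.timestamp()) * 1000 + millis


def parse_ad_message(raw, tz_offset_hours):
    """Flatten one AD message into the dotted-key form shown in the issue."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    if not lines:
        raise ValueError("empty message")
    record = {"timestamp": parse_timestamp(lines[0], tz_offset_hours)}
    prefix = None  # keys before the first section header are unprefixed
    for line in lines[1:]:
        if not line.strip():
            continue
        if line in SECTION_PREFIXES:
            prefix = SECTION_PREFIXES[line]
            continue
        # Split on the FIRST '=' only: values such as "ptype=g" and
        # distinguished names contain further '=' characters.
        key, sep, value = line.partition("=")
        if not sep:
            # Keep malformed lines visible instead of silently dropping them.
            record.setdefault("unparsed", []).append(line)
            continue
        name = key.strip() if prefix is None else "%s.%s" % (prefix, key.strip())
        record[name] = value.strip()
    if "dcName" in record:
        record["hostname"] = record["dcName"].split(".")[0]
    return record


def missing_required(record):
    """Return the issue's required fields absent from a parsed record.

    Matches on the unprefixed attribute name, case-insensitively, since the
    sample output uses e.g. names.cn while the required list says CN.
    """
    present = {key.rsplit(".", 1)[-1].lower() for key in record}
    return [f for f in REQUIRED_FIELDS if f.lower() not in present]


if __name__ == "__main__":
    parsed = parse_ad_message(SAMPLE_LOG, tz_offset_hours=0)
    print(json.dumps(parsed, indent=2))
    print("missing required fields:", missing_required(parsed))
```

Run against the sample, `missing_required` reports `description`, `DC`, `memberOf` and `userAccountControl`: the sample message carries `DC` and `CN` only as components of distinguished-name values, not as attributes of their own, which is the kind of gap a parser test against the required-field list would surface before the parser ships.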