[ https://issues.apache.org/jira/browse/METRON-165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-165:
--------------------------------
    Labels: ParserExtension  (was: )

> Create Windows Syslog Parser
> ----------------------------
>
>                 Key: METRON-165
>                 URL: https://issues.apache.org/jira/browse/METRON-165
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Deeptaanshu Kumar
>              Labels: ParserExtension
>
> Create a parser for Windows Syslog.
> Below are sample messages and their expected parsed output:
>
> <13> ABC 02/05/2016 09:54:39 AM
> LogName=Security
> SourceName=Microsoft Windows security auditing.
> EventCode=4624
> EventType=0
> Type=Information
> ComputerName=ABC.google.com
> TaskCategory=Logon
> OpCode=Info
> RecordNumber=112720121
> Keywords=Audit Success
> Message=An account was successfully logged on.
> Subject:
>     Security ID: NULL SID
>     Account Name: -
>     Account Domain: -
>     Logon ID: 0x0
> Logon Type: 3
> New Logon:
>     Security ID: ABC
>     Account Name: ABC
>     Account Domain: ABC
>     Logon ID: 0x4e149e04
>     Logon GUID: {89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}
> Process Information:
>     Process ID: 0x0
>     Process Name: -
> Network Information:
>     Workstation Name:
>     Source Network Address: 10.0.0.0
>     Source Port: 64340
> Detailed Authentication Information:
>     Logon Process: Kerberos
>     Authentication Package: Kerberos
>     Transited Services: -
>     Package Name (NTLM only): -
>     Key Length: 0
> This event is generated when a logon session is created. It is generated on the computer that was accessed.
> The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
> The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
> The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
> The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
> The authentication information fields provide detailed information about this specific logon request.
>     - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
>     - Transited services indicate which intermediate services have participated in this logon request.
>     - Package name indicates which sub-protocol was used among the NTLM protocols.
>     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
>
> Here is the sample output:
>
> {"computer_name":"ABC.google.com","keywords":"Audit Success","log_name":"Security","record_number":"112720121","device_generated_timestamp":1454666079000,"source_type":"Windows Syslog","message":"An account was successfully logged on.\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\nLogon Type:\t\t\t3\nNew Logon:\n\tSecurity ID:\t\tABC\\ABC\n\tAccount Name:\t\tABC\n\tAccount Domain:\t\tABC\n\tLogon ID:\t\t0x4e149e04\n\tLogon GUID:\t\t{89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t10.0.0.0\n\tSource Port:\t\t64340\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\n","type":"Information","op_code":"Info","original_string":"<13> BNY387S1 02\/05\/2016 09:54:39 AM\nLogName=Security\nSourceName=Microsoft Windows security auditing.\nEventCode=4624\nEventType=0\nType=Information\nComputerName=ABC.google.com\nTaskCategory=Logon\nOpCode=Info\nRecordNumber=112720121\nKeywords=Audit Success\nMessage=An account was successfully logged on.\nSubject:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\nLogon Type:\t\t\t3\nNew Logon:\n\tSecurity ID:\t\tABC$\n\tAccount Name:\t\tABC\n\tAccount Domain:\t\tABC\n\tLogon ID:\t\t0x4e149e04\n\tLogon GUID:\t\t{89C4AB77-51D6-D17B-3EAD-BC8676D1A4D2}\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t10.136.56.211\n\tSource Port:\t\t64340\nDetailed Authentication Information:\n\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\n","event_type":"0","event_code":"4624","computer_name_simple":"ABC","ingest_timestamp":1463505709609,"task_category":"Logon","source_name":"Microsoft Windows security auditing.","timestamp":1454666079000}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
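The parsing the issue asks for, written here in Python as an added illustration rather than Metron's own (Java) parser: the `<PRI> host MM/DD/YYYY hh:mm:ss AM` header, the `Key=Value` block, and the multi-line `Message=` body are mapped to the snake_case field names and UTC epoch-millisecond timestamp shown in the issue's expected output. The sample input is constructed from the issue's example and abridged; `logon_type` is an extra helper, not one of the issue's fields, that pulls the 4624 logon type a detection rule would key on.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the issue's example: syslog header, key=value
# block, then the free-text Message body (abridged here).
SAMPLE = (
    "<13> ABC 02/05/2016 09:54:39 AM\n"
    "LogName=Security\nSourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\nEventType=0\nType=Information\nComputerName=ABC.google.com\n"
    "TaskCategory=Logon\nOpCode=Info\nRecordNumber=112720121\nKeywords=Audit Success\n"
    "Message=An account was successfully logged on.\nSubject:\n\tSecurity ID:\t\tNULL SID\n"
    "Logon Type:\t\t\t3\nNew Logon:\n\tAccount Name:\t\tABC\n"
    "Network Information:\n\tSource Network Address:\t10.0.0.0\n"
)
HEADER = re.compile(r"^<(\d{1,3})>\s*(\S+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\n")


def to_snake(key: str) -> str:
    """LogName -> log_name, OpCode -> op_code: the field names used in the issue."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", key).lower()


def parse_windows_syslog(raw: str) -> dict:
    """Return the flat dict the issue expects; reject input without the header."""
    m = HEADER.match(raw)
    if not m:
        raise ValueError("missing '<PRI> host MM/DD/YYYY hh:mm:ss AM' header")
    host, stamp = m.group(2), m.group(3)
    # The issue's expected output renders the device time as UTC epoch milliseconds.
    dt = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    epoch_ms = int(dt.timestamp() * 1000)
    out = {"original_string": raw, "source_type": "Windows Syslog",
           "computer_name_simple": host, "device_generated_timestamp": epoch_ms,
           "timestamp": epoch_ms}
    # key=value lines run until the line starting with Message=; the remainder is the
    # multi-line event body, kept verbatim so its nested fields stay searchable.
    head, sep, message = raw[m.end():].partition("\nMessage=")
    for line in head.splitlines():
        key, eq, value = line.partition("=")
        if eq:
            out[to_snake(key.strip())] = value.strip()
    if sep:
        out["message"] = message
    return out


def logon_type(event: dict):
    """Pull 'Logon Type' from a 4624 body; 3 is a network logon, 2 is interactive."""
    m = re.search(r"Logon Type:\s*(\d+)", event.get("message", ""))
    return int(m.group(1)) if m else None
```

`parse_windows_syslog(SAMPLE)["device_generated_timestamp"]` yields 1454666079000, the value in the issue's expected output, which only holds if the device time is read as UTC; a parser deployed against hosts logging in local time needs a configurable zone.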