TargetUserName is not mapped to an indexed field


AntonH

May 12, 2017, 10:33:03 AM
to ossec-list
Hello,

I'm using Wazuh and I don't know how to map TargetUserName to an indexed field.
Security events are generated but the associated username is not mapped so there is no way to search for or display the culprit.

The field marked yellow is not mapped or indexed.


Corresponding XML event from eventvwr


I'm using the ossec-agent to transport logs to Wazuh v2.0


I hope someone can help me.


dan (ddp)

May 12, 2017, 7:52:46 PM
to ossec...@googlegroups.com
On Fri, May 12, 2017 at 4:40 AM, AntonH <an...@inkcreations.com> wrote:
> Hello,
>
> I'm using Wazuh and I don't know how to map TargetUserName to an indexed
> field.
> Security events are generated but the associated username is not mapped so
> there is no way to search for or display the culprit.
>
> The field marked yellow is not mapped or indexed.
>
>
> Corresponding xml event from eventvwr
>
>
> I'm using the ossec-agent to transport logs to Wazuh v2.0
>
>
> I hope someone can help me.
>

It might be better to ask Wazuh about their project.


Jesus Linares

May 15, 2017, 4:19:04 AM
to ossec-list
Hi AntonH,

you don't see TargetUserName in Kibana, because OSSEC decoders are not extracting that field. We will need to improve them.

Could you paste the raw log (full_log) here? Once we update the decoders and you install them, the new events will come with the TargetUserName extracted.

Regards.

Pedro Sanchez

May 17, 2017, 4:30:41 AM
to ossec...@googlegroups.com
Hi AntonH,

I can see your full_log on Kibana screenshots, it seems like even OSSEC is not getting that field on the raw_log, meaning we are not extracting it from the EventChannel.
Currently OSSEC is not extracting all the fields detail on the XML, related code: https://github.com/wazuh/wazuh/blob/master/src/logcollector/read_win_event_channel.c#L738

Related issues / mails:

"OSSEC Windows Agent fails to extract data from some eventchannel events"

"Potential Bug: Windows Security Event ID 5140 incorrectly parsed by OSSEC."
https://groups.google.com/forum/#!topic/ossec-list/GnA9qGZw9MU

"Bug in Windows ossec-agent: Windows event ID 4664 is misread."

Mainly OSSEC is subscribing to a certain channel, extracting some fields manually (name, id, source, uid, computer, level...) and adding to the event the string returned by calling the Windows function EvtFormatMessage().
I am not sure right now how to get TargetUserName from the event log, but I will study it if I have some time.

As Jesus said, once we get that Windows field into the "full_log" field, you will only need to add new decoders to extract it and populate it to Kibana.


Regards,
Pedro Sanche.


Jesus Linares

May 17, 2017, 4:57:54 AM
to ossec-list
Hi all,

I think there is a misunderstanding. According to your full_log, I can see 2 "Account name" fields, the first one is SubjectUserName, and the second one is TargetUserName. We are only extracting the SubjectUserName as Account name. So, if you paste here your log, I can improve the decoder to extract both fields.

Anyway, we are thinking how to improve OSSEC to extract all the windows fields automatically (using dynamic fields) with the proper name.

Regards.
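The two "Account name" fields Jesus describes, as an added example that is not code from this thread or from Wazuh/OSSEC: a small Python parser over a constructed 4624 logon message (whose formatted text has a Subject block and a New Logon block) showing why a decoder keyed on the first "Account Name" only ever yields the Subject account, and how keying on the section instead yields both SubjectUserName and TargetUserName. The sample text and the domain-name mapping are assumptions for illustration.

```python
import re
# Constructed sample (not from the thread) of the text EvtFormatMessage()
# returns for a Security event 4624, as it would land in OSSEC's full_log.
SAMPLE_FULL_LOG = (
    "An account was successfully logged on.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tDC01$\r\n"
    "\tAccount Domain:\t\tEXAMPLE\r\n"
    "\tLogon ID:\t\t0x3E7\r\n\r\n"
    "New Logon:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tEXAMPLE\r\n"
    "\tLogon ID:\t\t0x5A3F2\r\n"
)

def first_account_name_only(full_log):
    """What the thread describes: a decoder keyed on the first 'Account Name'
    always returns the Subject account and never the target (the culprit)."""
    m = re.search(r"Account Name:\s*(\S+)", full_log)
    return m.group(1) if m else None

def parse_sections(full_log):
    """Split an EvtFormatMessage()-style body into {section: {key: value}}:
    an unindented line ending in ':' opens a section, tab-indented lines fill it."""
    sections, current = {}, None
    for line in full_log.splitlines():
        line = line.rstrip()
        if not line.startswith("\t") and line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
        elif line.startswith("\t") and current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            sections[current][key.strip()] = value.strip()
    return sections

# (section, key) pairs mapped to the XML attribute names seen in eventvwr.
FIELD_MAP = {
    ("Subject", "Account Name"): "SubjectUserName",
    ("Subject", "Account Domain"): "SubjectDomainName",
    ("New Logon", "Account Name"): "TargetUserName",
    ("New Logon", "Account Domain"): "TargetDomainName",
}

def decode_logon_accounts(full_log):
    """Return both accounts so the target user becomes a searchable field."""
    sections = parse_sections(full_log)
    return {name: sections[sec][key] for (sec, key), name in FIELD_MAP.items()
            if key in sections.get(sec, {})}
```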