event_id - how to detect


Ivan Kuncl

Jan 28, 2021, 1:26:35 AM
to sagan-users
I would like to detect group creation, so I uncommented the desired rule. When I debug Sagan I see the following:
[D] Data in _Sagan_Proc_Syslog (including extracted JSON)
[D] -----------------------------------------------------------------------------
[D]  * message: "  4727: A security-enabled global group was created. Subject: Security ID: S-1-5-21-3641769155-4107095991-1524253519-8107 Account Name: admXX Account Domain: COMPANY Logon ID: 0x4DCCB98 New Group: Security ID: S-1-5-21-3641769155-4107095991-1524253519-31254 Group Name: testGROUP Group Domain: COMPANY Attributes: SAM Account Name: testGROUP SID History: - Additional Information: Privileges: -"
[D]  * program: "Security"
[D]  * host: "1X.4.1XX.XX"
[D]  * level: "info"
[D]  * facility: "user"
[D]  * priority: "14"
[D]  * tag: "UNDEFINED"
[D]  * time: "07:18:29"
[D]  * date: "2021-01-28"
[D]  * src_ip : ""
[D]  * dst_ip : ""
[D]  * src_port : "0"
[D]  * dst_port : "0"
[D]  * proto : "0"
[D]  * ja3: ""
[D]  * event_id: "UNDEFINE"
[D]  * md5: ""
[D]  * sha1: ""
[D]  * sha256: ""
[D]  * filename: ""
[D]  * hostname: ""
[D]  * url: ""
[D]  * username: ""

So even though event_id 4727 is at the beginning of the message, it isn't detected.
Can you help me find where the problem might be?

Fragment of nxlog.conf is:
<Input eventlog>
    Module im_msvistalog
    Exec $Message = $EventID + ': ' + $Message;\
         $Message =~ s/\t/ /g;\
         $Message =~ s/\s\s+/ /g;
Sagan is version 2.0.1

Thank You
Ivan

Da Beave

Jan 28, 2021, 11:00:58 AM
to sagan...@googlegroups.com

Hmmm... The output looks good. Not sure why it's not parsing the event_id. Let me see if I can replicate.



Da Beave

Jan 28, 2021, 12:01:11 PM
to sagan...@googlegroups.com
Ivan, 

I was able to locate the issue. I am guessing that you are using the Sagan JSON input module to parse NXLog data.

The JSON input module can look for a JSON field to pull the event_id from. It appears you are using Sagan's JSON input module but are attempting to pull the event ID from the message rather than a JSON field. There was a bug that prevented this from working. It now checks to see if you have an "event_id" rule option. If the rule option is enabled and the JSON input module is being used, we look for an "event_id" in the JSON input mapping. If the input mapping fails, it will parse the "message" field for the event ID. This is where there was a bug.

Since you are not parsing JSON for the Event ID, when using the --debug json flag, the "event_id" will still show NULL. However, using the --debug engine flag, you should see that the event_id gets picked up via Sagan parsing the message. You can pass Sagan "--debug json,engine" to see this.

I have pushed the fix up to GitHub. Pull the latest version and test. I believe this should correct your issue. If not, please open an issue on GitHub and we'll get it sorted out. Thank you for reporting this issue!
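The lookup order described in this reply (take event_id from the JSON input mapping when one is present, otherwise parse it from the "<EventID>: " prefix that the nxlog.conf Exec line prepends to $Message), written out as an added example. This is not Sagan's own code or the project's parser; the record layout and field names are assumed from the debug output earlier in the thread, the sample records are constructed with placeholder SIDs, and the example goes one step beyond the thread by also recognising the sibling group-creation events 4731 and 4754.

```python
import re

# Constructed sample records shaped like the NXLog -> Sagan JSON input
# shown in the thread. SIDs and names are placeholders, not real values.
SAMPLE_MESSAGE_ONLY = {
    "program": "Security",
    "host": "10.0.0.1",
    "message": (
        "  4727: A security-enabled global group was created. "
        "Subject: Security ID: S-1-5-21-1111-2222-3333-8107 "
        "Account Name: admXX Account Domain: COMPANY Logon ID: 0x4DCCB98 "
        "New Group: Security ID: S-1-5-21-1111-2222-3333-31254 "
        "Group Name: testGROUP Group Domain: COMPANY Attributes: "
        "SAM Account Name: testGROUP SID History: - "
        "Additional Information: Privileges: -"
    ),
}
# Same event, but the input mapping already supplied an event_id field.
SAMPLE_WITH_FIELD = dict(SAMPLE_MESSAGE_ONLY, event_id="4727")

# "<EventID>: " prefix added by the Exec line; leading whitespace survives
# the s/\s\s+/ /g collapse, as seen in the debug output ("  4727: ...").
_PREFIX_RE = re.compile(r"^\s*(\d+):\s")

# Field labels stay inline once tabs/newlines have been collapsed to spaces.
_SUBJECT_RE = re.compile(
    r"Subject: Security ID: \S+ Account Name: (\S+) Account Domain: (\S+)")
_GROUP_RE = re.compile(
    r"New Group: Security ID: \S+ Group Name: (\S+) Group Domain: (\S+)")

# Windows Security event IDs for security-enabled group creation.
GROUP_CREATION_EVENTS = {
    "4727": "security-enabled global group created",
    "4731": "security-enabled local group created",
    "4754": "security-enabled universal group created",
}


def extract_event_id(record):
    """Prefer an explicit event_id from the JSON mapping; otherwise fall
    back to the numeric prefix of the message. Returns "" if neither works."""
    eid = record.get("event_id")
    if eid:
        return str(eid)
    m = _PREFIX_RE.match(record.get("message", ""))
    return m.group(1) if m else ""


def detect_group_creation(record):
    """Return an alert dict for group-creation events, else None."""
    eid = extract_event_id(record)
    if eid not in GROUP_CREATION_EVENTS:
        return None
    msg = record.get("message", "")
    subj = _SUBJECT_RE.search(msg)
    grp = _GROUP_RE.search(msg)
    return {
        "event_id": eid,
        "description": GROUP_CREATION_EVENTS[eid],
        # DOMAIN\name form for the account that created the group
        "subject": f"{subj.group(2)}\\{subj.group(1)}" if subj else "",
        # DOMAIN\name form for the new group
        "group": f"{grp.group(2)}\\{grp.group(1)}" if grp else "",
        "host": record.get("host", ""),
    }


if __name__ == "__main__":
    for rec in (SAMPLE_WITH_FIELD, SAMPLE_MESSAGE_ONLY):
        print(detect_group_creation(rec))
```

Both sample records produce the same alert, which is the behaviour the fix aims for: the message-prefix fallback only runs when the JSON mapping yields nothing, so a record that carries a proper event_id field is never re-parsed from free text.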


Ivan Kuncl

Jan 28, 2021, 3:09:08 PM
to sagan-users
I tried the patch. The result is that the event_id is an empty string. I opened the issue on GitHub.

Best regards
Ivan

On Thursday, January 28, 2021 at 18:01:11 UTC+1, Da Beave wrote: