How to count the account name and IP address of the Windows log?


Jacky Qin

Sep 11, 2019, 9:46:57 PM
to Wazuh mailing list
Hi ,

There are many Windows account Alerts every day, for example, 18130-Windows: Logon Failure - Unknown user or bad password. 18152-Multiple Windows Logon Failures.

We want to count which wrong account names these are, and the source network address. This information is available in full_log. I don't know how to extract them, can you help me?
2017 Apr 18 17:30:52 WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-1: An account failed to log on. Subject: Security ID: S-1-5-10 Account Name: WIN-1$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 10 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Santiago Account Domain: test2 Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064 Process Information: Caller Process ID: 0xb50 Caller Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: WIN-1 Source Network Address: 17.217.25.247 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It.

Best regards
Jacky Qin
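The counting asked for above, as an added example that is not part of the thread or of Wazuh: it pulls the failed account name and the source address out of the 4625 text in full_log and tallies failures per (account, source IP) pair. It assumes English field labels as in the event quoted above, and the sample events are constructed by abridging that event.

```python
import re
from collections import Counter

# The first "Account Name:" in a 4625 event belongs to the Subject (the
# machine account, e.g. WIN-1$); the account that actually failed follows
# the "Account For Which Logon Failed:" label, so anchor the match there.
FAILED_ACCOUNT_RE = re.compile(
    r"Account For Which Logon Failed:.*?Account Name:\s*(?P<name>.+?)\s+Account Domain:")
SRC_ADDR_RE = re.compile(r"Source Network Address:\s*(?P<ip>\S+)")

def extract_fields(full_log):
    """Return (account_name, src_ip) from a 4625 full_log string.
    A '-' source address (local or console logon) becomes None, which is
    the same situation that leaves data.srcip empty in Kibana."""
    name_m = FAILED_ACCOUNT_RE.search(full_log)
    ip_m = SRC_ADDR_RE.search(full_log)
    name = name_m.group("name") if name_m else None
    ip = ip_m.group("ip") if ip_m else None
    return name, (None if ip == "-" else ip)

def count_failures(lines):
    """Count 4625 logon failures per (account_name, src_ip) pair."""
    counts = Counter()
    for line in lines:
        if "AUDIT_FAILURE(4625)" in line:
            counts[extract_fields(line)] += 1
    return counts

def make_event(account, src_ip):
    """Build an abridged 4625 event (constructed test data, not a real capture)."""
    return ("2017 Apr 18 17:30:52 WinEvtLog: Security: AUDIT_FAILURE(4625): "
            "Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-1: "
            "An account failed to log on. Subject: Security ID: S-1-5-10 "
            "Account Name: WIN-1$ Account Domain: WORKGROUP Logon Type: 10 "
            "Account For Which Logon Failed: Security ID: S-1-0-0 "
            f"Account Name: {account} Account Domain: test2 Failure Information: "
            "Failure Reason: Unknown user name or bad password. Status: 0xC000006D "
            f"Network Information: Workstation Name: WIN-1 Source Network Address: {src_ip} Source Port: 0")

SAMPLE_LOGS = [
    make_event("Santiago", "17.217.25.247"),
    make_event("Santiago", "17.217.25.247"),
    make_event("backup", "-"),  # console logon: no source address
    "2017 Apr 18 17:31:00 WinEvtLog: Security: AUDIT_SUCCESS(4624): logon ok",  # not a failure
]

if __name__ == "__main__":
    for (name, ip), n in count_failures(SAMPLE_LOGS).most_common():
        print(f"{n:4d}  account={name}  srcip={ip}")
```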

Juan Pablo Saez

Sep 12, 2019, 8:58:44 AM
to Wazuh mailing list
Hi Jacky,

Could you explain your use case a bit more?

I don't know if you want to ignore these alerts, block the IPs or just extract the data and put it in a file.

I hope I can help you soon. Best regards,

Juan Pablo Sáez

Jacky Qin

Sep 15, 2019, 10:56:19 PM
to Wazuh mailing list
Hi Juan,

Sorry to reply late.

Straightforward: I want to put the Account Name and Source Network Address of full_log in wazuh-alerts-3.x-* of Kibana.
[screenshot: 20190916105304.png]

Best regards
Jacky Qin
On Thursday, September 12, 2019 at 8:58:44 PM UTC+8, Juan Pablo Saez wrote:

Juan Pablo Saez

Sep 16, 2019, 11:04:49 AM
to Wazuh mailing list
Hi again Jacky,


Please follow the steps below to show these two fields in the Wazuh Kibana app. This example is based on Kibana 7.x and it seems you have the 6.x version. This is not a problem, as the procedure remains the same:

  • On Kibana Management, choose index patterns and choose the wazuh-alerts-3.x-* index:
[screenshot: export.png]

  • Then, inside the index, push the refresh button on the top right side:
[screenshot: imageedit_5_3391793243.png]

That should be enough to see Account Name as data.account_name and Source Network Address as data.srcip.

Please, let me know if it helps. Best regards, 

Juan Pablo Sáez

Jacky Qin

Sep 17, 2019, 12:27:54 AM
to Wazuh mailing list
Hi Juan,

I've clicked the refresh button, but I have two questions.

1. Kibana has an error message.

blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];: [cluster_block_exception] blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];

Error: blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];: [cluster_block_exception] blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];

2. data.account_name and data.srcip are already in wazuh-alerts-3.x-*, but they are missing fields.

[screenshot: 20190917120954.png]

data.srcip is missing, I know, because sometimes the source network address in the Windows log is "-". Why is data.account_name missing? Can't it extract Chinese logs from the Windows system?

[screenshot: 20190917121531.png]

Best regards
Jacky Qin

On Monday, September 16, 2019 at 11:04:49 PM UTC+8, Juan Pablo Saez wrote:

Juan Pablo Saez

Sep 25, 2019, 5:49:41 AM
to Wazuh mailing list
Hi again Jacky,

Sorry for the late reply.

> data.srcip is missing, I know, because sometimes the source network address in the Windows log is "-". Why is data.account_name missing? Can't it extract Chinese logs from the Windows system?

I talked to the development team about this issue:

- Wazuh supports 1-byte UTF-8 characters, while Chinese characters have a 3-byte internal representation. You can see it in the table below:

This 3-byte character representation leads to errors, as Wazuh reads 3 characters for each Chinese character.


We would like to do more testing: could you paste here some Chinese example events from /var/ossec/logs/archives/archives.log? This way we can try to create a decoder that allows you to extract the account name. We also want to evaluate if we need to open an issue to enhance our Chinese characters support and give you the best solution/workaround.

On the other hand, for what it's worth, in English Windows + Chinese language pack environments, Wazuh decodes events properly, as the events generated have English output.

I hope it helps. Best regards,

Juan Pablo Sáez

Jacky Qin

Sep 29, 2019, 9:18:10 PM
to Wazuh mailing list
Hi Juan,

Sorry for the late reply. This is the Chinese log from archives. The account name is "1". The source network address is "172.20.102.50".

Best regards
Jacky Qin

On Wednesday, September 25, 2019 at 5:49:41 PM UTC+8, Juan Pablo Saez wrote:
[attachment: archives - CS.log]

Juan Pablo Saez

Oct 16, 2019, 6:53:00 AM
to Wazuh mailing list
Hi Jacky,

First of all, sorry for the late reply.

After some investigation, I have opened an issue in our GitHub repository, since this is a problem that has no trivial solution. When our workflow allows us, the team will investigate how to correctly extract all the fields available in the Chinese version of Eventlog events. You can track the issue progress here.

I don't know if it's an option for you (I already mentioned this above), but English Windows with the Chinese language pack outputs its logs in English.

Let me know if I can help you with something else.
Best regards, JP Sáez

Jacky Qin

Oct 24, 2019, 9:18:18 PM
to Wazuh mailing list
Hi Juan,

Thank you very much for your help. I will keep track of this issue. Thanks again.

Best regards
Jacky Qin

On Wednesday, October 16, 2019 at 6:53:00 PM UTC+8, Juan Pablo Saez wrote: