-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Windows Events Not Being Decoded With Eventchanel #224
Comments
Seeing this issue as well with the 2.8 client. Logs with new lines in them from the System, application, and security logs are sent ok. But, when using eventchannel to subscribe the OSSEC client to an Application and Services log each line of a multi-line event is treated as a seperate log entry. For example event ID 1149 in the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log. 2014 Aug 20 13:33:13 (testServer) 1.2.3.4->WinEvtLog 2014 Aug 20 09:33:13 WinEvtLog: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational: Information(1 User: username |
@gaelmuller Any chance you could take a look at this? Seems like a fairly significant issue. |
What can I do to help get this issue fixed? |
If you know C programming drive in. Some Google and playing around and it could be solved. If you don't know C, but still want to help and are willing to learn C. I will help and where I can and we can do pair programming over the internet on this problem and some other problems that simpler and easier to being someone up to speed with. Not enough time yourself you can start looking for people that might want to help in the above two ways. I will do just about anything I can help people get up to speed on development of ossec. |
Unfortunately I don't have strong C experience, nor the time to dive into it, but I could potentially offer a financial incentive to someone to take care of this... |
Sent you an email. |
Work toward fixing issue ossec#224. The event channel output was multiline which was causing issues for users. Found that the old event log code was getting subjected to some string manipulation that was removing newlines and replacing tabs after argument fields with spaces. Moved this code to a central location so both the old and new can be subjected to the same manipulation. Decided to call this function win_format_event_string(). Despite this change, the output from the two event log gathering methods still differs slightly. The old event log message seems to go through a few other things that can change the string liek FormatMessage(), which is a Windows system call. During a small amount of testing it did not appear the old event log gathering ever needed to have newlines removed and tabs replaced. It appears that either the logs are coming out that way or the formatting is being done somewhere previously in the code. Perhaps, FormatMessage() is doing it. That said, the event channel stuff certainly does get affected by win_format_event_string() so it more closely matches it's counterpart albeit not exactly.
I made a first pass at this over in awiddersheim@d890425. The output of the old Here is some sample output of the two right on top of one another. The
|
Made some more improvements to get these more close aligned. Here is what the latest output when using
There are still differences but they are mostly white space. I'm hoping they are able to handle that extra white space or can at least be made to. https://github.com/awiddersheim/ossec-hids/compare/fix_windows_event_channel I've been using nxlog pretty heavily as a source of inspiration and mostly a place to steal. They have some code to get the event types right that we might be able to use. |
Made some more changes. Think things are ready for inclusion into the main line OSSEC code. The differences between
|
Thanks for your work. This should benefit a lot of people. This is why the OSSEC log format needs to be standardized and documented. It's a bit ironic that third-party integrators would have to reverse-engineer the format considering the pain OSSEC decoder writers (myself included) have gone through trying to bring in support for other products. |
Yeah, I know @jrossi has been talking about coming up with a new standard using JSON and experimenting with better communication methods between the agents and the master. Perhaps something we can all sit down, figure out and implement in version 3.0 or something. That should help with adding new stuff in the future. |
I'm not sure my past offer to help with this was fully understood. It's either that or Jeremy and I simply disagree on how the project should be handled in this area, which is fine. My proposal was to create a simple written standard, similar to something like Arcsight CEF (but much, much simpler) that defines fields, delimiters, headers, data types, lengths and so on. That would hopefully prevent issues like this because the person implementing event channel would know, for example, that line feeds should not have been used, but perhaps tabs. JSON could go a long way here, but you still have to define field names, etc. and in the case of Windows at least, mappings. |
Closing this since #457 was merged which should address the original issue. |
When using eventchannel over eventlog, no Windows alerts will be logged in alerts.log and alerts sent. So, basically, it's not usable.
The issue seems to be that the log is sent in a multi-line format. From archives.log:
When using eventlog as the format, the line looks like this:
And everything works normally.
The text was updated successfully, but these errors were encountered: