Lukas_Nagy
Participant

Get Win Message into Description field - WinEventToCPLog

Hello,

I am trying out importing Windows Events log into Check Point Management server. Logs are going in without problem, using WinEventToCPLog agent, however I want to map fields from Win Event to Check Point field. I've followed How to map Windows Events fields to Check Point log fields however, I was only successful mapping fields with value from debug after '%' sign.

Here is my map field configuration:

# User Login Successful Mapping
(
     : ("Microsoft-Windows-Security-Auditing:4624"
          : (%6
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )
# User initiated logoff
     : ("Microsoft-Windows-Security-Auditing:4647"
          : (%2
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )
# An account was logged off
     : ("Microsoft-Windows-Security-Auditing:4634"
          : (%2
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )
# User Login Failure Mapping
     : ("Microsoft-Windows-Security-Auditing:4625"
          : (%6
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )
)

Here is a screen from the management server:

Details of log message:

User was successfully mapped, however Win Message is not. What should I write to the mapping file to have Win Message in Description? Or other fields, such as EventID, would be nice too.

Thanks.

4 Replies
Hugo_vd_Kooij
Advisor

You have an empty value in the field_type() call. That should be string.

For example:

(
   : ("Microsoft-Windows-Security-Auditing:4624"
      : (%6
         :field_name (User)
         :field_type (string)
      )
   )
)
<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Lukas_Nagy
Participant

Hi,

From the comments at the top of the configuration, it is said that field_type () is by default string. I can see it worked for the User field (as I can see that mapped in the log); the problem is when I try to map fields that don't start with '%{number}'. To be sure, I've added the string field type everywhere, but nothing has changed.

Here is example from debug when starting WinEventToCPLog.exe -d (windowEvent0.log) to find the field names to map:

---------------------------------------------------------------------------
Reading internal event number: 23725
Wed Sep 27 07:34:34 2017
Security
EventID:     4624
EventTime:     4624
%1 = S-1-0-0
%2 = -
%3 = -
%4 = 0x0
%5 = S-1-5-21-2211272001-3120902545-1089152063-500
%6 = Administrator
%7 = NILFISK-LAB-ADM
%8 = 0x70ba991
%9 = 3
%10 = NtLmSsp
%11 = NTLM
%12 = PRGNTBLN02
%13 = {00000000-0000-0000-0000-000000000000}
%14 = -
%15 = NTLM V2
%16 = 128
%17 = 0x0
%18 = -
%19 = -
%20 = -
%21 = %%1833
Win Message(string):     An account was successfully logged on.
Security ID(string):     S-1-0-0
Account Name(string):     -
Account Domain(string):     -
Logon ID(string):     0x0
Logon Type(string):     3
Impersonation Level(string):
Security ID1(string):     S-1-5-21-2211272001-3120902545-1089152063-500
User(string):     Administrator
Account Domain1(string):     NILFISK-LAB-ADM
Logon ID1(string):     0x70ba991
Logon GUID(string):     {00000000-0000-0000-0000-000000000000}
Process ID(string):     0x0
Process Name(string):     -
Workstation Name(string):     PRGNTBLN02
Source Network Address(string):     -
Source Port(string):     -
Logon Process(string):     NtLmSsp
Authentication Package(string):     NTLM
Transited Services(string):     -
Package Name (NTLM only)(string):     NTLM V2
Key Length(string):     128
Product(string):     Windows OS
Event Source File(string):     Security
Application(string):     Microsoft-Windows-Security-Auditing
__orig(ipaddr):     10.8.86.20
Computer(string):     Nilfisk-LAB-ADMIN
Event Type(string):     Success Audit

So I can't map the field on line 28 to the Check Point log; it only shows in the More section when I open the log.

Hugo_vd_Kooij
Advisor

You can only Map %1 up to %21 to LEA field names.

According to the Debug work you have done this for the User field because it contains the value from %2.

Which other fields from the numbered fields might be useful?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
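An added illustration, not code from this thread or from Check Point: a small Python script that parses a dump in the format of the WinEventToCPLog.exe -d output quoted above and applies a mapping table in the shape of the posted mapping file, keeping only the %1..%21 fields (the rule stated in the reply above) and reporting named fields such as Win Message as ones the mapping cannot carry. The dump excerpt, the event source name and the LogonType target field are constructed assumptions.

```python
import re

# Constructed excerpt in the shape of the WinEventToCPLog.exe -d dump from the thread
# (not a real capture); the event source name is assumed from the mapping file's keys.
DEBUG_DUMP = """\
Security
EventID:     4624
%6 = Administrator
%9 = 3
%12 = PRGNTBLN02
Win Message(string):     An account was successfully logged on.
User(string):     Administrator
"""

# Hypothetical mapping table mirroring the mapping file:
# ("event source:EventID", Windows field) -> Check Point field name.
MAPPING = {
    ("Microsoft-Windows-Security-Auditing:4624", "%6"): "User",
    ("Microsoft-Windows-Security-Auditing:4624", "%9"): "LogonType",  # hypothetical target field
    ("Microsoft-Windows-Security-Auditing:4624", "Win Message"): "Description",
}

NUMBERED = re.compile(r"^%(\d+) = (.*)$")            # e.g. "%6 = Administrator"
NAMED = re.compile(r"^([^(%][^(]*)\(\w+\):\s*(.*)$")  # e.g. "Win Message(string):     ..."

def parse_dump(text):
    """Split one debug dump into (EventID, {'%N': value}, {named field: value})."""
    event_id, numbered, named = None, {}, {}
    for line in text.splitlines():
        if line.startswith("EventID:"):
            event_id = line.split(":", 1)[1].strip()
        elif (m := NUMBERED.match(line)):
            numbered["%" + m.group(1)] = m.group(2).strip()
        elif (m := NAMED.match(line)):
            named[m.group(1).strip()] = m.group(2).strip()
    return event_id, numbered, named

def apply_mapping(source, text, mapping=MAPPING):
    """Return (Check Point fields that get a value, Windows fields the mapping cannot carry).

    Only %1..%21 can be mapped to Check Point field names; a named field such as
    'Win Message' is reported as unmappable instead of being silently dropped."""
    event_id, numbered, _named = parse_dump(text)
    mapped, unmappable = {}, []
    for (key, win_field), cp_field in mapping.items():
        if key != f"{source}:{event_id}":
            continue  # rule belongs to a different event source / EventID
        is_numbered = win_field.startswith("%") and win_field[1:].isdigit()
        if is_numbered and 1 <= int(win_field[1:]) <= 21 and win_field in numbered:
            mapped[cp_field] = numbered[win_field]
        else:
            unmappable.append(win_field)
    return mapped, unmappable
```

Running apply_mapping("Microsoft-Windows-Security-Auditing", DEBUG_DUMP) yields User and LogonType from %6 and %9, while "Win Message" is listed as unmappable, which is the behaviour the poster observed in the log.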
rmsource_dotcom
Participant

According to the file comments the default is string:

"
# For example,
# : (Security # Event source
# : ("User Name" # Microsoft Event field name, quotes are necessary for space in the name
# :field_name (User) # Check Point log server field name
# :field_type () # Check Point log server Field type (default is string)
"

Are you saying that it must be defined explicitly?
