CheckMates (Products : Quantum : Management)
Get Win Message into Description field - WinEventToCPLog
Hello,
I am trying out importing Windows Event logs into the Check Point Management server. Logs are going in without problems using the WinEventToCPLog agent; however, I want to map fields from the Windows Event to Check Point fields. I've followed "How to map Windows Events fields to Check Point log fields"; however, I was only successful in mapping fields whose value in the debug output comes after a '%' sign.
Here is my map field configuration:
# User Login Successful Mapping
(
  : ("Microsoft-Windows-Security-Auditing:4624"
    : (%6
      :field_name ("User")
      :field_type ()
    )
    : ("Win Message"
      :field_name ("Description")
      :field_type ()
    )
  )
# User initiated logoff
  : ("Microsoft-Windows-Security-Auditing:4647"
    : (%2
      :field_name ("User")
      :field_type ()
    )
    : ("Win Message"
      :field_name ("Description")
      :field_type ()
    )
  )
# An account was logged off
  : ("Microsoft-Windows-Security-Auditing:4634"
    : (%2
      :field_name ("User")
      :field_type ()
    )
    : ("Win Message"
      :field_name ("Description")
      :field_type ()
    )
  )
# User Login Failure Mapping
  : ("Microsoft-Windows-Security-Auditing:4625"
    : (%6
      :field_name ("User")
      :field_type ()
    )
    : ("Win Message"
      :field_name ("Description")
      :field_type ()
    )
  )
)
Here is a screenshot from the management server:
Details of the log message:
User was successfully mapped; however, Win Message is not. What should I write in the mapping file to get Win Message into Description? Other fields, such as EventID, would be nice too.
Thanks.
You have an empty value in the field_type() call. That should be string.
For example:
(
: ("Microsoft-Windows-Security-Auditing:4624"
: (%6
:field_name (User)
:field_type (string)
) )
)
Hi,
The comments at the top of the configuration say that field_type () is string by default. I can see it worked for the User field (as I can see that mapped in the log); the problem is when I try to map fields that don't start with '%{number}'. To be sure, I've added the string field type everywhere, but nothing has changed.
Here is an example from the debug output when starting WinEventToCPLog.exe -d (windowEvent0.log) to find the field names to map:
---------------------------------------------------------------------------
Reading internal event number: 23725
Wed Sep 27 07:34:34 2017
Security EventID: 4624 EventTime: 4624
%1 = S-1-0-0
%2 = -
%3 = -
%4 = 0x0
%5 = S-1-5-21-2211272001-3120902545-1089152063-500
%6 = Administrator
%7 = NILFISK-LAB-ADM
%8 = 0x70ba991
%9 = 3
%10 = NtLmSsp 
%11 = NTLM
%12 = PRGNTBLN02
%13 = {00000000-0000-0000-0000-000000000000}
%14 = -
%15 = NTLM V2
%16 = 128
%17 = 0x0
%18 = -
%19 = -
%20 = -
%21 = %%1833
Win Message(string): An account was successfully logged on.
Security ID(string): S-1-0-0
Account Name(string): -
Account Domain(string): -
Logon ID(string): 0x0
Logon Type(string): 3
Impersonation Level(string): 
Security ID1(string): S-1-5-21-2211272001-3120902545-1089152063-500
User(string): Administrator
Account Domain1(string): NILFISK-LAB-ADM
Logon ID1(string): 0x70ba991
Logon GUID(string): {00000000-0000-0000-0000-000000000000}
Process ID(string): 0x0
Process Name(string): -
Workstation Name(string): PRGNTBLN02
Source Network Address(string): -
Source Port(string): -
Logon Process(string): NtLmSsp
Authentication Package(string): NTLM
Transited Services(string): -
Package Name (NTLM only)(string): NTLM V2
Key Length(string): 128
Product(string): Windows OS
Event Source File(string): Security
Application(string): Microsoft-Windows-Security-Auditing
__orig(ipaddr): 10.8.86.20
Computer(string): Nilfisk-LAB-ADMIN
Event Type(string): Success Audit
So I can't map the field on line 28 to the Check Point log; it only shows in the More section when I open the log.
You can only map %1 up to %21 to LEA field names.
According to the debug work you have done, this worked for the User field because it contains the value from %2.
Which other fields from the numbered fields might be useful?
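As an added illustration of the point above (this is not Check Point's code and was not posted in the thread), a small Python script that parses the WinEventToCPLog.exe -d dump format quoted earlier and reports, for each named field, which %1..%21 placeholder carries the same value and therefore can be mapped, and which fields (Win Message, Event Type) have no placeholder at all. The dump text is a constructed, trimmed sample in that format.

```python
import re

# Constructed sample: a trimmed copy of the WinEventToCPLog.exe -d dump format quoted in this thread.
SAMPLE_DUMP = """Security EventID: 4624 EventTime: 4624
%1 = S-1-0-0
%2 = -
%6 = Administrator
%9 = 3
%10 = NtLmSsp 
%12 = PRGNTBLN02
%21 = %%1833
Win Message(string): An account was successfully logged on.
Security ID(string): S-1-0-0
Account Name(string): -
Logon Type(string): 3
User(string): Administrator
Workstation Name(string): PRGNTBLN02
Logon Process(string): NtLmSsp
Event Type(string): Success Audit
"""

PLACEHOLDER_RE = re.compile(r"^%(\d+) = (.*)$")   # e.g. "%6 = Administrator"
NAMED_RE = re.compile(r"^(.+)\((\w+)\): (.*)$")    # e.g. "User(string): Administrator"


def parse_dump(text):
    """Split one dumped event into {'%N': value} and {field name: (type, value)}."""
    placeholders, named = {}, {}
    for line in text.splitlines():
        m = PLACEHOLDER_RE.match(line)
        if m:
            # strip() also drops the trailing space seen in "%10 = NtLmSsp "
            placeholders["%" + m.group(1)] = m.group(2).strip()
            continue
        m = NAMED_RE.match(line)
        if m:
            named[m.group(1).strip()] = (m.group(2), m.group(3).strip())
    return placeholders, named


def mappable_fields(text):
    """For each named field, the %N placeholder carrying the same value, or None
    when nothing does (Win Message, Event Type): only %1..%21 can be mapped.
    Repeated values such as '-' resolve to the lowest-numbered placeholder."""
    placeholders, named = parse_dump(text)
    by_value = {}
    for key, val in placeholders.items():
        by_value.setdefault(val, key)
    return {field: by_value.get(val) for field, (_, val) in named.items()}
```

Fields that come back as None are the ones that will only ever appear in the More section, whatever field_type you give them.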
According to the file comments, the default is string:
"
# For example,
# : (Security # Event source
# : ("User Name" # Microsoft Event field name, quotes are necessary for space in the name
# :field_name (User) # Check Point log server field name
# :field_type () # Check Point log server Field type (default is string)"
Are you saying that it must be defined explicitly?
