This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lukas_Nagy
Participant
‎2017-09-25 08:02 AM

Get Win Message into Description field - WinEventToCPLog

Hello,

I am trying out importing Windows Events log into Check Point Management server. Logs are going in without problem, using WinEventToCPLog agent, however I want to map fields from Win Event to Check Point field. I've followed How to map Windows Events fields to Check Point log fields however, I was only successful mapping fields with value from debug after '%' sign.

Here is my map field configuration:

# User Login Successful Mapping
(
     : ("Microsoft-Windows-Security-Auditing:4624" 
          : (%6
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )

# User initiated logoff

     : ("Microsoft-Windows-Security-Auditing:4647" 
          : (%2
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )

# An account was logged off 

     : ("Microsoft-Windows-Security-Auditing:4634" 
          : (%2
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )          
     )


# User Login Failure Mapping

     : ("Microsoft-Windows-Security-Auditing:4625" 
          : (%6
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )
)

Here is a screen from management server

Details of log message:

User was sucessfully mapped, however Win Message is not. What should I write to mapping file to have Win Message in Description? Or other fields, such as EventID would be nice too.

Thanks.

4 Replies
Hugo_vd_Kooij
Advisor
‎2017-09-27 06:08 AM

You have an empty vaule in the field_type() call. That should be string.

For example:

(
   : ("Microsoft-Windows-Security-Auditing:4624"
      : (%6
         :field_name (User)
         :field_type (string)
      )    )
)
Miracles happen while you wait. The impossible jobs take just a bit longer.
Lukas_Nagy
Participant
‎2017-09-27 07:00 AM
In response to Hugo_vd_Kooij

Hi,

from the comments at the top of configuration, it is said that field_type () is by default string. I can see it worked for User field (as I can see that mapped in log), problem is when I try to map fields that don't start with '%{number}'. To be sure, I've added string field type everywhere, but nothing have changed. 

Here is example from debug when starting WinEventToCPLog.exe -d (windowEvent0.log) to find the field names to map:

---------------------------------------------------------------------------
Reading internal event number: 23725
Wed Sep 27 07:34:34 2017
Security
 EventID:     4624
 EventTime:     4624
%1 = S-1-0-0
%2 = -
%3 = -
%4 = 0x0
%5 = S-1-5-21-2211272001-3120902545-1089152063-500
%6 = Administrator
%7 = NILFISK-LAB-ADM
%8 = 0x70ba991
%9 = 3
%10 = NtLmSsp 
%11 = NTLM
%12 = PRGNTBLN02
%13 = {00000000-0000-0000-0000-000000000000}
%14 = -
%15 = NTLM V2
%16 = 128
%17 = 0x0
%18 = -
%19 = -
%20 = -
%21 = %%1833
Win Message(string):     An account was successfully logged on.
Security ID(string):     S-1-0-0
Account Name(string):     -
Account Domain(string):     -
Logon ID(string):     0x0
Logon Type(string):     3
Impersonation Level(string):     
Security ID1(string):     S-1-5-21-2211272001-3120902545-1089152063-500
User(string):     Administrator
Account Domain1(string):     NILFISK-LAB-ADM
Logon ID1(string):     0x70ba991
Logon GUID(string):     {00000000-0000-0000-0000-000000000000}
Process ID(string):     0x0
Process Name(string):     -
Workstation Name(string):     PRGNTBLN02
Source Network Address(string):     -
Source Port(string):     -
Logon Process(string):     NtLmSsp
Authentication Package(string):     NTLM
Transited Services(string):     -
Package Name (NTLM only)(string):     NTLM V2
Key Length(string):     128
Product(string):     Windows OS
Event Source File(string):     Security
Application(string):     Microsoft-Windows-Security-Auditing
__orig(ipaddr):     10.8.86.20
Computer(string):     Nilfisk-LAB-ADMIN
Event Type(string):     Success Audit

So I can't map field on line 28 to Check Point log, it only shows in More section when I open the log. 

Hugo_vd_Kooij
Advisor
‎2017-09-27 08:43 AM
In response to Lukas_Nagy

You can only Map %1 up to %21 to LEA field names.

According to the Debug work you have done this for the User field because it contains the value from %2.

Which other fields from the numbered fields might be usefull?

Miracles happen while you wait. The impossible jobs take just a bit longer.
rmsource_dotcom
Participant
‎2018-02-28 12:29 PM
In response to Hugo_vd_Kooij

According to the file comments the default is string;

"

# For example,
# : (Security # Event source
# : ("User Name" # Microsoft Event field name, quotes are necessary for space in the name
# :field_name (User) # Check Point log server field name
# :field_type () # Check Point log server Field type (default is string)"

Are you saying that it must be defined explicitly?