This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Lukas_Nagy
Participant
‎2017-09-25 08:02 AM

Get Win Message into Description field - WinEventToCPLog

Hello,

I am trying out importing Windows Events log into Check Point Management server. Logs are going in without problem, using WinEventToCPLog agent, however I want to map fields from Win Event to Check Point field. I've followed How to map Windows Events fields to Check Point log fields however, I was only successful mapping fields with value from debug after '%' sign.

Here is my map field configuration:

# User Login Successful Mapping
(
     : ("Microsoft-Windows-Security-Auditing:4624" 
          : (%6
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )

# User initiated logoff

     : ("Microsoft-Windows-Security-Auditing:4647" 
          : (%2
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )

# An account was logged off 

     : ("Microsoft-Windows-Security-Auditing:4634" 
          : (%2
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )          
     )


# User Login Failure Mapping

     : ("Microsoft-Windows-Security-Auditing:4625" 
          : (%6
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )
)

Here is a screen from management server

Details of log message:

User was sucessfully mapped, however Win Message is not. What should I write to mapping file to have Win Message in Description? Or other fields, such as EventID would be nice too.

Thanks.

4 Replies
Hugo_vd_Kooij
Advisor
‎2017-09-27 06:08 AM

You have an empty vaule in the field_type() call. That should be string.

For example:

(
   : ("Microsoft-Windows-Security-Auditing:4624"
      : (%6
         :field_name (User)
         :field_type (string)
      )    )
)
<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Lukas_Nagy
Participant
‎2017-09-27 07:00 AM
In response to Hugo_vd_Kooij

Hi,

from the comments at the top of configuration, it is said that field_type () is by default string. I can see it worked for User field (as I can see that mapped in log), problem is when I try to map fields that don't start with '%{number}'. To be sure, I've added string field type everywhere, but nothing have changed. 

Here is example from debug when starting WinEventToCPLog.exe -d (windowEvent0.log) to find the field names to map:

---------------------------------------------------------------------------
Reading internal event number: 23725
Wed Sep 27 07:34:34 2017
Security
 EventID:     4624
 EventTime:     4624
%1 = S-1-0-0
%2 = -
%3 = -
%4 = 0x0
%5 = S-1-5-21-2211272001-3120902545-1089152063-500
%6 = Administrator
%7 = NILFISK-LAB-ADM
%8 = 0x70ba991
%9 = 3
%10 = NtLmSsp 
%11 = NTLM
%12 = PRGNTBLN02
%13 = {00000000-0000-0000-0000-000000000000}
%14 = -
%15 = NTLM V2
%16 = 128
%17 = 0x0
%18 = -
%19 = -
%20 = -
%21 = %%1833
Win Message(string):     An account was successfully logged on.
Security ID(string):     S-1-0-0
Account Name(string):     -
Account Domain(string):     -
Logon ID(string):     0x0
Logon Type(string):     3
Impersonation Level(string):     
Security ID1(string):     S-1-5-21-2211272001-3120902545-1089152063-500
User(string):     Administrator
Account Domain1(string):     NILFISK-LAB-ADM
Logon ID1(string):     0x70ba991
Logon GUID(string):     {00000000-0000-0000-0000-000000000000}
Process ID(string):     0x0
Process Name(string):     -
Workstation Name(string):     PRGNTBLN02
Source Network Address(string):     -
Source Port(string):     -
Logon Process(string):     NtLmSsp
Authentication Package(string):     NTLM
Transited Services(string):     -
Package Name (NTLM only)(string):     NTLM V2
Key Length(string):     128
Product(string):     Windows OS
Event Source File(string):     Security
Application(string):     Microsoft-Windows-Security-Auditing
__orig(ipaddr):     10.8.86.20
Computer(string):     Nilfisk-LAB-ADMIN
Event Type(string):     Success Audit

So I can't map field on line 28 to Check Point log, it only shows in More section when I open the log. 

Hugo_vd_Kooij
Advisor
‎2017-09-27 08:43 AM
In response to Lukas_Nagy

You can only Map %1 up to %21 to LEA field names.

According to the Debug work you have done this for the User field because it contains the value from %2.

Which other fields from the numbered fields might be usefull?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
rmsource_dotcom
Participant
‎2018-02-28 12:29 PM
In response to Hugo_vd_Kooij

According to the file comments the default is string;

"

# For example,
# : (Security # Event source
# : ("User Name" # Microsoft Event field name, quotes are necessary for space in the name
# :field_name (User) # Check Point log server field name
# :field_type () # Check Point log server Field type (default is string)"

Are you saying that it must be defined explicitly?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events