
Get Win Message into Description field - WinEventToCPLog

Question asked by Lukas Nagy on Sep 25, 2017
Latest reply on Feb 28, 2018 by rmsource Check Point Support

Hello,
I am trying out importing Windows Event logs into the Check Point Management server. Logs are going in without problem using the WinEventToCPLog agent; however, I want to map fields from the Windows Event to Check Point fields. I've followed "How to map Windows Events fields to Check Point log fields"; however, I was only successful in mapping fields whose value appears in the debug output after the '%' sign.
Here is my map field configuration:

# User Login Successful Mapping
(
     : ("Microsoft-Windows-Security-Auditing:4624"
          : (%6
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )

# User initiated logoff

     : ("Microsoft-Windows-Security-Auditing:4647"
          : (%2
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )

# An account was logged off

     : ("Microsoft-Windows-Security-Auditing:4634"
          : (%2
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )


# User Login Failure Mapping

     : ("Microsoft-Windows-Security-Auditing:4625"
          : (%6
               :field_name ("User")
               :field_type ()
          )
          : ("Win Message"
               :field_name ("Description")
               :field_type ()
          )
     )
)

Here is a screenshot from the management server.

Details of the log message:

User was successfully mapped; however, Win Message is not. What should I write in the mapping file to get Win Message into Description? Other fields, such as EventID, would be nice too.

Thanks.
