Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Parsing Keys from EventData #110

Closed
BlakeHensleyy opened this issue Jun 18, 2024 · 2 comments · Fixed by #113
Closed

Parsing Keys from EventData #110

BlakeHensleyy opened this issue Jun 18, 2024 · 2 comments · Fixed by #113
Labels
enhancement

Comments

@BlakeHensleyy
Copy link
Contributor

Is there a way to parse EventData with the fields included rather than parsing the Description with the description fields?

I'd like to use the field names from EventData because NXlog is supported by my event collector and this is what NXlog does. For example, in the Security log 4624, is the EventData fields "TargetLogonId", "TargetUserName", and "TargetUserSid". While, parsed from the Description these fields are "new_logon_logon_id", "new_logon_account_name", and "new_logon_security_id". I was able to get the keys to be in Camel case without underscores by editing the to_key function:

def to_key(key)
     key.gsub!(' '.freeze, ''.freeze)
     key
 end

and by removing the period on line 392 to be:

k = "#{parent_key}#{to_key(key)}"

After these changes, the fields are "NewLogonLogonId", "NewLogonAccountName", and "TargetSubjectSecurityID" which still is not the desired field names. I've realized that what I want is probably only achievable from the XML Key values in the Windows events by default.

Is there a configuration setting that achieves this? Or should I attempt my own implementation of it?
I would also be ok with solution described in issue #95, if that goes anywhere.
@BlakeHensleyy BlakeHensleyy changed the title Parsing Fields from EventData Parsing Keys from EventData Jun 18, 2024
@daipom
Copy link
Contributor

daipom commented Jun 19, 2024

Thanks for the report. I understand the issue, as well as #95.

I've realized that what I want is probably only achievable from the XML Key values in the Windows events by default.

We would need the #95 feature for this, but it would not be possible now, as I commented on #95 (comment).
Please let us know if you know how to use Win32 API to take the Data Name of EventData.

I was able to get the keys to be in Camel case without underscores by editing the to_key function

It would not be enough for this issue, but if you need this feature, we should improve this plugin.
Welcome to PR!

@BlakeHensleyy
Copy link
Contributor Author

Thanks for the response, @daipom!

I'm also not sure how to use the API to take the Data Name of EventData. I did try looking into the Winlogbeat source code because I know that Winlogbeat, like NXlog, does parse the EventData. While I do believe something useful for fluent-plugin-windows-eventlog2 could be gleaned from this, I'm just not sure how to identify and implement it.

Currently I have very little Ruby and general API experience, but in the future if I have the time to look further into this then I'll give it a try.

@daipom daipom mentioned this issue Jul 8, 2024
Merged
@daipom daipom linked a pull request Jul 8, 2024 that will close this issue
Add Delimiter and Casing options for parsing #113
Merged
@ashie ashie closed this as completed in #113 Aug 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add Delimiter and Casing options for parsing
2 participants
@daipom @BlakeHensleyy