topic Re: Windows Events Message field in Getting Data In

Windows Events Message field

be910j — Thu, 14 Nov 2013 17:21:48 GMT

Greetings,
We've been having an issue extracting a few fields in the following event specifically. This windows Event has the Message field containing the desired fields, the values for those desired fields however are carriage returned and evade the built in extraction tools as well as erex.

Full Event as it exists raw:

11/01/2013 02:23:15 PM
LogName=Directory Service
SourceName=Microsoft-Windows-ActiveDirectory_DomainService
EventCode=2889
EventType=4
Type=Information
ComputerName=*******
User=*****
Sid=***
SidType=*
TaskCategory=LDAP Interface
OpCode=None
RecordNumber=******
Keywords=Classic
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
IPADDRESS:PORT
Identity the client attempted to authenticate as:
Domain\Username

The particular values we wish to extract:

Client IP address:
IPADDRESS:PORT
Identity the client attempted to authenticate as:
Domain\Username

The built in utilities actually skip the 2 fields and only display the data up to the first carriage return between the message statement and Client IP address:, this may be why it also breaks erex, as the built in extractor just does not even see the data to attempt to learn the extraction.

Additionally, we have tried a few props transforms that I've seen floating around here, to aid in extracting values out of the Windows Message field, but those seem to have no change either on these 2 data fields with the carriage return.

Thanks!
Brandon

Added for luke below :
Sure thing, here it is right off that raw search, with various items redacted to make our security guy happy.

11/14/2013 11:35:11 AM LogName=Directory Service SourceName=Microsoft-Windows-ActiveDirectory_DomainService EventCode=2889 EventType=4 Type=Information ComputerName#### User=#### Sid#### SidType=5 TaskCategory=LDAP Interface OpCode=None RecordNumber=1681746 Keywords=Classic Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: ####:#### Identity the client attempted to authenticate as: #### \ ####

Re: Windows Events Message field

lukejadamec — Thu, 14 Nov 2013 17:31:04 GMT

Carriage returns don't affect the automatic extraction for any of my Windows Message fields, but I can't test this specific event. Can you post the _raw data for one such event?
EventCode=2889 | dedup EventCode | table _raw

Re: Windows Events Message field

lukejadamec — Thu, 14 Nov 2013 18:02:38 GMT

Try this:

EventCode=2889 |rex field=_raw ".*Client\sIP\saddress:\s+(?<ClientIPAddressPort>.*)\r\n" | rex field=_raw ".*authenticate\sas:\s+(?<DomainUsername>.*)\r\n"

Re: Windows Events Message field

be910j — Thu, 14 Nov 2013 18:11:35 GMT

Sweet, that got the IP:port working, the Domain\username still isn't showing up though. Just realized my raw snipet above removed the \ on that, so its attempted to authenticate as: space DOMAIN\username

Re: Windows Events Message field

lukejadamec — Thu, 14 Nov 2013 18:27:17 GMT

That should be working. \s stands for space. + means one or more.

Re: Windows Events Message field

be910j — Thu, 21 Nov 2013 19:39:49 GMT

Figured it out, it was just the trailing \r \n on the last extract, removed those and it works like a charm, has both fields completely extracted!
Thanks luke!
Brandon

Re: Windows Events Message field

landen99 — Tue, 29 Apr 2014 13:13:34 GMT

"Windows events message field extraction" is a much better title. I thought you were going to discuss the meanings of the fields themselves with your current title "Windows events message field"

Re: Windows Events Message field

buskeyl — Thu, 19 May 2022 03:13:58 GMT

I know this is a really old post, but this is exactly what I think I need to do. I am too much of a noob to follow this. Are you still out there?

Specifically, I want to search for Windows Security 4776 sucess events, deduplicate the list based on the value in the "Logon Account: UserX" string within the events message field. SO I think I need to extract the "Logon Event: UserX" sting so the filed is Logon Account: and the Dedup is applied to the value of that field