Extract full XML from Windows EventLog sent by UF

Cbr1sg — Fri, 18 Jan 2019 08:09:26 GMT

Hello all,
I have some events like this which are forwarded to Splunk from UF

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>5058</EventID><Version>0</Version><Level>0</Level><Task>12292</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-01-18T07:53:58.917178000Z'/><EventRecordID>24044556</EventRecordID><Correlation/><Execution ProcessID='580' ThreadID='22604'/><Channel>Security</Channel><Computer>xxx</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-20</Data><Data Name='SubjectUserName'>xxx</Data><Data Name='SubjectDomainName'>xxx</Data><Data Name='SubjectLogonId'>0x3e4</Data><Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data><Data Name='AlgorithmName'>UNKNOWN</Data><Data Name='KeyName'>20edf1c5b7372d0abb08e7175c58b0f1_81e1b500-e237-4510-a356-3d55074d9020</Data><Data Name='KeyType'>%%2499</Data><Data Name='KeyFilePath'>C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\20edf1c5b7372d0abb08e7175c58b0f1_81e1b500-e237-4510-a356-3d55074d9020</Data><Data Name='Operation'>%%2458</Data><Data Name='ReturnCode'>0x0</Data></EventData></Event>

my props.conf looks like this

[source::WinEventLog]
TZ = Europe/London
REPORT-xmlkv = xmlkv-alternative

my transforms.conf looks like this

[xmlkv-alternative]
REGEX = <([^\s\>]*)[^\>]*\>([^<]*)\<\/\1\>
FORMAT = $1::$2

the result i get for Data field is like this
S-1-5-20

What i expect from the Data field is like this

<Data Name='SubjectUserSid'>S-1-5-20</Data>
<Data Name='SubjectUserName'>xxx</Data>
<Data Name='SubjectDomainName'>xxx</Data>
<Data Name='SubjectLogonId'>0x3e4</Data>
<Data Name='ProviderName'>Microsoft Software Key Storage Provider</Data>
<Data Name='AlgorithmName'>UNKNOWN</Data>
<Data Name='KeyName'>20edf1c5b7372d0abb08e7175c58b0f1_81e1b500-e237-4510-a356-3d55074d9020</Data>
<Data Name='KeyType'>%%2499</Data>
<Data Name='KeyFilePath'>C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\20edf1c5b7372d0abb08e7175c58b0f1_81e1b500-e237-4510-a356-3d55074d9020</Data>
<Data Name='Operation'>%%2458</Data>
<Data Name='ReturnCode'>0x0</Data>

Or (preferred)

'SubjectUserSid'=S-1-5-20
'SubjectUserName'=xxx
'SubjectDomainName'=xxx
'SubjectLogonId'=0x3e4
'ProviderName'=Microsoft Software Key Storage Provider
'AlgorithmName'=UNKNOWN
'KeyName'=20edf1c5b7372d0abb08e7175c58b0f1_81e1b500-e237-4510-a356-3d55074d9020
'KeyType'=%%2499
'KeyFilePath'=C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\20edf1c5b7372d0abb08e7175c58b0f1_81e1b500-e237-4510-a356-3d55074d9020
'Operation'=%%2458
'ReturnCode'=0x0

Can this be done? Thanks

Re: Extract full XML from Windows EventLog sent by UF

a_m_s — Tue, 29 Sep 2020 22:50:01 GMT

Your "preferred" result :)-
event_source|rex field=_raw "(.?)>(.?))<\/Data>" max_match=20 | mvexpand a | rex field=result mode=sed "s/>/=/g"

Re: Extract full XML from Windows EventLog sent by UF

a_m_s — Mon, 21 Jan 2019 06:54:29 GMT

You can used spath also.You will get two fields.Use eval to concatenate the two fields.

Re: Extract full XML from Windows EventLog sent by UF

Cbr1sg — Tue, 22 Jan 2019 06:24:50 GMT

The rex in the screenshot works, thanks mate!

topic Re: Extract full XML from Windows EventLog sent by UF in Getting Data In

Extract full XML from Windows EventLog sent by UF

Re: Extract full XML from Windows EventLog sent by UF

Re: Extract full XML from Windows EventLog sent by UF

Re: Extract full XML from Windows EventLog sent by UF