Getting Data In

Extract-Display the Details Tab from windows event logs

Path Finder

I have an issue that honestly may not be possible using splunk but I wanted to reach out for some advice because you guys on here have been awesome in helping me with search issues in the past.

we have an On Prem CA (Certificate Authority) Server which is currently using a powershell script to send email alerts when certificates are close to expiring and that PS Script is doing this using an internal Unauthenticated Relay. we are eliminating Unauthenticated relay from our network and we also prefer not to have a PS Script running on our DC with CA.

I have been tasked with seeing if we can use splunk instead to send an alert.

Windows does log events related to certificates.

those events are located in Windows Event Logs in the location below:

Applications and Services Logs\Microsoft\Windows\CertificateServicesClient-Lifecycle-System

I have managed to add those logs to my inputs.conf for my Splunk_TA_Windows app and I have successfully searched for those event logs and they appear okay.

unfortunately the logs I get only show me the event message which tells you the certificate is going to expire. the specifics about which certificate and its information are contained in those events on the "Details" tab when viewing them in the windows event monitor but that data is not included in the log data I am getting in splunk.

I next tried to add the RenderXml = true statement 

that did update the data in the logs but it is mostly jibberish and I still cannot see or find the certificate information we need.

here is an example my splunk search

host="myhost" EventCode=1003 OR SourceName="Microsoft-Windows-CertificateServicesClient-Lifecycle-System"
| table Message

here is what the search displays with my inputs.conf set with RenderXml = true

The Software Protection service has completed licensing status check. Application Id=55c92734-d682-4d71-983e-d6ec3f16059f Licensing Status= 1: b3ca044e-a358-4d68-9883-aaa2941aca99, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x4004F040 257868)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )]

here is what it displays with my inputs.conf set with RenderXml = false

A certificate is about to expire. Please refer to the "Details" section for more information.

 

and here is what the actual event is in windows event viewer under the General & the Details tabs

General tab

A certificate is about to expire. Please refer to the "Details" section for more information.

Details

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>

  <Provider Name="Microsoft-Windows-CertificateServicesClient-Lifecycle-System" Guid="{bc0669e1-a10d-4a78-834e-1ca3c806c93b}" />

  <EventID>1003</EventID>

  <Version>0</Version>

  <Level>3</Level>

  <Task>0</Task>

  <Opcode>0</Opcode>

  <Keywords>0x8000000000000000</Keywords>

  <TimeCreated SystemTime="2018-12-27T11:15:51.381679900Z" />

  <EventRecordID>860</EventRecordID>

  <Correlation />

  <Execution ProcessID="3224" ThreadID="5160" />

  <Channel>Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational</Channel>

  <Computer>mycaserver.ad.mydomain.com</Computer>

  <Security UserID="S-1-5-18" />

  </System>

- <UserData>

- <CertNotificationData ProcessName="taskhost.exe" AccountName="MYDOMAIN\MYCASERVER$" Context="Machine">

- <CertificateDetails Thumbprint="3c970c5b2cf467189c64cd38a8b5c28d4615b1f7">

- <SubjectNames>

  <SubjectName>C=US, S=MyState, L=My City, O="My Org, Inc.", CN=myCAServer.ad.mydomain.com</SubjectName>

  <SubjectName>cbiad2.ad.clickbond.com</SubjectName>

  <SubjectName>ad.mydomain.com</SubjectName>

  <SubjectName>auth.ad.mydomain.com</SubjectName>

  </SubjectNames>

- <EKUs>

  <EKU Name="Server Authentication" OID="1.3.6.1.5.5.7.3.1" />

  <EKU Name="Client Authentication" OID="1.3.6.1.5.5.7.3.2" />

  </EKUs>

  <NotValidAfter>2019-01-04T12:00:00Z</NotValidAfter>

  </CertificateDetails>

  </CertNotificationData>

  </UserData>

  </Event>


my goal is to create a search that can be used to alert us when one of these events triggers as well as include pertinent information to identify which certificate is expiring and when.

if nobody can help with this I totally understand as I am starting to feel like what we are wanting to do is just not possible with these events and splunk.

 

 

Labels (2)
0 Karma