Splunk Search

Windows System Event 6013 Decoding Binary XML Output to Retrieve Uptime Seconds

bray1111
Engager

Since we converted to using XML ingestion of Windows event logs, we have not been able to extract the uptime seconds for 6013 system uptime events due to the payload being encoded in binary. I've tried some hex to decimal conversions and then decimal coded ASCII extraction but have not found anything that works that lets me identify the uptime seconds data in the payload. Has anyone else run into this and if so how did you solve it short of reverting back to Classic event log ingestion?

log entry:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='EventLog'/><EventID Qualifiers='32768'>6013</EventID><Level>4</Level><Task>0</Task><Keywords>0x80000000000000</Keywords><TimeCreated SystemTime='2021-09-20T21:36:11.000000000Z'/><EventRecordID>1577535</EventRecordID><Channel>System</Channel><Computer>server.domain</Computer><Security/></System><EventData><Data></Data><Data></Data><Data></Data><Data></Data><Data>35</Data><Data>60</Data><Data>480 Pacific Standard Time</Data><Binary>31002E003100000030000000570069006E0064006F007700730020005300650072007600650072002000320030003100320020005200320020004400610074006100630065006E00740065007200000036002E0033002E00390036003000300020004200750069006C006400200039003600300030002000200000004D0075006C0074006900700072006F0063006500730073006F00720020004600720065006500000039003600300030002E00770069006E0062006C00750065005F006C007400730062002E003200310030003700300039002D00310037003000300000003500640065003900320064003800650000004E006F007400200041007600610069006C00610062006C00650000004E006F007400200041007600610069006C00610062006C006500000039000000380000003300320037003600380000003400300039000000430041004D00530044004200310032002E007A00620063002E0069006E007400650072006E0061006C0000000000</Binary></EventData></Event>
