So after searching here it seems like a lot of people have trouble parsing/handling WinEventLogs. I want to ask if there is no better way than custom transforms and props?
That might be a debatable question to some so I'll be more targeted. I'm trying to extract parts of the Message field, here's a sanitized example:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{xxxxx-xxxx-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-01-25T22:35:16.209857600Z'/><EventRecordID>840762295</EventRecordID><Correlation ActivityID='{D610E4E9-2C97-0000-12E5-10D6972CD901}'/><Execution ProcessID='704' ThreadID='2404'/><Channel>Security</Channel><Computer>dc01.domain.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>DOMAIN\okta_service</Data><Data Name='SubjectUserName'>okta_service</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x31198f</Data><Data Name='TargetUserSid'>DOMAIN\Bob.Saget</Data><Data Name='TargetUserName'>bob.saget</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetLogonId'>0x1578a0a1</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>DC01</Data><Data Name='LogonGuid'>{xxxxx-xx-D725-309C-788D104F655D}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x1658</Data><Data Name='ProcessName'>C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentService.exe</Data><Data Name='IpAddress'>1.2.3.4</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
Namely at the bottom, <Data Name='IpAddress'>1.2.3.4</Data>
Now I'm still using renderXml = true because when you look at the raw type... that Message field is just so huge and practically impossible to define a field to me. Unless I'm wrong? Also, as per my inputs file, the sourcetype for this is 'generic_single_line'.
Now I've tried Regex and Delimiters, and both give me errors about either selecting too many fields, or in the case of Delimiters (when I attempt to specify other and '<>'), an entirely unholy wall of text with this tiny blurb at the end:
has exceeded the configured depth_limit, consider raising the value in limits.conf.
Or am I going about this all wrong, and raw is the easiest to deal with?
Any help would be greatly appreciated!
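As an added example (not part of the original post and not Splunk's own code), the following Python script parses a renderXml-style event of the shape shown above with the standard library's ElementTree, pulling every System element and every EventData Data Name='...' entry into one dictionary, so IpAddress is just a key lookup instead of a fight with delimiters. The event text embedded here is a constructed, trimmed copy of the posted sample with placeholder values; the namespace URI is the real one from the event. It also shows the single-field named-group regex one would reach for when only one value (IpAddress) is wanted from the raw text.

```python
import re
import xml.etree.ElementTree as ET

# Default namespace declared on <Event> in the posted sample; ElementTree needs it
# to be named explicitly in every find()/findall() path.
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a trimmed copy of the 4624 event above with placeholder values.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
    "<EventID>4624</EventID><Channel>Security</Channel>"
    "<Computer>dc01.example.net</Computer></System>"
    "<EventData>"
    "<Data Name='TargetUserName'>bob.saget</Data>"
    "<Data Name='LogonType'>3</Data>"
    "<Data Name='LogonProcessName'>Advapi </Data>"
    "<Data Name='IpAddress'>1.2.3.4</Data>"
    "<Data Name='IpPort'>-</Data>"
    "</EventData></Event>"
)


def parse_event(xml_text: str) -> dict:
    """Flatten one Windows event XML document into {field_name: value}.

    System children are keyed by their tag (EventID, Channel, Computer, ...).
    EventData entries are keyed by their Name attribute (IpAddress, LogonType, ...).
    The Security log writes '-' for "not set"; that is mapped to None so callers
    can tell "absent" from a literal hyphen. Malformed XML yields an empty dict.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}

    fields = {}

    # <System> block: simple text elements. Elements with only attributes
    # (e.g. <Provider Name=.../>) have no text and are skipped.
    system = root.find("e:System", EVENT_NS)
    if system is not None:
        for child in system:
            tag = child.tag.split("}", 1)[-1]  # drop the '{namespace}' prefix
            if child.text and child.text.strip():
                fields[tag] = child.text.strip()

    # <EventData> block: <Data Name='X'>value</Data>. Whitespace is stripped
    # because the source emits trailing spaces (e.g. 'Advapi ').
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        name = data.get("Name")
        if not name:
            continue
        value = (data.text or "").strip()
        fields[name] = None if value == "-" else value

    return fields


# Single-field alternative: a named-group regex over the raw text, for the case
# where only IpAddress is wanted and full XML parsing is not available.
IPADDRESS_RE = re.compile(r"<Data Name='IpAddress'>(?P<IpAddress>[^<]*)</Data>")


def extract_ip_regex(xml_text: str):
    """Return the IpAddress value via regex, or None if the element is absent."""
    m = IPADDRESS_RE.search(xml_text)
    return m.group("IpAddress") if m else None


if __name__ == "__main__":
    parsed = parse_event(SAMPLE_EVENT)
    print("EventID:", parsed.get("EventID"))
    print("IpAddress (XML):", parsed.get("IpAddress"))
    print("IpAddress (regex):", extract_ip_regex(SAMPLE_EVENT))
```

The XML route is the one to prefer when you need several fields: it is namespace-aware, it does not care about element order, and the '-' handling keeps placeholder values from being mistaken for real data. The regex is fine for a single well-known element like IpAddress, but it will silently miss the value if the attribute quoting or element spelling ever changes, so pair it with a check that the match count is what you expect.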