Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Winlogbeat] Features / Status / Roadmap #465

Closed
tbragin opened this issue Dec 7, 2015 · 18 comments
Closed

[Winlogbeat] Features / Status / Roadmap #465

tbragin opened this issue Dec 7, 2015 · 18 comments
Assignees

Comments

@tbragin
Copy link
Contributor

tbragin commented Dec 7, 2015

See background here: https://github.com/elastic/filebeat/issues/130
And current status here: https://github.com/elastic/winlogbeat/issues/1

@andrewkroh
Copy link
Member

andrewkroh commented Dec 9, 2015

Winlogbeat Status Tracking

Updated: 2019-12-20

This issue tracks the overall status of the effort. We can open separate issues to discuss individual features in depth.

Features

Performance

  • Share a single cache for message file handles.
  • Add SID to name/domain/type caching.
  • Asynchronous event publishing like Filebeat.
  • Share a set of buffers between all event logs so that memory usage does not
    grow linearly with the number of logs being monitored.
  • Optimize the slow methods (I suspect they are getStrings and
    utf16ToString).

Type Safety

  • Investigate removing unsafe from eventlog_windows.go by parsing the buffer.

Test cases

@elvarb
Copy link

elvarb commented Dec 9, 2015

Is it necessary to do regex filtering on the event? I'm pretty sure you can get all event field values as objects, fields you don't see in the event viewer but are special objects still.

@andrewkroh
Copy link
Member

@elvarb I am not proposing regex filtering the event as a whole. I am proposing regex filtering based on the text of the event's message field.

@elvarb
Copy link

elvarb commented Dec 9, 2015

That's what I'm pointing out, you don't have to. For example if a user1 adds user2 to group1 the message field will say that. But also in the event are special fields like the eventid that are called something along the lines of param1, param2 and so on. The message field is an attempt to make the event human readable, and I truly mean an attempt.

@elvarb
Copy link

elvarb commented Dec 9, 2015

https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=1074&EvtSrc=User32&LCID=1033

Here is an example that is showing what I mean, see the variables named %1,%2 and so on.

That url is a great resource, change the url parameters to get different events

@andrewkroh
Copy link
Member

@elvarb Are you saying that regex based filtering is not required if Winlogbeat supports Event ID based filtering since each message is really just derived from a parameterized message template that is given by Event ID + Event Source?

@elvarb
Copy link

elvarb commented Dec 14, 2015

@andrewkroh Exactly, or I at least hope so. The reference to those fields are all over in the Windows documentation and I know that nxlog can read those fields.

Here is another example https://msdn.microsoft.com/en-us/library/aa368560(v=vs.85).aspx

And how to write event logs using parameters https://msdn.microsoft.com/en-us/library/windows/hardware/ff566411(v=vs.85).aspx

And code examples how to get those insertation strings
https://msdn.microsoft.com/en-us/library/windows/desktop/bb427356(v=vs.85).aspx

I have created regex for various windows event logs coming through OSSEC, which is always full text, not fun and prone to regex errors because of unexpected reasons. Try to avoid regex as much as you can.

In my logstash config I am also using the translate filter for various Windows events to translate from specific codes to human readable text. For example logon type:

"2": Interactive
"3": Network
"4": Batch
"5": Service
"7": Unlock
"8": NetworkClearText
"9": NewCredentials
"10": RemoteInteractive
"11": CachedInteractive

Would be fantastic if beats could do this to on the host level instead of having Logstash do this for well known native codes. (for some cases it is still better to do it in Logstash, custom filters and so on)

@davidhowell-tx
Copy link

You've probably already figured this out, but thought I would add some additional context to elvarb's comments from my non-programmer point of view. You can see the individual fields and values within the event log object in a few methods:

In Event Viewer, the XML View has an EventData node with the individual keys and values, and the message is just a more descriptive representation of the EventData values.

In PowerShell the individual values are accessible in the "Properties" Property. You can see this when you run the following:
$Z = Get-WinEvent -LogName Security -MaxEvents 1
$Z.Message
$Z.Properties

or with:
$Z = Get-EventLog -LogName Security -Newest 1
$Z.Message
$Z.ReplacementStrings

I hope that is helpful, I would really love to see this improvement so I can reduce my logstash parsing a bit.

@andrewkroh
Copy link
Member

The above comment is related to the feature requested in #1053.

@andrewkroh andrewkroh changed the title Winlogbeat - Beat for collecting Windows Event Log information Winlogbeat - Features / Status / Roadmap Mar 31, 2016
@mtmcgrew
Copy link

Reading in .evtx sounds amazing. I'm sure lots of people in the security community would love that!

@tomrade
Copy link

tomrade commented Sep 7, 2017

Currently we have an internal python based solution for offline files using python-evtx , which uses an Event ID yaml library but for beats these may be useful. Its worth nothing that your YAML might need to nested as different event channels will reuse eventids eg security , system etc

evtx go library
https://github.com/0xrawsec/golang-evtx

evtx event id database tool with example output
https://github.com/iadgov/Windows-Event-Log-Messages

@monicasarbu monicasarbu removed the v1.1.0 label May 4, 2018
@andrewkroh
Copy link
Member

Here's and MIT licensed evtx parser I found that we could try: https://github.com/dutchcoders/evtxparser

The https://github.com/0xrawsec/golang-evtx project is GPL so it's incompatible with Apache 2.0.

@PChou
Copy link
Contributor

PChou commented Sep 4, 2018

I think reading .evt and .evtx files can be done with Microsoft native api(EvtQuery, EvtSeek,EvtNext ,EvtClose),
I am working on it, but since we need support glob path(like C:\Windows\System32\winevt\Logs*) and other features, it seems to be a filebeat type instead of winlogbeat module.
checkout:
PChou@d9e9523

@andrewkroh andrewkroh changed the title Winlogbeat - Features / Status / Roadmap [Winlogbeat] Features / Status / Roadmap Sep 18, 2018
@m4rcu5
Copy link

m4rcu5 commented Nov 20, 2018

@PChou I've compiled your branch and just imported 47 archived evtx files (45GB on disk). It worked like a charm. I did notice when extending the glob to all 5 thousand files in the folder, that winlogbeat did choke, causing floods of messages about the event api being to busy.

Looking forward for this feature to make it into release 😄
We archive our Windows Events onto a central WEC server, which archives the logs into 500MB chunks. At the moment, that means, if you halt the Winlogbeat process for a couple of minutes, you will loose logs due to the rotation.

@mgoritzk
Copy link

mgoritzk commented Mar 5, 2019

+1

@urso
Copy link

urso commented Dec 6, 2019

@andrewkroh How relevant is this old meta issue?

@mgoritzk
Copy link

mgoritzk commented Dec 6, 2019

It's still relevant. Currently we need to execute complex grok parsing with Logstash to make the output pretty.

@ruflin
Copy link
Contributor

ruflin commented Apr 5, 2022

I'm closing this general meta issue. In the meantime lots of changes happen. Lets track additional efforts for winlogbeat in separate issues. Many of them are already linked above.

@ruflin ruflin closed this as completed Apr 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests