Zabbix regexp preprocessing with event id log 4624 problem
  • ester
    Junior Member
    • May 2021
    • 2

    #1

    Hello everybody;
    I created the item eventlog(Security,,,4624) and then a preprocessing step with a regular expression. New Logon:abcd is okay, but when I add Source Network Address it is not running;
    Working regexp: https://regex101.com/r/1N1pOy/1 ; this regex with Zabbix output \1\3 => New Logon:mcanbaz => it is working
    Not working regexp: https://regex101.com/r/SjWti4/1 ; this regex with Zabbix output \1\3\7 => New Logon:mcanbaz 192.168.0.10 => it is not working
  • Sebastian
    Member
    • Jul 2020
    • 33

    #2
    Hello ester, could you please post your exact configuration? I will try to recreate this.

    Comment

    • ester
      Junior Member
      • May 2021
      • 2

      #3
      Originally posted by Sebastian
      Hello ester, could you please post your exact configuration? I will try to recreate this.
      eventlog[Security,,,,4648]

      (New Logon(.*\n+.*\n+.|[\r\n\w:\s-]+)Account Name:\s+((?i)\b(?!System)[a-zA-Z0-9]+)(.*\n+.*\n+.*\n+.*\n+.*\n+.*\n+.*\n+.*\n+.*\n+.* \n+)(Network Information(.*\n+.*\n+.|[\r\n\w:\s-]+)Source Network Address:\s+((?i)\b(?!System)[\w.]+) \1\3\7

      eventlog:

      Log Name: Security
      Source: Microsoft-Windows-Security-Auditing
      Date: 06/05/2021 14:57:25
      Event ID: 4624
      Task Category: Logon
      Level: Information
      Keywords: Audit Success
      User: N/A
      Computer: WebServer04
      Description:
      An account was successfully logged on.

      Subject:
      Security ID: SYSTEM
      Account Name: WEBSERVER04$
      Account Domain: WORKGROUP
      Logon ID: 0x3E7

      Logon Information:
      Logon Type: 7
      Restricted Admin Mode: -
      Virtual Account: No
      Elevated Token: No

      Impersonation Level: Impersonation

      New Logon:
      Security ID: WEBSERVER04\mcanbaz
      Account Name: mcanbaz
      Account Domain: WEBSERVER04
      Logon ID: 0x3F24B81
      Linked Logon ID: 0x3F24B63
      Network Account Name: -
      Network Account Domain: -
      Logon GUID: {00000000-0000-0000-0000-000000000000}

      Process Information:
      Process ID: 0x614
      Process Name: C:\Windows\System32\svchost.exe

      Network Information:
      Workstation Name: WEBSERVER04
      Source Network Address: 192.168.0.10
      Source Port: 0

      Detailed Authentication Information:
      Logon Process: User32
      Authentication Package: Negotiate
      Transited Services: -
      Package Name (NTLM only): -
      Key Length: 0

      This event is generated when a logon session is created. It is generated on the computer that was accessed.

      The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

      The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

      The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

      The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

      The impersonation level field indicates the extent to which a process in the logon session can impersonate.

      The authentication information fields provide detailed information about this specific logon request.
      - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
      Event Xml:
      <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
      <EventID>4624</EventID>
      <Version>2</Version>
      <Level>0</Level>
      <Task>12544</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8020000000000000</Keywords>
      <TimeCreated SystemTime="2021-05-06T11:57:25.145285700Z" />
      <EventRecordID>112238</EventRecordID>
      <Correlation ActivityID="{80931da6-4143-0001-071f-93804341d701}" />
      <Execution ProcessID="680" ThreadID="8644" />
      <Channel>Security</Channel>
      <Computer>WebServer04</Computer>
      <Security />
      </System>
      <EventData>
      <Data Name="SubjectUserSid">S-1-5-18</Data>
      <Data Name="SubjectUserName">WEBSERVER04$</Data>
      <Data Name="SubjectDomainName">WORKGROUP</Data>
      <Data Name="SubjectLogonId">0x3e7</Data>
      <Data Name="TargetUserSid">S-1-5-21-2305414523-2991885378-3430239152-1000</Data>
      <Data Name="TargetUserName">mcanbaz</Data>
      <Data Name="TargetDomainName">WEBSERVER04</Data>
      <Data Name="TargetLogonId">0x3f24b81</Data>
      <Data Name="LogonType">7</Data>
      <Data Name="LogonProcessName">User32 </Data>
      <Data Name="AuthenticationPackageName">Negotiate</Data>
      <Data Name="WorkstationName">WEBSERVER04</Data>
      <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
      <Data Name="TransmittedServices">-</Data>
      <Data Name="LmPackageName">-</Data>
      <Data Name="KeyLength">0</Data>
      <Data Name="ProcessId">0x614</Data>
      <Data Name="ProcessName">C:\Windows\System32\svchost.exe </Data>
      <Data Name="IpAddress">192.168.0.10</Data>
      <Data Name="IpPort">0</Data>
      <Data Name="ImpersonationLevel">%%1833</Data>
      <Data Name="RestrictedAdminMode">-</Data>
      <Data Name="TargetOutboundUserName">-</Data>
      <Data Name="TargetOutboundDomainName">-</Data>
      <Data Name="VirtualAccount">%%1843</Data>
      <Data Name="TargetLinkedLogonId">0x3f24b63</Data>
      <Data Name="ElevatedToken">%%1843</Data>
      </EventData>
      </Event>



      Comment

      • Sebastian
        Member
        • Jul 2020
        • 33

        #4
        You can check with the following settings:

        I was able to recreate it on my installation and got it working well.

        Key:
        Code:
        eventlog[Security,,,,4624]
        RegEx:
        Code:
        New Logon:[^*]*Account Name:        (?!System)(.*)[^*]*Network Information:[^*]*(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b)
        Code:
        New Logon:\1 \2


        Last edited by Sebastian; 07-05-2021, 11:12.

        Comment
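To see what the pattern and output template from post #4 actually produce, here is an added Python script (not from the thread or from Zabbix) that emulates the preprocessing step on a constructed excerpt of the 4624 message posted above, and also reads the same two values from the event's EventData XML, which does not depend on the message's whitespace. The 8-space padding after the labels and the trimmed XML are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Pattern and output template from post #4, as entered in the Zabbix
# "Regular expression" preprocessing step.
LOGON_RE = re.compile(
    r"New Logon:[^*]*Account Name:        (?!System)(.*)[^*]*Network Information:[^*]*"
    r"(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}\b)"
)
OUTPUT_TEMPLATE = r"New Logon:\1 \2"

# Constructed excerpt of the 4624 message from the thread. Labels are padded with
# exactly the 8 spaces the pattern expects (assumption: the agent delivers them so);
# "Network Account Name:" is padded less, which is all that keeps the greedy [^*]*
# from latching onto it instead of the real "Account Name:" line.
SAMPLE_MESSAGE = """An account was successfully logged on.

Subject:
Account Name:        WEBSERVER04$

New Logon:
Security ID:        WEBSERVER04\\mcanbaz
Account Name:        mcanbaz
Network Account Name:    -

Network Information:
Source Network Address:        192.168.0.10
Source Port:        0
"""

# Constructed, trimmed Event XML carrying the same two values as structured fields.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<EventData><Data Name="TargetUserName">mcanbaz</Data>
<Data Name="IpAddress">192.168.0.10</Data></EventData></Event>"""

def zabbix_regex_step(message):
    """Emulate the preprocessing step: match the pattern, expand the output template."""
    m = LOGON_RE.search(message)
    if m is None:
        return None  # Zabbix would flag the item unsupported unless custom-on-fail is set
    return m.expand(OUTPUT_TEMPLATE)

def from_event_xml(event_xml):
    """Read TargetUserName/IpAddress from EventData; immune to message whitespace."""
    root = ET.fromstring(event_xml)
    user = root.find(f".//{NS}Data[@Name='TargetUserName']").text
    ip = root.find(f".//{NS}Data[@Name='IpAddress']").text
    return f"New Logon:{user} {ip}"
```

If the agent delivers tab-separated fields, the literal spaces after "Account Name:" must match them exactly; the EventData route avoids that dependency.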

        • Wolfe263
          Junior Member
          • May 2021
          • 1

          #5
          Count of matched lines in log file monitoring with log rotation support.

          ElonOne
          Last edited by Wolfe263; 18-05-2021, 06:42.

          Comment
