r_gine
Level 9
Message 1 of 8

Windows Event Log Data Parsing (Packet Data)

Does anyone have any ideas why the "packet" data for this Windows Event log looks like this? I'm talking specifically about:

Security ID: %1
Account Name: %2
Account Domain: %3
etc, etc.

Screenshot shared below. 

These are workstation event logs that we are collecting through Windows Event Forwarding going to a WEC server with a MEF agent installed and sending data to the SIEM.

2019-01-17_17-05-00.png

7 Replies
Reliable Contributor sssyyy
Message 2 of 8

Re: Windows Event Log Data Parsing (Packet Data)

Why not just get the events from the PCs directly via WMI from the ERC?

r_gine
Level 9
Message 3 of 8

Re: Windows Event Log Data Parsing (Packet Data)

Having to add thousands of data sources, manage them all and update them would be a nightmare. With WEC I can ensure that any new workstations get SIEM logging immediately via group policy, and I only have to manage a single data source (the Windows Event Collector server).

Reliable Contributor sssyyy
Message 4 of 8

Re: Windows Event Log Data Parsing (Packet Data)

Thousands? Wow, sounds like you've got a syslog server rather than a SIEM.

r_gine
Level 9
Message 5 of 8

Re: Windows Event Log Data Parsing (Packet Data)

I see your point; however, we're using WEF to selectively send highly relevant and generally low-volume events to the SIEM (user created, scheduled tasks created/edited, account lockout, kernel driver notifications, system time changes, etc.).

So yes, in an environment with thousands of workstations this generates maybe a couple hundred alerts a day.

Reliable Contributor sssyyy
Message 6 of 8

Re: Windows Event Log Data Parsing (Packet Data)

Right. 

1. Confirm you are using the latest SIEM collector release

2. Compare the logs. Are all PCs' packets having this issue? Check the config between them on the log aggregator.

Reliable Contributor sssyyy
Message 7 of 8

Re: Windows Event Log Data Parsing (Packet Data)

I haven't added PC events like you did via WEF, but I thought that although you use a log aggregator, you still have to add data sources individually under the single WEF parent data source; the SIEM won't add them for you, otherwise all PC events will come under the same data source?

Reliable Contributor brenta
Message 8 of 8

Re: Windows Event Log Data Parsing (Packet Data)

The data looks like this because it is transmitted to the SIEM in MEF format. The MEF parser then explodes the data to appear as it does in your screenshot. MEF has extensions to allow you to control the field assignment in the SIEM.

I have found using another technology such as nxlog or something similar to get the data out of the Windows Event Log to be the easiest solution, and you can control the parsing.


Brent
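The `%1`, `%2`, `%3` tokens in the original screenshot are the insertion-string placeholders of a Windows event message template; Event Viewer normally fills them from the event's EventData, and a collection path that forwards the template without its data (as brenta describes for the MEF path) leaves them unresolved. The following added example, written for this thread and not taken from McAfee, nxlog or the poster's environment, shows that rendering step and two defender-side checks: a health check that flags events still carrying unresolved placeholders, and a field extractor that splits a rendered description into the `Section.Label` pairs a SIEM would index. The template and EventData values are constructed for the example (they are not the real text of any Windows event), and `render_message`, `unresolved_placeholders` and `extract_fields` are hypothetical names.

```python
import re
from typing import Dict, List

# Constructed message template in the style of a Windows Security event
# description. Windows message files use %1, %2, ... as insertion-string
# placeholders that are filled from the event's EventData. This text is
# made up for the example and is not the real wording of any event ID.
SAMPLE_TEMPLATE = (
    "A user account was created.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\t%1\n"
    "\tAccount Name:\t\t%2\n"
    "\tAccount Domain:\t\t%3\n"
    "\tLogon ID:\t\t%4\n"
    "\n"
    "New Account:\n"
    "\tSecurity ID:\t\t%5\n"
    "\tAccount Name:\t\t%6\n"
    "\tAccount Domain:\t\t%7\n"
)

# Constructed EventData values, in the order the template references them.
SAMPLE_EVENTDATA = [
    "S-1-5-21-111-222-333-1001", "jdoe", "CORP", "0x3E7",
    "S-1-5-21-111-222-333-1105", "svc-backup", "CORP",
]

# %n (one or more digits, so %10 is the tenth value, not %1 followed by 0)
# or %% for a literal percent sign. Other FormatMessage escapes are ignored
# here as a simplification.
_PLACEHOLDER = re.compile(r"%(%|\d+)")


def render_message(template: str, insertion_strings: List[str]) -> str:
    """Substitute each %n with the n-th (1-based) insertion string.

    A placeholder with no matching value is left untouched; that is exactly
    the 'Security ID: %1' text the screenshot shows, i.e. a template that
    reached the SIEM without its EventData values."""
    def substitute(match: "re.Match[str]") -> str:
        token = match.group(1)
        if token == "%":
            return "%"
        index = int(token) - 1
        if 0 <= index < len(insertion_strings):
            return insertion_strings[index]
        return match.group(0)  # keep the unresolved placeholder visible

    return _PLACEHOLDER.sub(substitute, template)


def unresolved_placeholders(text: str) -> List[int]:
    """Return the placeholder numbers still present in a message.

    An ingestion health check can alert on forwarded events whose
    description still contains %n tokens instead of silently indexing
    '%1' as the account name."""
    return sorted({int(t) for t in _PLACEHOLDER.findall(text) if t != "%"})


def extract_fields(rendered: str) -> Dict[str, str]:
    """Split a rendered description into 'Section.Label' -> value pairs,
    roughly what a SIEM parser does when it explodes the message text.

    Unindented lines ending in ':' start a section; tab-indented lines
    are 'Label:<tabs>value' pairs within the current section."""
    fields: Dict[str, str] = {}
    section = ""
    for line in rendered.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t"):
            section = line.rstrip(":").strip() if line.endswith(":") else ""
            continue
        label, _, value = line.strip().partition(":")
        key = f"{section}.{label.strip()}" if section else label.strip()
        fields[key] = value.strip()
    return fields


if __name__ == "__main__":
    rendered = render_message(SAMPLE_TEMPLATE, SAMPLE_EVENTDATA)
    print(rendered)
    print("unresolved in raw template:", unresolved_placeholders(SAMPLE_TEMPLATE))
    print("unresolved after rendering:", unresolved_placeholders(rendered))
    print(extract_fields(rendered))
```

Running the module prints the filled-in description, shows that the raw template reports placeholders 1 through 7 as unresolved while the rendered text reports none, and lists the extracted `Subject.*` and `New Account.*` fields. The point for triage of the thread's symptom is the second check: if a collector ships the template and the EventData separately (or drops the data), `unresolved_placeholders` on the description a SIEM received is non-empty, which distinguishes a parsing problem on the collection path from a workstation that genuinely logged nothing.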