Does anyone have any ideas why the "packet" data for this Windows Event log looks like this? I'm talking specifically about:
Security ID: %1
Account Name: %2
Account Domain: %3
Screenshot shared below.
These are workstation event logs that we are collecting through Windows Event Forwarding going to a WEC server with a MEF agent installed and sending data to SIEM.
Having to add thousands of data sources, manage them all and update them would be a nightmare. With WEC I can ensure that any new workstations get SIEM logging immediately via group policy. And I only have to manage a single data source (the Windows Event Collector server).
I see your point; however, we're using WEF to selectively send highly relevant and generally low volume events to SIEM (user created, scheduled tasks created/edited, account lockout, kernel driver notifications, system time changes, etc.).
So yes, in an environment with thousands of workstations this generates maybe a couple hundred alerts a day.
1. Confirm you are using the latest SIEM collector release
2. Compare the logs. Are all PCs' packets having this issue? Also check the config between them on the log aggregator.
I haven't added PC events like you did via WEF, but I thought that although you use a log aggregator, you still have to add data sources individually under the single WEF parent data source; the SIEM won't add them for you. Otherwise, will all PC events come under the same data source?
The data looks like this because it is transmitted to the SIEM in MEF format. The MEF parser then explodes the data to appear as it does in your screenshot. MEF has extensions that allow you to control the field assignment in the SIEM.
I have found using another technology such as nxlog or something similar to get the data out of the Windows Event Log to be the easiest solution, and you can control the parsing.
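The `%1`, `%2`, `%3` strings in the screenshot are the insertion-string slots of the event's message template; the actual values travel in the event's EventData, and a SIEM shows the raw template when nothing substitutes them. As an added example (not code from this thread, the SIEM vendor, or nxlog), the Python below pulls the insertion strings out of a forwarded event's XML, renders the template, and flags records that still carry unresolved placeholders so a rendering failure can be detected before it silently breaks correlation rules keyed on account names. The event XML and the template text are constructed samples in the Windows event style, not copied from Microsoft's message files.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (as produced by wevtutil / WEF).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample of a forwarded "user account created" style event.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4720</EventID></System>
  <EventData>
    <Data Name="TargetUserName">svc-backup</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-500</Data>
    <Data Name="SubjectUserName">admin</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>"""

# Constructed template in the same style as the screenshot: %n refers to the
# n-th insertion string (1-based), i.e. the n-th <Data> element in order.
SAMPLE_TEMPLATE = (
    "A user account was created.\n"
    "Subject: Security ID: %4 Account Name: %5 Account Domain: %6\n"
    "New Account: Security ID: %3 Account Name: %1 Account Domain: %2\n"
)

# %n placeholders; "%%n" is a parameter-message-file reference, so it is excluded.
PLACEHOLDER = re.compile(r"(?<!%)%(\d+)")


def insertion_strings(event_xml: str) -> list[str]:
    """Return the event's insertion strings in document order."""
    root = ET.fromstring(event_xml)
    return [(d.text or "") for d in root.findall("e:EventData/e:Data", NS)]


def render_message(template: str, inserts: list[str]) -> str:
    """Substitute %n with the n-th insertion string; leave out-of-range slots as-is."""
    def sub(m: re.Match) -> str:
        idx = int(m.group(1))
        return inserts[idx - 1] if 1 <= idx <= len(inserts) else m.group(0)
    return PLACEHOLDER.sub(sub, template)


def unresolved_placeholders(text: str) -> list[str]:
    """List %n slots that survived rendering; non-empty means the SIEM got a raw template."""
    return ["%" + n for n in PLACEHOLDER.findall(text)]
```

Running `unresolved_placeholders` over the message field of each ingested record gives a cheap health check: any hit means the collector forwarded the template without its insertion strings, which is exactly the symptom in the screenshot.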