Windows event log -> NX-1258

Started by Benjamin Dill, May 27, 2018, 10:53:40 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Benjamin Dill

May 27, 2018, 10:53:40 AM
Hi,
I've read in the changelog for 2.2.3 that parameters of Windows event log can be passed to the server. Is there an example how to do that?
I checked the code but my c++ is a bit rusty... I've seen that "EventData" is parsed, so can I match against these parameters in a parser rule? That would be quite useful!

Greetings,
Ben

Benjamin Dill

#1
May 27, 2018, 11:56:04 AM Last Edit: May 27, 2018, 11:59:29 AM by Benjamin Dill
Also, there seems to be a bug: When generating a NetXMS event from a Windows event the agent crashes (version 2.2.6). Nothing helpful in the log at trace level 9, it just stops after "matched":
Code Select
2018.05.27 10:51:08.559 *D* [logwatch.parser    ] Publisher name is Microsoft-Windows-Security-Auditing
2018.05.27 10:51:08.559 *D* [logwatch.parser    ] Match event: source="Microsoft-Windows-Security-Auditing" id=4768 level=8 text="Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.
2018.05.27 10:51:08.559 *D* [logwatch.parser    ] checking rule 1 ""
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   rule has no context
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   event id 0x000012a0 not in range 0x00001211 - 0x00001211
2018.05.27 10:51:08.559 *D* [logwatch.parser    ] checking rule 2 ""
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   rule has no context
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   negated matching against regexp Ergebniscode: 0x0
2018.05.27 10:51:08.559 *D* [logwatch.parser    ]   matched
Code Select
<parser name="LogonFailure" trace="9">
   <file>*Security</file>
   <rules>
      <rule name="id4625">
         <match repeatCount="0" repeatInterval="120">(.*)</match>
         <id>4625</id>
         <source></source>
      </rule>
      <rule name="id4768">
         <match invert="true" repeatCount="0" repeatInterval="120">Ergebniscode: 0x0</match>
         <id>4768</id>
         <source></source>
<event params="1">100028</event>
      </rule>
...

gdodd

#2
May 30, 2018, 11:12:15 PM Last Edit: May 30, 2018, 11:18:21 PM by gdodd
In the rule "id4768" you have 1 parameter. In your Event 100028 you can use %1 in the message and that will be whatever you matched on.

https://www.netxms.org/documentation/adminguide/log-monitoring.html#passing-parameters-to-events

Benjamin Dill

#3
June 02, 2018, 11:58:11 AM
I know that. I was referring to these changelog entries of 2.2.3:
Quote- Additional information about captured Windows Event Log event passed to the server
QuoteNX-1258 (Option to pass event data from Windows event log to NetXMS event)
I found it out in the meantime: The additional information is accessable by the parameters-property of the event-class in NXSL. Currently the data is only accessable by array-index and the names-array is empty. I'm not sure if this is supposed to be this way...

it_user1

#4
July 03, 2018, 10:08:56 AM
Hi, i'm interested to this option because i want use netxms agent for windows event. Now i use graylog, but if it's possible pass all event's data to netxms i will use it instead graylog
Print
Go Up Pages1
User actions