› › ›

解码 XML Wineventlog

编辑

解码 XML Wineventlog编辑

此功能处于技术预览阶段，可能在将来的版本中发生更改或被删除。Elastic 将努力解决任何问题，但技术预览中的功能不受官方 GA 功能的支持 SLA 的约束。

decode_xml_wineventlog 处理器解码存储在 field 键下的 XML 格式的 Windows 事件日志数据。它将结果输出到 target_field。

输出字段将与 winlogbeat winlog 字段相同。

支持的配置选项如下

field: (必填) 包含 XML 的源字段。默认值为 message。
target_field: (必填) 将解码的 XML 写入的字段。要将解码的 XML 字段合并到事件的根目录，请指定一个空字符串的 target_field (target_field: "")。默认值为 winlog。
overwrite_keys: (可选) 一个布尔值，指定是否用解码的 XML 对象中的键覆盖事件中已存在的键。默认值为 true。
map_ecs_fields: (可选) 一个布尔值，指定是否在可能的情况下映射额外的 ECS 字段。请注意，ECS 字段键放置在 target_field 之外。默认值为 true。
ignore_missing: (可选) 如果为 true，则处理器在指定的字段不存在时不会返回错误。默认值为 false。
ignore_failure: (可选) 忽略处理器产生的所有错误。默认值为 false。

示例

processors:
  - decode_xml_wineventlog:
      field: event.original
      target_field: winlog

{
  "event": {
    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>"
  }
}

将生成以下输出

{
  "event": {
    "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4672</EventID><Version>0</Version><Level>0</Level><Task>12548</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-03-23T09:56:13.137310000Z'/><EventRecordID>11303</EventRecordID><Correlation ActivityID='{ffb23523-1f32-0000-c335-b2ff321fd701}'/><Execution ProcessID='652' ThreadID='4660'/><Channel>Security</Channel><Computer>vagrant</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>SYSTEM</Data><Data Name='SubjectDomainName'>NT AUTHORITY</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='PrivilegeList'>SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Data></EventData><RenderingInfo Culture='en-US'><Message>Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege</Message><Level>Information</Level><Task>Special Logon</Task><Opcode>Info</Opcode><Channel>Security</Channel><Provider>Microsoft Windows security auditing.</Provider><Keywords><Keyword>Audit Success</Keyword></Keywords></RenderingInfo></Event>",
    "action":   "Special Logon",
		"code":     "4672",
		"kind":     "event",
		"outcome":  "success",
		"provider": "Microsoft-Windows-Security-Auditing",
  },
	"host": {
    "name": "vagrant",
  },
  "log": {
    "level": "information",
  },
  "winlog": {
    "channel": "Security",
    "outcome": "success",
    "activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
    "level": "information",
    "event_id": 4672,
    "provider_name": "Microsoft-Windows-Security-Auditing",
    "record_id": 11303,
    "computer_name": "vagrant",
    "keywords_raw": 9232379236109516800,
    "opcode": "Info",
    "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
    "event_data": {
      "SubjectUserSid": "S-1-5-18",
      "SubjectUserName": "SYSTEM",
      "SubjectDomainName": "NT AUTHORITY",
      "SubjectLogonId": "0x3e7",
      "PrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"
    },
    "task": "Special Logon",
    "keywords": [
      "Audit Success"
    ],
    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\nPrivileges:\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
    "process": {
      "pid": 652,
      "thread": {
        "id": 4660
      }
    }
  }
}

有关支持条件的列表，请参阅条件。

字段映射如下

事件字段	源 XML 元素	注释
`winlog.channel`	`<Event><System><Channel>`
`winlog.event_id`	`<Event><System><EventID>`
`winlog.provider_name`	`<Event><System><Provider>`	`Name` 属性
`winlog.record_id`	`<Event><System><EventRecordID>`
`winlog.task`	`<Event><System><Task>`
`winlog.computer_name`	`<Event><System><Computer>`
`winlog.keywords`	`<Event><RenderingInfo><Keywords>`	每个 `Keyword` 的列表
`winlog.opcodes`	`<Event><RenderingInfo><Opcode>`
`winlog.provider_guid`	`<Event><System><Provider>`	`Guid` 属性
`winlog.version`	`<Event><System><Version>`
`winlog.time_created`	`<Event><System><TimeCreated>`	`SystemTime` 属性
`winlog.outcome`	`<Event><System><Keywords>`	如果设置了位 0x20000000000000，则为“success”，如果设置了 0x10000000000000，则为“failure”
`winlog.level`	`<Event><System><Level>`	转换为小写
`winlog.message`	`<Event><RenderingInfo><Message>`	删除换行符
`winlog.user.identifier`	`<Event><System><Security><UserID>`
`winlog.user.domain`	`<Event><System><Security><Domain>`
`winlog.user.name`	`<Event><System><Security><Name>`
`winlog.user.type`	`<Event><System><Security><Type>`	从整数转换为字符串
`winlog.event_data`	`<Event><EventData>`	映射，其中 Data 元素中的 `Name` 属性为键，而 Data 元素的值为值
`winlog.user_data`	`<Event><UserData>`	映射，其中 Data 元素中的 `Name` 属性为键，而 Data 元素的值为值
`winlog.activity_id`	`<Event><System><Correlation><ActivityID>`
`winlog.related_activity_id`	`<Event><System><Correlation><RelatedActivityID>`
`winlog.kernel_time`	`<Event><System><Execution><KernelTime>`
`winlog.process.pid`	`<Event><System><Execution><ProcessID>`
`winlog.process.thread.id`	`<Event><System><Execution><ThreadID>`
`winlog.processor_id`	`<Event><System><Execution><ProcessorID>`
`winlog.processor_time`	`<Event><System><Execution><ProcessorTime>`
`winlog.session_id`	`<Event><System><Execution><SessionID>`
`winlog.user_time`	`<Event><System><Execution><UserTime>`
`winlog.error.code`	`<Event><ProcessingErrorData><ErrorCode>`

如果启用了 map_ecs_fields，则还会执行以下字段映射

事件字段	源 XML 或其他字段	注释
`event.code`	`winlog.event_id`
`event.kind`	`"event"`
`event.provider`	`<Event><System><Provider>`	`Name` 属性
`event.action`	`<Event><RenderingInfo><Task>`
`event.host.name`	`<Event><System><Computer>`
`event.outcome`	`winlog.outcome`
`log.level`	`winlog.level`
`message`	`winlog.message`
`error.code`	`winlog.error.code`
`error.message`	`winlog.error.message`

« 解码 XML 解压缩 gzip 字段 »