FortiSIEM Discussions
adem_netsys
Contributor

Having Windows Parser Issue

Hi guys,

 

I am using a Windows agent (7.1.0 Agent); some fields in the incoming log are not parsed, and some fields in the incidents for the default rules it hits are empty. Normally, I think there should not be such a situation in the default parser. When I test the incoming log in the parser, I get an error. Has anyone encountered this situation?

 

Sample log (anonymized): 2024-12-18T07:35:23Z SERVER.anonymized.com 10.0.0.1 AccelOps-WUA-WinLog-Application [phCustId]="XXXX" [customer]="ANON-CUST" [monitorStatus]="Success" [Locale]="xx-XX" [MachineGuid]="00000000-0000-0000-0000-000000000000" [timeZone]="+0000" [extEventRecvProto]="Windows Agent" [eventName]="Application" [eventSource]="MSSQLSERVER" [eventId]="18456" [eventType]="Information" [domain]="" [computer]="SERVER.anonymized.com" [user]="" [userSID]="" [userSIDAcctType]="" [eventTime]="Dec 18 2024 07:35:23" [deviceTime]="Dec 18 2024 07:35:23" [msg]="Login failed for user 'ANON-USER'. Reason: Failed to open the explicitly specified database 'ANON_DB'. [CLIENT: 10.0.0.2]"

 

Thank you

Secusaurus
Contributor II

Hi @adem_netsys,

 

We experience different parsing of Windows Agent logs in every version of the cluster and the agent. It seems like they constantly change how the Agent sends and how the FSM parses the received information.

So, in our experience, make sure that the Agent and the cluster match in their versions and that the most recent Content Update is installed.

 

Best,

Christian

FCP & FCSS Security Operations | Fortinet Advanced Partner
adem_netsys

@Secusaurus


I actually tried this in a test environment with a content update and an updated version, and the result was the same. Since it is known that a custom parser has been passed before, there may be different formatting here. How can I separate the user and client IP information in the message without breaking the rest of the parser? The general rule is empty, since these fields come as the message in the incident.

cdurkin_FTNT
Staff

So I believe with that version of FortiSIEM, your event would be matching the WinOSWmiParser.

 

If you are comfortable editing parsers, you can add this extra <case> statement below to the XML that is processing the 18456 eventId:

 

<case>
  <collectAndSetAttrByRegex src="$_body">
    <regex><![CDATA[.*Login failed for user '<user:patStrQuote>'\..*?\[CLIENT: <_srcId:gPatStrRightSB>\]]]></regex>
  </collectAndSetAttrByRegex>
</case>


Apologies, I do not have a 7.1 box, but on my 7.2 version this function was around line 3777.

parserEdit.png

(Also, note there seems to be duplication of this event code in the parser, so if you see the same, make sure you edit the later, longer entry.)

The net result will parse your user and IP.

18456.png
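As an added illustration (not code from this thread or from Fortinet), here is the same extraction in Python: split the agent's [key]="value" body into attributes, then, for MSSQLSERVER event 18456 only, pull the login name and the [CLIENT: ...] address out of msg the way the <case> above does. The sample event is a trimmed copy of the anonymized line from the original post, and srcIpAddr is the attribute name I chose for the result.

```python
import re

# Constructed sample: a trimmed copy of the anonymized event posted in the thread.
SAMPLE_EVENT = (
    '2024-12-18T07:35:23Z SERVER.anonymized.com 10.0.0.1 AccelOps-WUA-WinLog-Application '
    '[phCustId]="XXXX" [customer]="ANON-CUST" [monitorStatus]="Success" '
    '[eventName]="Application" [eventSource]="MSSQLSERVER" [eventId]="18456" '
    '[eventType]="Information" [computer]="SERVER.anonymized.com" [user]="" '
    '[eventTime]="Dec 18 2024 07:35:23" '
    '[msg]="Login failed for user \'ANON-USER\'. Reason: Failed to open the explicitly '
    'specified database \'ANON_DB\'. [CLIENT: 10.0.0.2]"'
)

# One [key]="value" pair. The value may itself contain brackets (the CLIENT clause),
# so the value is "anything up to the closing quote", not "anything up to the next ]".
ATTR_RE = re.compile(r'\[(\w+)\]="([^"]*)"')

# Same shape as the regex in the parser <case> above: the login name is the quoted
# token after "for user", the client address is whatever sits inside [CLIENT: ...].
MSSQL_18456_RE = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<src>[^\]]+)\]"
)


def parse_attrs(event: str) -> dict:
    """Split the agent's [key]="value" body into a dict (header words are ignored)."""
    return {key: value for key, value in ATTR_RE.findall(event)}


def enrich_18456(attrs: dict) -> dict:
    """Fill user and srcIpAddr for SQL Server event 18456 from the msg text.

    Other event IDs, or a msg without a CLIENT clause, are returned unchanged so a
    non-matching message never breaks the rest of the parsed event.
    """
    if attrs.get("eventSource") != "MSSQLSERVER" or attrs.get("eventId") != "18456":
        return attrs
    match = MSSQL_18456_RE.search(attrs.get("msg", ""))
    if not match:
        return attrs
    enriched = dict(attrs)
    if not enriched.get("user"):          # the agent sent [user]="" for this event
        enriched["user"] = match.group("user")
    enriched["srcIpAddr"] = match.group("src")   # assumed attribute name
    return enriched
```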

adem_netsys

Hi @cdurkin_FTNT

 

Thank you for your interest. I added it to the relevant ID as you mentioned, but I continue to get errors.

Ekran görüntüsü 2024-12-19 143214.png
Ekran görüntüsü 2024-12-19 143307.png
