Parse all the fields of a 4769 Windows EventID, Logon GUID in particular

[canob]

So, after battling with this for days, I didn’t find a way to parse all the fields of a 4769 Windows event ID with one regex.

I ended parsing “in slices”, and even with that, it was impossible to parse/get “Logon GUID” value.

To recapitulate, to try if somebody find a solution, or maybe think that this is a bug:

• An example event, obtained from a Tail Input of a file (generated with Get-WinEvent cmdlet of Powershell, that allow me to get Windows events remotely in JSON format, and if I want, use Linux FluentBit to collect/parse them):
  {"Id":4769,"Version":0,"Qualifiers":null,"Level":0,"Task":14337,"Opcode":0,"Keywords":-9214364837600034816,"RecordId":6606805,"ProviderName":"Microsoft-Windows-Security-Auditing","ProviderId":"54849625-5478-4994-a5ba-3e3b0328c30d","LogName":"Security","ProcessId":692,"ThreadId":6604,"MachineName":"LABDC.LAB.ARG","UserId":null,"TimeCreated":"2023-08-18T10:28:57.8577011-03:00","ActivityId":null,"RelatedActivityId":null,"ContainerLog":"Security","MatchedQueryIds":[],"Bookmark":{"BookmarkXml":"<BookmarkList Direction='backward'>\r\n <Bookmark Channel='Security' RecordId='6606805' IsCurrent='true'/>\r\n</BookmarkList>"},"LevelDisplayName":"Information","OpcodeDisplayName":"Info","TaskDisplayName":"Kerberos Service Ticket Operations","KeywordsDisplayNames":["Audit Success"],"Properties":[{"Value":"[email protected]"},{"Value":"LAB.ARG"},{"Value":"LABDC$"},{"Value":"S-1-5-21-1212037701-3946723201-1981249032-1000"},{"Value":1082195968},{"Value":18},{"Value":"::1"},{"Value":"0"},{"Value":0},{"Value":"db9f553d-8201-c93a-ad04-dacea5af9ac9"},{"Value":"-"}],"Message":"A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\[email protected]\r\n\tAccount Domain:\t\tLAB.ARG\r\n\tLogon GUID:\t\t{db9f553d-8201-c93a-ad04-dacea5af9ac9}\r\n\r\nService Information:\r\n\tService Name:\t\tLABDC$\r\n\tService ID:\t\tS-1-5-21-1212037701-3946723201-1981249032-1000\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::1\r\n\tClient Port:\t\t0\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120."}
• The parsed event in FluentBit:
  windows: [1692365339.963130474, {"ContainerLog":"Security","tag":"windows","Opcode":0,"Message":"A Kerberos service ticket was requested.\r\n\r\nAccount Information:\r\n\tAccount Name:\t\[email protected]\r\n\tAccount Domain:\t\tLAB.ARG\r\n\tLogon GUID:\t\t{db9f553d-8201-c93a-ad04-dacea5af9ac9}\r\n\r\nService Information:\r\n\tService Name:\t\tLABDC$\r\n\tService ID:\t\tS-1-5-21-1212037701-3946723201-1981249032-1000\r\n\r\nNetwork Information:\r\n\tClient Address:\t\t::1\r\n\tClient Port:\t\t0\r\n\r\nAdditional Information:\r\n\tTicket Options:\t\t0x40810000\r\n\tTicket Encryption Type:\t0x12\r\n\tFailure Code:\t\t0x0\r\n\tTransited Services:\t-\r\n\r\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\r\n\r\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\r\n\r\nTicket options, encryption types, and failure codes are defined in RFC 4120.","LevelDisplayName":"Information","Level":0,"Version":0,"TaskDisplayName":"Kerberos Service Ticket Operations","TimeCreated":"2023-08-18T10:28:57.8577011-03:00","Task":14337,"Properties":[{"Value":"[email protected]"},{"Value":"LAB.ARG"},{"Value":"LABDC$"},{"Value":"S-1-5-21-1212037701-3946723201-1981249032-1000"},{"Value":1082195968},{"Value":18},{"Value":"::1"},{"Value":"0"},{"Value":0},{"Value":"db9f553d-8201-c93a-ad04-dacea5af9ac9"},{"Value":"-"}],"Keywords":-9214364837600034816,"MatchedQueryIds":{},"ProviderName":"Microsoft-Windows-Security-Auditing","KeywordsDisplayNames":["Audit Success"],"OpcodeDisplayName":"Info","Id":4769,"Bookmark":{"BookmarkXml":"<BookmarkList Direction='backward'>\r\n <Bookmark Channel='Security' RecordId='6606805' IsCurrent='true'/>\r\n</BookmarkList>"},"RecordId":6606805,"ProcessId":692,"ThreadId":6604,"LogName":"Security","ProviderId":"54849625-5478-4994-a5ba-3e3b0328c30d","MachineName":"LABDC.LAB.ARG"}]
• The regex that is not working on FluenBit, but is working perfect in Rubular (https://rubular.com/r/EUSp5e2CwNsNy4) and in https://cloud.calyptia.com/parser:
  (?<parsed_message>^.*?)\.\\r\\n\\r\\n.*\\r\\n\\tAccount Name:[\\t\\t](https://t//t)(?<Account_Name>.*)\\r\\n\\tAccount Domain:\\t\\t(?<Account_Domain>.*)\\r\\n\\tLogon GUID:\\t\\t{(?<Logon_GUID>.*)}\\r\\n\\r\\n.*Service Name:\\t\\t(?<Service_Name>.*)\\r\\n\\tService ID:\\t\\t(?<Service_ID>.*)\\r\\n\\r\\n.*\\r\\n\\tClient Address:\\t\\t(?<Client_Address>.*)\\r\\n\\tClient Port:\\t\\t(?<Client_Port>.*)\\r\\n\\r\\n.*\\r\\n\\tTicket Options:\\t\\t(?<Ticket_Options>.*)\\r\\n\\tTicket Encryption Type:\\t(?<Ticket_Encryption_Type>.*)\\r\\n\\tFailure Code:\\t\\t(?<Failure_Code>.*)\\r\\n\\t
• A regex for 4768 Windows event ID, that is almost identical to the regex for 4769 Windows event ID (one of the main differences is that 4768 Windows event ID don’t have Logon GUID), is working perfectly on Rubular (https://rubular.com/r/ZOOjCoIFbdZ5gO) and on FluentBit. The only thing that I needed to do to work on FluentBit (I really don’t understand why) was to replace double scape \ with single scape \ in the regex for \n, \r and \t.
• Understanding that the problem is the Logon GUID, I ended doing two parsers to get all the fields that I need (except Logon GUID), over the same record:

[PARSER]
    Name windows_parsers_evt_4769
    Format regex
    Regex (?<parsed_message>^.*?)\.\r\n\r\n.*\r\n\tAccount Name:\t\t(?<Account_Name>.*)\r\n\tAccount Domain:\t\t(?<Account_Domain>.*).*\r\n\tLogon GUID:
    Skip_Empty_Values false
[PARSER]
    Name windows_parsers_evt_4769_2
    Format regex
    Regex .*Service Name:\t\t(?<Service_Name>.*)\r\n\tService ID:\t\t(?<Service_ID>.*)\r\n\r\n.*\r\n\tClient Address:\t\t(?<Client_Address>.*)\r\n\tClient Port:\t\t(?<Client_Port>.*)\r\n\r\n.*\r\n\tTicket Options:\t\t(?<Ticket_Options>.*)\r\n\tTicket Encryption Type:\t(?<Ticket_Encryption_Type>.*)\r\n\tFailure Code:\t\t(?<Failure_Code>.*)\r\n\t
    Skip_Empty_Values false

• After that, I tried to parse Logon GUID with a third parser, with no luck:

## Trying to get Logon GUID from Message field
[PARSER]
    Name windows_parsers_evt_4769_3
    Format regex
    Regex .*Logon GUID:\t\t{(?<Logon_GUID>.*)}\r\n\r\n.*Service Name:
    Skip_Empty_Values false
## Trying to get Logon GUID from Properties field (the 9th value of Properties JSON Array)
[PARSER]
    Name windows_parsers_evt_4769_3
    Format regex
    Regex .*,.*,.*,.*,.*,.*,.*,.*,.*,{"Value":"(?<Logon_GUID>.*)"},.*
    Skip_Empty_Values false

I tried too with winevtlog from FluentBit as an Input, and it was exactly the same about parsing Message field. StringInserts array field generated by winevtlog input from FluentBit in that case was almost identical to Properties array field generated by Get-Winevent cmdlet of Powershell (the only difference is that StringInserts don’t have field names), and I tried with a similar parser without any luck.

Anybody have any other ideas of how can obtain Logon GUID value from Windows 4769 ID record?

Thanks in advance for your help.

[patrick-stephens]

Doing it all in LUA might be better to pre-process and have various if/else cases for the message contents.
Trying to do a monster regex is always tricky plus may be brittle to change - with LUA you could ensure some pre-requisites are in place, etc.

[canob]

Even if I try to do the parsing with LUA, it is ok that a regex that is matching perfectly on Rubular and on https://cloud.calyptia.com/parser is not working on FluentBit, or is something that need to be reviewed and maybe is a bug on FluentBit?

[canob]

Ok, thanks @patrick-stephens . I don't know much about LUA, but I'm going to try to learn, to do the needed parsing with LUA.

Thanks!

[patrick-stephens]

https://calyptia.github.io/sandbox/ may help you with that.