Event ID 4698 Not Making It To Graylog

1. Describe your incident:
I am looking to build out some alerts that required Event ID 4698 in Windows (Scheduled Task Created). I modified the GPO for audit success/failure of ‘Other Objects’ and that has made it so logs are generated in event viewer but they are still not making it into GL as far as I can tell.

2. Describe your environment:

  • OS Information:

Running GL Cloud.
Client device is Windows 11, w/ sidecar, nxlog and sysmon.

  • Service logs, configurations, and environment variables:

Here is an example 4698 event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4699</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12804</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2024-08-29T15:20:01.5841151Z" />
    <EventRecordID>165395</EventRecordID>
    <Correlation ActivityID="{71814a85-fa26-0006-b54a-817126fada01}" />
    <Execution ProcessID="1264" ThreadID="1372" />
    <Channel>Security</Channel>
    <Computer>testdomain.testdomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-217194642-45634563456742-2742321624-28153</Data>
    <Data Name="SubjectUserName">username-redacted</Data>
    <Data Name="SubjectDomainName">TEST</Data>
    <Data Name="SubjectLogonId">0x1f99a2</Data>
    <Data Name="TaskName">\test</Data>
    <Data Name="TaskContent" />
    <Data Name="ClientProcessStartKey">30117822508040619</Data>
    <Data Name="ClientProcessId">18572</Data>
    <Data Name="ParentProcessId">9616</Data>
    <Data Name="RpcCallClientLocality">0</Data>
    <Data Name="FQDN">testdomain.testdomain.com</Data>
  </EventData>
</Event>

Here is an example nxlog configuration, but I also tried another one without any drops/suppressions:

#Prod
define ROOT C:\Program Files\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# GELF formatting for the Graylog output (the instance name is historical; this is xm_gelf, not syslog)
<Extension _syslog>
    Module      xm_gelf
</Extension>

<Extension json>
    Module      xm_json
</Extension>

# Event IDs dropped before they reach Graylog; note that 4698/4699 are not in this list
define DroppedEventIDs      4634, 4624, 1035, 1003, 16394, 63, 16384, 4688

<Input inWindowsAudit>
    Module          im_msvistalog
    ReadFromLast    True
    # The Security channel is selected with no filter, so 4698 is collected whenever Windows writes it
    Query <QueryList> \
    <Query Id="0"> \
    <Select Path="Application">*</Select> \
    <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
    <Select Path="Security">*</Select> \
    <Select Path="System">*[System[(level='4')]]</Select> \
    <Suppress Path="Application">*[System[(EventID=258)]]</Suppress> \
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=4104 or EventID=4106)]]</Select> \
    </Query> \
    </QueryList>

    Exec if ($EventID IN (%DroppedEventIDs%)) drop();
    # Dots are escaped so each pattern matches the literal address rather than any character
    Exec if ($DestAddress =~ /10\.0\.0\.111/) drop();
    Exec if ($DestAddress =~ /127\.0\.0\.1/) drop();
    Exec if ($DestAddress =~ /230\.0\.0\.4/) drop();
    Exec if ($EventID == 0 and $message == 'PowerEvent handled successfully by the service.') drop();
    Exec if ($EventID == 22 and $QueryName == 'something-redacted') drop();
</Input>

# GELF over UDP; this is the path on which 4698 never arrived (see the resolution below)
<Output outGraylog>
    Module      om_udp
    Host        10.11.11.11
    Port        12202
    OutputType  GELF
</Output>

<Route 1>
    Path        inWindowsAudit => outGraylog
</Route>

3. What steps have you already taken to try and solve the problem?

Tried making a new nxlog config that's barebones.
Tried adding lines to include that event ID.
I have tried just looking up this issue, no success there.
Tried reinstalling nxlog and restarting sidecar.
Looked for the log everywhere and it seems that event id is not getting logged anywhere.
I poked around the sysmon config for relevant includes/exclude statements but couldn’t find any.
Reviewed pipeline rules and there is nothing that would drop it in there.
Looked at received messages for the input and it seems to never show up.

4. How can the community help?

Are you able to point me in the right direction to find out why this is not being logged to the SIEM? This doesn’t seem to be an issue with nxlog but not sure where else to look. As far as I can tell, it never hits the input.

One more interesting thing to note is that I am receiving scheduled task deleted events (just not task created) which is making me wonder if the problem has to do with how the event is structured…

Turns out it had something to do with the UDP input, send that event ID to a TCP input and it came through fine. This can be closed.

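The poster's resolution was to send the event to a GELF TCP input instead of the UDP one. Before touching the transport, the check a defender wants on the Windows 11 client itself is whether 4698 is actually written to the Security log, and how big it is compared with 4699: a 4698 (task created) event carries the entire task definition XML in its TaskContent field, so it is normally far larger than a 4699 (task deleted), and the sample event pasted above is in fact a 4699. The following diagnostic is an added example, not code from the original post or from NXLog or Graylog; it assumes an elevated PowerShell prompt on the collecting host and reports the raw event XML size, which is not identical to the GELF payload size but tracks it closely. On the NXLog side, the counterpart of the poster's fix would be an om_tcp output with OutputType GELF_TCP pointed at a Graylog GELF TCP input (assumed, since the page does not show that config).

```powershell
# Added diagnostic (not part of the original post): confirm that 4698/4699 are
# being written to the Security log and compare their rendered sizes.

function Get-OtherObjectAuditSetting {
    # "Other Object Access Events" is the audit subcategory that produces 4698/4699.
    auditpol /get /subcategory:"Other Object Access Events" 2>&1 | Out-String
}

function Get-ScheduledTaskAuditEvents {
    param(
        [int]$MaxEvents = 50,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4698, 4699
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $raw  = $_.ToXml()
        $xml  = [xml]$raw
        $data = @{}
        # Flatten <Data Name="..."> elements into a hashtable keyed by Name.
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            TaskName    = $data['TaskName']
            Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            # Raw event XML size in bytes; 4698 includes the full task XML in TaskContent.
            XmlBytes    = [Text.Encoding]::UTF8.GetByteCount($raw)
            HasContent  = -not [string]::IsNullOrEmpty($data['TaskContent'])
        }
    }
}

function Get-AuditEventSizeSummary {
    # Count per event ID and the largest rendered size seen for each.
    Get-ScheduledTaskAuditEvents |
    Group-Object Id |
    ForEach-Object {
        [pscustomobject]@{
            Id       = $_.Name
            Count    = $_.Count
            MaxBytes = ($_.Group | Measure-Object XmlBytes -Maximum).Maximum
        }
    }
}

Get-OtherObjectAuditSetting
Get-ScheduledTaskAuditEvents | Format-Table -AutoSize
Get-AuditEventSizeSummary   | Format-Table -AutoSize
```

If the audit setting shows "No Auditing", the GPO change has not applied and nothing downstream will see 4698. If 4698 rows appear locally with a MaxBytes several times that of 4699 but only 4699 reaches Graylog, the collector-to-SIEM transport is the next place to look, which matches what the poster found when moving the event to a TCP input.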
