grok Pattern for Event ID 4663 not working extractor

My 4663 Log

Pattern which i have used from the site to test

https://grokdebug.herokuapp.com/

Output

```json
{
  "messageTitle": ["An attempt was made to access an object."],
  "subjectHeader": ["Subject:"],
  "subjectSecurityIDTitle": ["Security ID:"],
  "subjectSecurityID": ["S-1-5-21-3582699469-3819540374-2698495323-1156"],
  "accountNameTitle": ["Account Name:"],
  "accountName": ["Syed"],
  "accountDomainTitle": ["Account Domain:"],
  "accountDomain": ["xxx"],
  "accountLogonGUIDTitle": ["Logon ID:"],
  "accountLogonGUID": ["0x61162CDE"],
  "ObjectHeader": ["Object:"],
  "ObjectServerTitle": ["Object Server:"],
  "ObjectServer": ["Security"],
  "ObjectTypeTitle": ["Object Type:"],
  "ObjectType": ["File"],
  "ObjectNameTitle": ["Object Name:"],
  "ObjectName": ["G:\reate a cron for dnd customers with 60days period insert it in respective campaign\csc-modules-Campaigns-models\Record.php"],
  "HandleIDTitle": ["Handle ID:"],
  "Handle": ["0x27fc"],
  "objectResourceAttributesTitle": ["Resource Attributes:"],
  "ResourceAttributes": ["S:AI(RA;;;;;WD;(\"IMAGELOAD\",TU,0x0,1))"],
  "procInfoHeader": ["Process Information:"],
  "processIDTitle": ["Process ID:"],
  "processID": ["0x4"],
  "processNameTitle": ["Process Name:"],
  "processName": [""],
  "accessInfoHeader": ["Access Request Information:"],
  "accessesTitle": ["Accesses:"],
  "accesses": ["ReadAttributes"],
  "accessMaskTitle": [""],
  "accessmask": [""]
}
```

I get output like this, but in Graylog I am not able to extract.

I am not particularly good with GROK but I’ll note that if you want help, there are a couple of things you can do with your post to make it easier for others to understand and experiment/help:

  • put in the actual text and use the forum tools in the editor box like </> to make your code readable
  • what kind of input are you using?
  • what version of Graylog are you on?
  • explain what you have tried, what you have researched (did you test against data when creating the grok extractor?)

I am getting logs from a Windows server using GELF UDP.

What I get from the Windows server is:

```text
AccessList
%%4416
AccessMask
0x1
Category
Removable Storage
Channel
Security
EventID
4663
EventReceivedTime
2021-09-03 11:32:43
EventType
AUDIT_SUCCESS
HandleId
0xa70
Keywords
-9214364837600035000
ObjectName
I:\ACE Backup\BCK7\Archives_nsd_F\Mar1-Mar18\june\12
ObjectServer
Security
ObjectType
File
Opcode
Info
OpcodeValue
0
ProcessID
600
ProcessName
C:\Program Files (x86)\AceBIT\AceBackup 3\AceBackup.exe
ProviderGuid
{54849625-5478-4994-A5BA-3E3B0328C30D}
RecordNumber
346352011
Severity
INFO
SeverityValue
2
SourceModuleName
in
SourceModuleType
im_msvistalog
SourceName
Microsoft-Windows-Security-Auditing
SubjectDomainName
SAS
SubjectLogonId
0x4d8d86
SubjectUserName
administrator
SubjectUserSid
S-1-5-21-3582699469-3819540374-2698495323-500
Task
12812
ThreadID
608
Version
1
full_message
An attempt was made to access an object.

Subject:
Security ID: S-1-5-21-3582699469-3819540374-2698495323-500
Account Name: administrator
Account Domain: SAS
Logon ID: 0x4D8D86

Object:
Object Server: Security
Object Type: File
Object Name: I:\ACE Backup\BCK7\Archives_nsd_F\Mar1-Mar18\june\12
Handle ID: 0xa70
Resource Attributes:

Process Information:
Process ID: 0xa3c
Process Name: C:\Program Files (x86)\AceBIT\AceBackup 3\AceBackup.exe

Access Request Information:
Accesses: ReadData (or ListDirectory)

Access Mask:		0x1

level
6
message
An attempt was made to access an object.

Subject:
Security
source
WIN-SAS
timestamp
2021-09-03 11:32:42.000 +05:30
```

I tested the grok extractor online using this site https://grokdebug.herokuapp.com/ and also https://www.javainuse.com/grok (both websites tested).

I get output like this:

```json
{
  "messageTitle": ["An attempt was made to access an object."],
  "subjectHeader": ["Subject:"],
  "subjectSecurityIDTitle": ["Security ID:"],
  "subjectSecurityID": ["S-1-5-21-3582699469-3819540374-2698495323-1156"],
  "accountNameTitle": ["Account Name:"],
  "accountName": ["XXX"],
  "accountDomainTitle": ["Account Domain:"],
  "accountDomain": ["XXX"],
  "accountLogonGUIDTitle": ["Logon ID:"],
  "accountLogonGUID": ["0x61162CDE"],
  "ObjectHeader": ["Object:"],
  "ObjectServerTitle": ["Object Server:"],
  "ObjectServer": ["Security"],
  "ObjectTypeTitle": ["Object Type:"],
  "ObjectType": ["File"],
  "ObjectNameTitle": ["Object Name:"],
  "ObjectName": ["XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"],
  "HandleIDTitle": ["Handle ID:"],
  "Handle": ["0x27fc"],
  "objectResourceAttributesTitle": ["Resource Attributes:"],
  "ResourceAttributes": ["S:AI(RA;;;;;WD;(\"IMAGELOAD\",TU,0x0,1))"],
  "procInfoHeader": ["Process Information:"],
  "processIDTitle": ["Process ID:"],
  "processID": ["0x4"],
  "processNameTitle": ["Process Name:"],
  "processName": [""],
  "accessInfoHeader": ["Access Request Information:"],
  "accessesTitle": ["Accesses:"],
  "accesses": ["ReadAttributes"],
  "accessMaskTitle": [""],
  "accessmask": [""]
}
```

but in Graylog I am not able to extract.

Graylog version 4.1.0

Extract the full_message log into fields, e.g. account name, domain, accesses, object, to audit Event ID 4663 Windows logs.

Try to debug the grok pattern under System - Grok patterns - Edit and test with sample data.

Maybe the problem is with tabulators and the \t pattern; try replacing it with the spaces pattern \s+.
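To make the tab-versus-whitespace point concrete, here is an added Python example (not from the thread, and not Graylog's own code) that parses the 4663 full_message posted above with a regex equivalent of the grok approach. It assumes the tabs that Windows puts between label and value (collapsed by the forum rendering) are restored, and the output field names are my own choice.

```python
import re

# 4663 full_message as posted in this thread. Windows separates label and
# value with tabs, which the forum rendering collapsed; the tabs are
# restored here (an assumption about the original event text).
SAMPLE_4663 = (
    "An attempt was made to access an object.\n\nSubject:\n"
    "\tSecurity ID:\t\tS-1-5-21-3582699469-3819540374-2698495323-500\n"
    "\tAccount Name:\t\tadministrator\n\tAccount Domain:\t\tSAS\n"
    "\tLogon ID:\t\t0x4D8D86\n\nObject:\n\tObject Server:\t\tSecurity\n"
    "\tObject Type:\t\tFile\n"
    "\tObject Name:\t\tI:\\ACE Backup\\BCK7\\Archives_nsd_F\\Mar1-Mar18\\june\\12\n"
    "\tHandle ID:\t\t0xa70\n\tResource Attributes:\t\n\nProcess Information:\n"
    "\tProcess ID:\t\t0xa3c\n"
    "\tProcess Name:\t\tC:\\Program Files (x86)\\AceBIT\\AceBackup 3\\AceBackup.exe\n"
    "\nAccess Request Information:\n\tAccesses:\t\tReadData (or ListDirectory)\n"
    "\t\t\t\t\n\tAccess Mask:\t\t0x1\n"
)

# Event label -> field name to create in Graylog (names chosen for this example).
FIELDS = {
    "Security ID": "subject_sid", "Account Name": "subject_user",
    "Account Domain": "subject_domain", "Logon ID": "subject_logon_id",
    "Object Server": "object_server", "Object Type": "object_type",
    "Object Name": "object_name", "Handle ID": "handle_id",
    "Process ID": "process_id", "Process Name": "process_name",
    "Accesses": "accesses", "Access Mask": "access_mask",
}

def parse_4663(message, separator=r"[ \t]*"):
    # `separator` sits between the label's colon and the value, where the grok
    # pattern in the thread uses \t. Horizontal whitespace is used instead of
    # \s+ so an empty value (Resource Attributes) can never swallow the next
    # line. Each label is matched on its own line (re.MULTILINE), so a missing
    # line does not derail the fields after it the way one long grok does.
    fields = {}
    for label, name in FIELDS.items():
        pattern = rf"^[ \t]*{re.escape(label)}:{separator}(?P<value>[^\r\n]*?)[ \t]*$"
        match = re.search(pattern, message, re.MULTILINE)
        if match:
            fields[name] = match.group("value")
    return fields

# What the thread is seeing: a pattern hard-wired to tabs (\t+) finds nothing
# once the separators arrive as spaces, while the whitespace form matches both.
SPACED_4663 = SAMPLE_4663.replace("\t", "    ")
```

Calling `parse_4663(SPACED_4663, separator=r"\t+")` returns an empty dict, while `parse_4663(SPACED_4663)` yields the same twelve fields as the tabbed event.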

Thanks for your reply. I will try replacing \t with \s+.

Is this the only EventID you're having issues with? Instead of grokking everything, consider Winlogbeat and then using a Beats input.

Just a thought.


@cawfehman - I was just going to put that in! :stuck_out_tongue:

Winlogbeat extracts before sending (set the Graylog input to be of type Beats). Also make sure, at the bottom of the input configuration, to select "Do not add Beats Type as Prefix"; the prefix makes the field names longer than they need to be, and you can add what you need back in via a pipeline.


EDIT: Installing Sidecar on your Windows machine (- instructions here - ) installs Beats.


Thanks for the support.

It worked for me.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.