log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

winevt-rc based formatting not working properly #3520

Closed ctmayhew closed 3 years ago

ctmayhew commented 3 years ago

Description of problem:

I am not getting the Plaso message formatting to work properly (https://plaso.readthedocs.io/en/latest/sources/user/Output-and-formatting.html#message-formatting). I have tried using the winevt-rc.db provided by this repo and also generated my own but I don't see any formatted strings. The source data is a standard security.evtx event log. In this example the message field is not being formatted and just outputs the strings. I have also tried it against the Microsoft-Windows-TerminalServices-LocalSessionManager event log.

When I open the sqlite database (both the one provided in this repo and the one I created myself) I can see that the strings are located inside both - it's just not showing up in the output. I have also checked the language and that matches up with the database.

Maybe I am doing something completely wrong here?

Command line and arguments:

```
psort.py -o dynamic --fields message -w /tmp/output.tsv /tmp/sec.plaso
```

Plaso version:

version 20210213

OS

Linux ubuntu 5.8.0-44-generic #50~20.04.1-Ubuntu SMP Wed Feb 10 21:07:30 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Installation method:

installed from [GiFT PPA](https://launchpad.net/~gift) stable track

joachimmetz commented 3 years ago

I'll have a look when time permits, this is the last write-up: https://osdfir.blogspot.com/2015/04/windows-event-log-message-strings.html

There is still work pending to integrate this better into Plaso https://github.com/log2timeline/plaso/issues/636

ctmayhew commented 3 years ago

Thanks! Yes that is the guide that I followed to generate my own db.

aepton commented 3 years ago

One issue with how message strings are generated for .evtx files seems to be that there are at least 2 different ways to construct a message string (as documented by libevtx here). But I think the winevtx.py parser only uses one method.

If an event ID looks like this:

```xml
<EventID Qualifiers="16384">7036</EventID>
```

then the libevtx docs say to generate the message string using the Qualifiers.

That's what happens in winevtx.py - _GetEventDataFromRecord() generates the event_data.message_identifier value from the Qualifiers, and then in formatting_helper.py there's a check: a windows_event_message will be generated iff message_identifier is truthy.

The libevtx docs say another way to generate the message string is to use the GUID for records that look like this:

```xml
<Provider Name="Microsoft-Windows-UAC"
          Guid="{E7558269-3FA5-46ED-9F4D-3C6E282DDE55}"/>
<EventID>1</EventID>
```

but a decent workaround seems to be to just use the event_identifier itself. So the following change to plaso/output/formatting_helper.py, line 367, seems to return decent results:

```python
event_identifier = getattr(event_data, 'event_identifier', None)
if event_identifier and not message_identifier:
    message_identifier = event_identifier
```

I imagine there are some limits to this approach, so it might be better to do the GUID lookup as well/instead. And the libevtx docs seem to suggest there are 1-2 other ways to generate message strings for other log types, but I'm not sure how common those are.

joachimmetz commented 3 years ago

@aepton thx for the comment. To be verbose, the GUID is related to the message provider, not to the message identifier. The reason for not using the GUID is that pre-Vista it is not present.

The winevtx parser should set message_identifier, which are equivalent if the qualifiers are not set. I'll make some changes.
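As an added illustration of the two identifier paths discussed in the two comments above (this is example code, not plaso's winevtx parser or either commenter's change): the Qualifiers value, when present, forms the upper 16 bits of the message identifier, and without Qualifiers the message identifier equals the EventID. The two records, the message table and the message strings are constructed for the demo; the real winevt-rc database is not used.

```python
import re
import xml.etree.ElementTree as ET

# Constructed records shaped like the two snippets quoted above; EventData is invented.
LEGACY_RECORD = """<Event><System>
  <Provider Name="Service Control Manager"/>
  <EventID Qualifiers="16384">7036</EventID>
</System><EventData><Data>Windows Update</Data><Data>running</Data></EventData></Event>"""

CRIMSON_RECORD = """<Event><System>
  <Provider Name="Microsoft-Windows-UAC" Guid="{E7558269-3FA5-46ED-9F4D-3C6E282DDE55}"/>
  <EventID>1</EventID>
</System><EventData><Data>Constructed value</Data></EventData></Event>"""

# Constructed stand-in for a per-provider message table (keyed by provider name and
# message identifier); the templates are invented, not real Windows resource strings.
MESSAGE_TABLE = {
    ("Service Control Manager", 0x40001B7C): "The %1 service entered the %2 state.",
    ("Microsoft-Windows-UAC", 0x00000001): "UAC event with data %1.",
}


def get_message_identifier(record_xml):
    """Return (provider, message_identifier, data) for one event record XML string."""
    root = ET.fromstring(record_xml)
    provider = root.find("./System/Provider").get("Name")
    event_id_elem = root.find("./System/EventID")
    event_identifier = int(event_id_elem.text)
    qualifiers = event_id_elem.get("Qualifiers")
    if qualifiers is not None:
        # Qualifiers occupy the upper 16 bits, EventID the lower 16 bits.
        message_identifier = (int(qualifiers) << 16) | event_identifier
    else:
        # No Qualifiers: the message identifier is just the event identifier.
        message_identifier = event_identifier
    data = [element.text for element in root.findall("./EventData/Data")]
    return provider, message_identifier, data


def format_message(record_xml, table=MESSAGE_TABLE):
    """Look up the template for the record and substitute %1, %2, ... with EventData.

    Returns None when no template is known, which is what an unformatted
    message in the psort output corresponds to."""
    provider, message_identifier, data = get_message_identifier(record_xml)
    template = table.get((provider, message_identifier))
    if template is None:
        return None
    # Leave a placeholder untouched if the record carries fewer Data values than expected.
    def substitute(match):
        index = int(match.group(1)) - 1
        return data[index] if 0 <= index < len(data) else match.group(0)
    return re.sub(r"%(\d+)", substitute, template)
```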

joachimmetz commented 3 years ago

@ctmayhew can you give the changes in https://github.com/log2timeline/plaso/pull/3550 a try and see if those solve your issue (you'll need to rerun log2timeline.py).

joachimmetz commented 3 years ago

Changes merged

ctmayhew commented 3 years ago

Thanks @joachimmetz!