Windows Event Log Reader
Use with the Forwarding Agent (Using the Striim Forwarding Agent) to read Windows event logs.
Windows Event Log Reader properties
property | type | default value | notes |
---|---|---|---|
EOF Delay | Integer | 1000 | milliseconds to wait after reaching the end of a file before starting the next read operation |
Event Source Name | String | | |
Include Event ID List | String | * | specify a comma-separated list of event IDs to output only those events, or use the default value to output all events |
Start Event Record Number | Integer | -1 | |
This adapter uses Microsoft's OpenEventLog function, so it returns only the data that function provides. In some cases this may not include all the fields displayed in the Event Log UI.
Windows Event Log Reader examples
The following example reads only Security log events with EventID 4625 (logon failures):
```
CREATE SOURCE WindowsLogSource USING WindowsEventLogReader (
  includeEventIDList: '4625'
) OUTPUT TO SecurityLogStream;
```
The output data type is WindowsLogEvent, which contains a single field, data, an array containing the event's fields. The first nine fields are always the same and are selected using data.<field name> (as shown in the example below):
field name | type | sample value |
---|---|---|
sourceName | string | Microsoft-Windows-Security-Auditing |
computerName | string | wsrv2012-00 |
userSid | string | |
recordNumber | long | 1138 |
timeGenerated | DateTime | 1400798337 |
timeWritten | DateTime | 1400798337 |
eventID | long | 4625 |
eventType | long | 16 |
eventCategory | long | 12544 |
The remaining fields are selected using data.stringPayload[#] (as shown in the example below). How many fields there are and what they contain vary depending on the EventID. For example, for Windows 2012 Security Log EventID 4625:
# | field name | sample value |
---|---|---|
0 | SubjectUserSid | S-1-5-18 |
1 | SubjectUserName | WSRV2012-00$ |
2 | SubjectDomainName | WORKGROUP |
3 | SubjectLogonId | 0x3e7 |
4 | TargetUserSid | S-1-0-0 |
5 | TargetUserName | Administrator |
6 | TargetDomainName | WSRV2012-00 |
7 | Status | 0xc000006d |
8 | FailureReason | %%2313 |
9 | SubStatus | 0xc000006a |
10 | LogonType | 7 |
11 | LogonProcessName | User32 |
12 | AuthenticationPackageName | Negotiate |
13 | WorkstationName | WSRV2012-00 |
14 | TransmittedServices | |
15 | LmPackageName | |
16 | KeyLength | 0 |
17 | ProcessId | 0x738 |
18 | ProcessName | C:\Windows\System32\winlogon.exe |
19 | IpAddress | 10.1.10.180 |
20 | IpPort | 0 |
The following example creates a stream FailedLogonStream containing all the fields for Windows 2012 Security Log events with EventID 4625 ("an account failed to log on"). See Using the Striim Forwarding Agent for an explanation of the DEPLOY statement.
```
CREATE APPLICATION EventId4625;

CREATE FLOW agentFlow;
CREATE SOURCE WindowsEventLogReaderSource USING WindowsEventLogReader (
  includeEventIDList: '4625',
  eventSourceName: 'Security'
) OUTPUT TO rawLog;
END FLOW agentFlow;

CREATE FLOW serverFlow;
CREATE TYPE WindowsSecurityLogType (
  sourceName String,
  computerName String,
  userSid String,
  recordNumber long,
  timeGenerated DateTime,
  timeWritten DateTime,
  eventID long,
  eventType long,
  eventCategory long,
  SubjectUserSid String,
  SubjectUserName String,
  SubjectDomainName String,
  SubjectLogonId String,
  TargetUserSid String,
  TargetUserName String,
  TargetDomainName String,
  Status String,
  FailureReason String,
  SubStatus String,
  LogonType String,
  LogonProcessName String,
  AuthenticationPackageName String,
  WorkstationName String,
  TransmittedServices String,
  LmPackageName String,
  KeyLength String,
  ProcessId String,
  ProcessName String,
  IpAddress String,
  IpPort String
);
CREATE STREAM FailedLogonStream OF WindowsSecurityLogType;
CREATE CQ MappingCQ
INSERT INTO FailedLogonStream
SELECT data.sourceName, data.computerName, data.userSid, data.recordNumber,
  data.timeGenerated, data.timeWritten, data.eventID, data.eventType, data.eventCategory,
  data.stringPayload[0], data.stringPayload[1], data.stringPayload[2], data.stringPayload[3],
  data.stringPayload[4], data.stringPayload[5], data.stringPayload[6], data.stringPayload[7],
  data.stringPayload[8], data.stringPayload[9], data.stringPayload[10], data.stringPayload[11],
  data.stringPayload[12], data.stringPayload[13], data.stringPayload[14], data.stringPayload[15],
  data.stringPayload[16], data.stringPayload[17], data.stringPayload[18], data.stringPayload[19],
  data.stringPayload[20]
FROM rawLog;
CREATE TARGET winlogLout USING SysOut ( name:winlog ) INPUT FROM FailedLogonStream;
END FLOW serverFlow;

END APPLICATION EventId4625;

DEPLOY APPLICATION EventId4625 with agentFlow in agent, serverFlow in default;
```
See Handling variable-length events with CQs for an example of handling multiple EventIDs.
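The following Python script is an added illustration, not Striim code, of what the Include Event ID List property and the MappingCQ above do with a WindowsLogEvent: it models each event as a dict holding the nine fixed fields plus a stringPayload list (an assumed in-memory shape, mirroring data.<field name> and data.stringPayload[#]), applies the EventID 4625 positional layout from the table above, and, unlike the fixed-index CQ, tolerates a payload shorter than 21 entries instead of failing on a bad index. The sample events are constructed from the sample values in the tables; the per-source failure count at the end is a small defender-side aggregation that the page itself does not perform.

```python
"""Added example: host-side model of WindowsEventLogReader output for EventID 4625.

Assumed event shape (not Striim's API): a dict with the nine fixed fields from the
WindowsLogEvent table plus a "stringPayload" list, the same positions MappingCQ indexes.
"""
from typing import Dict, Iterable, List, Optional

# Positional layout of stringPayload for Windows 2012 Security EventID 4625 (from the table above).
PAYLOAD_4625: List[str] = [
    "SubjectUserSid", "SubjectUserName", "SubjectDomainName", "SubjectLogonId",
    "TargetUserSid", "TargetUserName", "TargetDomainName", "Status",
    "FailureReason", "SubStatus", "LogonType", "LogonProcessName",
    "AuthenticationPackageName", "WorkstationName", "TransmittedServices",
    "LmPackageName", "KeyLength", "ProcessId", "ProcessName", "IpAddress", "IpPort",
]

# The nine fields that are always present, selected as data.<field name> in TQL.
FIXED_FIELDS: List[str] = ["sourceName", "computerName", "userSid", "recordNumber",
                           "timeGenerated", "timeWritten", "eventID", "eventType", "eventCategory"]


def parse_include_list(spec: str) -> Optional[set]:
    """Mirror the Include Event ID List property: '*' (the default) means all events,
    otherwise a comma-separated list of event IDs. None means 'no filter'."""
    spec = spec.strip()
    if spec in ("*", ""):
        return None
    return {int(x) for x in spec.split(",") if x.strip()}


def map_4625(event: dict) -> dict:
    """Flatten one 4625 event the way MappingCQ does, but fill positions missing
    from a short payload with None instead of raising IndexError."""
    payload = event["stringPayload"]
    row = {k: event[k] for k in FIXED_FIELDS}
    for i, name in enumerate(PAYLOAD_4625):
        row[name] = payload[i] if i < len(payload) else None
    return row


def failed_logons(events: Iterable[dict], include: str = "4625") -> List[dict]:
    """Apply the include-list filter, then map only 4625 events (other IDs have other layouts)."""
    wanted = parse_include_list(include)
    rows = []
    for ev in events:
        if wanted is not None and ev["eventID"] not in wanted:
            continue
        if ev["eventID"] == 4625:
            rows.append(map_4625(ev))
    return rows


def failures_by_source(rows: Iterable[dict]) -> Dict[str, int]:
    """Count failed logons per IpAddress; events with no address are grouped under '-'."""
    counts: Dict[str, int] = {}
    for r in rows:
        key = r["IpAddress"] or "-"
        counts[key] = counts.get(key, 0) + 1
    return counts


def _base(record_number: int, event_id: int) -> dict:
    # Fixed fields built from the sample values in the WindowsLogEvent table (constructed).
    return {"sourceName": "Microsoft-Windows-Security-Auditing", "computerName": "wsrv2012-00",
            "userSid": "", "recordNumber": record_number, "timeGenerated": 1400798337,
            "timeWritten": 1400798337, "eventID": event_id, "eventType": 16, "eventCategory": 12544}


# Constructed sample events: a full 4625, a 4625 whose payload stops after SubStatus, and a 4624.
SAMPLE_EVENTS: List[dict] = [
    dict(_base(1138, 4625), stringPayload=[
        "S-1-5-18", "WSRV2012-00$", "WORKGROUP", "0x3e7", "S-1-0-0", "Administrator",
        "WSRV2012-00", "0xc000006d", "%%2313", "0xc000006a", "7", "User32", "Negotiate",
        "WSRV2012-00", "", "", "0", "0x738", "C:\\Windows\\System32\\winlogon.exe",
        "10.1.10.180", "0"]),
    dict(_base(1139, 4625), stringPayload=[
        "S-1-5-18", "WSRV2012-00$", "WORKGROUP", "0x3e7", "S-1-0-0", "svc-backup",
        "WSRV2012-00", "0xc000006d", "%%2313", "0xc000006a"]),
    dict(_base(1140, 4624), stringPayload=["S-1-5-18", "SYSTEM", "NT AUTHORITY"]),
]

if __name__ == "__main__":
    mapped = failed_logons(SAMPLE_EVENTS)
    for r in mapped:
        print(r["recordNumber"], r["TargetUserName"], r["Status"], r["IpAddress"])
    print(failures_by_source(mapped))
```

The second sample event shows why a fixed `data.stringPayload[20]` projection is fragile across event versions and IDs: here the short payload yields None for IpAddress rather than an error, which is the behaviour you want before the data reaches a detection rule.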