NetWitness Community

david_waugh · ‎2018-10-22

Hello

We have a system that writes to the application log.

I can collect other application log messages, but the particular messages written by this application are not rendered correctly.

What I can see is:

%NICWIN-4-Application_1_BLAH: Application,rn=191245 cid= eid=,Sun Oct 21 23:15:17 2018,1,BLAH,,Classic,mycomputer.mydomain.com,0,,

Here you can see that the event is truncated.

Now other application logs are displayed correctly so the collecting user is a member of the event log readers group.

If I look in the XML of the event in the Microsoft Event Viewer then it has the following fields

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>

<Channel>Application</Channel>

<Computer>mycomputer.mydoamin.com</Computer>

</System>

- <EventData>

</EventData>

</Event>

At the moment I just want to be able to see the fill message. Then I will write a parser to pick out the meta data.

Any ideas why the full message is not being collected?

This is a Windows 2016 Server, but other application log messages are being received fine.

I checked the normal reasons for truncated messages, but have hit a blank on this one. Can anyone help?

On the VLC I have put the Event Source into Verbose mode and can see the message come in correctly when I look in the VLC Logs.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="BLAH"/>
<EventID Qualifiers="0">1</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2018-05-26T23:15:13.148221600Z"/>
<EventRecordID>123724</EventRecordID>
<Channel>Application</Channel>
<Computer>mycomputer.mydomain.com</Computer>
<Security/>
</System>
<EventData>
<Data>CEF:0|BLAH|Field1|Version|OtherStuff|Process succeeded|Low|Lot of Other CEF Fields</Data>
</EventData>
<RenderingInfo Culture="en-US">
<Message/>
<Level>Information</Level>
<Task/>
<Opcode>Info</Opcode>
<Channel/>
<Provider/>
<Keywords>
<Keyword>Classic</Keyword>
</Keywords>
</RenderingInfo>
</Event>

david_waugh · ‎2018-10-29

Hi Arnab Chakraverty‌ is this likely to be possible?

ArnabChakravert · ‎2018-10-29

Hi David,

I do not have an idea on how these said messages are getting generated and how they are being published in the channel.

david_waugh · ‎2018-10-30

I managed to bodge a work around for this.

1) Set up the event source for winrm collection as normal, and confirm you are getting events in (even if they are truncated)

2) Put the event source into debug verbose mode.

3)This causes all events to be written to the /var/log/netwitness/logcollector/ log files

4) Change the size of the Log Files to 10MB. This causes them to rollover more frequently

5) Grab events out of log files and re inject them into the system

ArnabChakravert · ‎2018-10-30

Hi David,

Just being curious here, could you not directly send the CEF logs to VLC or LD 514 port from the event source itself? Why do we need a Windows Layer, as it seems to be a custom channel.

with regards

Arnab Chakraverty

david_waugh · ‎2018-10-31

Hi Arnab Chakraverty‌ that would be the ideal solution. Unfortunately the application only supports writing to the windows application log, and I don't have control over it. Sending via syslog would be so much easier!

NetWitness Community

Unable to read custom application log using Winrm