Striim 3.9.6 documentation

Windows Event Log Reader

Use with the Forwarding Agent (Using the Striim Forwarding Agent) to read Windows event logs.

property

type

default value

notes

eofDelay

java.lang.Integer

1000

milliseconds to wait after reaching the end of a file before starting the next read operation

eventSourceName

java.lang.String

Security

  • the log to read

  • other supported values are  Application and System

  • you may also specify any custom log name 

includeEventIDList

java.lang.String

*

specify a comma-separated list of eventIDs to output only those events, or use default value to output all events

startEventRecordNumber

java.lang.Integer

-1

  • the recordNumber from which to begin reading the log

  • with the default value, reads new events only 

  • set to 1 to read the entire log

This adapter uses Microsoft's OpenEventLog function so returns only data provided by that function. In some cases this may not include all the fields displayed in the Event Log UI.

The following example reads only Security log events with EventID 4625 (logon failures):

CREATE SOURCE WindowsLogSource USING WindowsEventLogReader(
   includeEventIDList:'4625'
)
OUTPUT TO SecurityLogStream;

The data type for the output is WindowsLogEvent, which contains a single single field, data, an array containing the events' fields. The first nine fields are always the same and are selected using data.<field name> (as shown in the example below):

field name

type

sample value

sourceName

string

Microsoft-Windows-Security-Auditing

computerName

string

wsrv2012-00

userSid

string

recordNumber

long

1138

timeGenerated

DateTime

1400798337

timeWritten

DateTime

1400798337

eventID

long

4625

eventType

long

16

eventCategory

long

12544

The remaining fields are selected using data.stringPayload[#] (as shown in the example below). How many fields there are and what they contain vary depending on the EventID. For example, for Windows 2012 Security Log EventID 4625:

#

field name

sample value

0

SubjectUserSid

S-1-5-18

1

SubjectUserName

WSRV2012-00$

2

SubjectDomainName

WORKGROUP

3

SubjectLogonId

0x3e7

4

TargetUserSid

S-1-0-0

5

TargetUserName

Administrator

6

TargetDomainName

WSRV2012-00

7

Status

0xc000006d

8

FailureReason

%%2313

9

SubStatus

0xc000006a

10

LogonType

7

11

LogonProcessName

User32

12

AuthenticationPackageName

Negotiate

13

WorkstationName

WSRV2012-00

14

TransmittedServices

15

LmPackageName

16

KeyLength

0

17

ProcessId

0x738

18

ProcessName

C:\Windows\System32\winlogon.exe

19

IpAddress

10.1.10.180

20

IpPort

0

The following example creates a stream FailedLoginStream containing all the fields for Windows 2012 Security Log events with EventID 4625 ("an account failed to log on"). See Using the Striim Forwarding Agent for an explanation of the DEPLOY statement.

CREATE APPLICATION EventId4625;

CREATE FLOW agentFlow;

CREATE SOURCE WindowsEventLogReaderSource USING WindowsEventLogReader ( 
  includeEventIDList: '4625',
  eventSourceName: 'Security'
 ) 
OUTPUT TO rawLog;

END FLOW agentFlow;

CREATE FLOW serverFlow;

CREATE TYPE WindowsSecurityLogType(	
  sourceName String,
  computerName String,
  userSid String,
  recordNumber long,
  timeGenerated DateTime,
  timeWritten DateTime,
  eventID long,
  eventType long,
  eventCategory long,
  SubjectUserSid String,
  SubjectUserName String,
  SubjectDomainName String,
  SubjectLogonId String,
  TargetUserSid String,
  TargetUserName String,
  TargetDomainName String,
  Status String,
  FailureReason String,
  SubStatus String,
  LogonType String,
  LogonProcessName String,
  AuthenticationPackageName String,
  WorkstationName String,
  TransmittedServices String,
  LmPackageName String,
  KeyLength String,
  ProcessId String,
  ProcessName String,
  IpAddress String,
  IpPort String
);
CREATE STREAM FailedLogonStream OF WindowsSecurityLogType;

CREATE CQ MappingCQ 
INSERT INTO FailedLogonStream
SELECT 
  data.sourceName,
  data.computerName,
  data.userSid,
  data.recordNumber,
  data.timeGenerated,
  data.timeWritten,
  data.eventID,
  data.eventType,
  data.eventCategory,
  data.stringPayload[0],
  data.stringPayload[1],
  data.stringPayload[2],
  data.stringPayload[3],
  data.stringPayload[4],
  data.stringPayload[5],
  data.stringPayload[6],
  data.stringPayload[7],
  data.stringPayload[8],
  data.stringPayload[9],
  data.stringPayload[10],
  data.stringPayload[11],
  data.stringPayload[12],
  data.stringPayload[13],
  data.stringPayload[14],
  data.stringPayload[15],
  data.stringPayload[16],
  data.stringPayload[17],
  data.stringPayload[18],
  data.stringPayload[19],  
  data.stringPayload[20]  
FROM rawLog;

CREATE TARGET winlogLout USING SysOut ( 
  name:winlog
 ) 
INPUT FROM FailedLogonStream;

END FLOW serverFlow;

END APPLICATION EventId4625;

DEPLOY APPLICATION EventId4625 with agentFlow in agent, serverFlow in default;

See Handling variable-length events with CQs for an example of handling multiple EventIDs.