Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds support for the computer field in Windows Eventlogs #6952

Merged
merged 5 commits into from
Feb 27, 2021
Merged

Adds support for the computer field in Windows Eventlogs #6952

merged 5 commits into from
Feb 27, 2021

Conversation

defensivedepth
Copy link
Contributor

Parses out the Computer field for Windows Eventlogs, which is important as it is the hostname of the system on which the event was originally generated.

Partially completes #6726

@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Feb 16, 2021
edited

CLA Signed

The committers are authorized under a signed CLA.

@mike-myers-tob mike-myers-tob added events Related to osquery's evented tables or eventing subsystem virtual tables Windows labels Feb 17, 2021
@mike-myers-tob
Copy link
Member

mike-myers-tob commented Feb 17, 2021
edited

To pass the code style enforcement check, you can run clang-format -i /path/to/source_code.cpp on the files you have changed previously, and then commit/push those changes.

mike-myers-tob
mike-myers-tob reviewed Feb 17, 2021
View reviewed changes
Copy link
Member

@mike-myers-tob mike-myers-tob left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes look good to me.

I built and ran on Windows 10 and it works well with some quick testing.

osqueryi.exe --disable_events=false --windows_event_channels="System,Application,Setup,Security" --enable_windows_events_publisher=true --enable_windows_events_subscriber=true

osquery> select * from windows_events LIMIT 10;

@mike-myers-tob
Copy link
Member

mike-myers-tob commented Feb 17, 2021
edited

It looks like the newly added test case is failing on the CI because certain mock event test data ("recorded events") (JSON files, here) do not have the computername field.

It should be added as DESKTOP-4AR7BIA to match the other test files (this hostname came from Alessandro's VM).

E.g. for 1.json, adding the line:

{
    "osquery_time": "1592478128",
    "datetime": "2020-06-09T18:12:25.4809506Z",
    "source": "Application",
    "provider_name": "SecurityCenter",
    "provider_guid": "",
    "event_id": "1",
    "task_id": "0",
    "level": "4",
    "keywords": "0x80000000000000",
    "data": "{\"EventData\":\"\"}",
    "computer_name": "DESKTOP-4AR7BIA"
}

To re-run just the failing test locally:

ctest -R osquery_tables_events_tests_windowseventstests-test -C RelWithDebInfo -V

@directionless directionless added this to the 4.7.0 milestone Feb 17, 2021
@directionless
Copy link
Member

It looks like the newly added test case is failing on the CI because certain mock event test data ("recorded events") (JSON files, here) do not have the computername field.

Is this an error in the test data, or is this field sometimes missing?

@mike-myers-tob
Copy link
Member

mike-myers-tob commented Feb 17, 2021
edited

It looks like the newly added test case is failing on the CI because certain mock event test data ("recorded events") (JSON files, here) do not have the computername field.

Is this an error in the test data, or is this field sometimes missing?

@alessandrogario you originally put these test files together, right? Were they manually exported from the event log selecting only certain fields?

I guess I am echoing the question @theopolis originally asked here #6280 (comment)

@mike-myers-tob
Copy link
Member

mike-myers-tob commented Feb 18, 2021
edited

@alessandrogario you originally put these test files together, right? Were they manually exported from the event log selecting only certain fields?

In a separate conversation with me he said that he exported these Windows events manually from Windows Event Viewer or possibly wevtutil as XML. Then he manually edited them, removing fields to create these test files, which he then ran through osquery to create the JSON files and manually reviewed them for correctness.

Hopefully that answers the question of why this particular field is missing.

Example:

C:\Users\mmyers\Desktop>wevtutil qe /c:1 Security
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2020-12-17T17:20:40.9473540Z'/><EventRecordID>1</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='32'/><Channel>Security</Channel><Computer>DESKTOP-FR7THQP</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x64</Data><Data Name='NewProcessName'>Registry</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x4</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>S-1-0-0</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'></Data><Data Name='MandatoryLabel'>S-1-16-16384</Data></EventData></Event>

You can see that the events normally include <Computer>DESKTOP-FR7THQP</Computer>

@defensivedepth
Copy link
Contributor Author

Should I manually add that field to the test files?

@mike-myers-tob
Copy link
Member

Should I manually add that field to the test files?

Yea, that's all that is needed. I manually confirmed that with a couple of them. It will unfortunately be a little tedious to update them all manually, but you can edit each XML file with an xmlstarlet one-liner like this:

cd ./osquery/tables/events/tests/windows/data/windows_events
xmlstarlet edit -L --subnode "/Event/System" -t elem -n "Computer" -v "DESKTOP-4AR7BIA" ./input/Application/1.xml

and then each JSON file with jq like this:

jq '. += {"computer_name": "DESKTOP-4AR7BIA"}' ./output/Application/1.json

Except jq can't edit the file in-place so you have to append that with, like, > JSON.tmp && mv JSON.tmp ./output/Application/1.json

@defensivedepth
Copy link
Contributor Author

not a problem, will get it done and submitted. Thanks for the guidance!

@defensivedepth defensivedepth requested a review from a team as a code owner February 26, 2021 18:46
@mike-myers-tob
Copy link
Member

mike-myers-tob commented Feb 26, 2021
edited

Looks like that JSON parsing test is having a problem still

https://github.com/osquery/osquery/pull/6952/checks?check_run_id=1989915214#step:17:2239

Did too much get appended to this one? osquery/tables/events/tests/windows/data/windows_events/output/Application/1.json

@defensivedepth
Copy link
Contributor Author

My mistake, I pushed to the wrong branch. Still cleaning up the test files.

@defensivedepth
Copy link
Contributor Author

Local tests are now passing. I had to edit a few of the source test files as they had different hostnames - normalized them all to DESKTOP-4AR7BIA

@defensivedepth
Copy link
Contributor Author

defensivedepth commented Feb 26, 2021
edited

For those who may need to bulk edit these test source files in the future (Will need to tweak for your use case):

(Thanks to @mike-myers-tob for getting me started on figuring this out)

XML: xmlstarlet edit -L --subnode "/Event/System" -t elem -n "Computer" -v "DESKTOP-4AR7BIA" ./input/*/*.xml

JSON: for f in output/*/*.json; do jq '. += {"computer_name": "DESKTOP-4AR7BIA"}' ${f} | sponge ${f}; done;

@theopolis theopolis merged commit 77361f1 into osquery:master Feb 27, 2021
aikuchin pushed a commit to aikuchin/osquery that referenced this pull request Jul 11, 2023
@mogrein
Merge pull request osquery#15 in CLOUD/osquery from sync/osquery-4.7.…
f3dc598 
…0 to master

* commit '943935789dbfb03b55db1471ed1595e1fd4ffe23': (119 commits)
  seccomp migrations
  Add 4.7.0 CHANGELOG (osquery#6985)
  ATC fails because journal_mode pragma is blocked by sqlite authorizer (osquery#6999)
  Always use BIGINT macro for 'long long' data (osquery#6986)
  chrome_extensions: Refactor the table, add tests (osquery#6780)
  Remove extraneous lenses directory for augues on macOS (osquery#6998)
  Update the info about macOS CI (osquery#6988)
  Make Group ID columns consistent across Windows tables (osquery#6987)
  Fix mem leak regression with Windows' sids API (osquery#6984)
  Fix error in process_open_files around stoi vs stoul (osquery#6983)
  Remove hash and yara table from fuzz harnesses (osquery#6972)
  Augeas Table: Don't autoload system lenses (osquery#6980)
  Augeas Table: Fix output bug (osquery#6981)
  Add concat and concat_ws functions (osquery#6927)
  Copy JSON objects to avoid MemoryPool buildup (osquery#6957)
  Fix CODEOWNERS syntax to allow committers and TSC (osquery#6975)
  augeas: Clear aug pointer on error (osquery#6973)
  Adds support for the computer field in Windows Eventlogs (osquery#6952)
  Add Shellbags table (osquery#6949)
  Implementation of VM metadata table for Yandex.Cloud (osquery#6961)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@theopolis theopolis theopolis approved these changes

@mike-myers-tob mike-myers-tob mike-myers-tob approved these changes

Assignees
No one assigned
Labels
events Related to osquery's evented tables or eventing subsystem virtual tables Windows
Projects
None yet
Milestone
4.7.0
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@defensivedepth @mike-myers-tob @directionless @theopolis