
0 Votes
AnishJain-8644 asked, AnishJain-8644 edited

Ambiguity in Windows XML Event Logs

Hi Team,

We are working on extracting keys and values from XML event logs for some data analytics applications. While working on designing the parser we came across a different behavior that is causing an issue defining the rules for the parser.

Consider an example event below:

<Event xmlns='http://xyz.pqr.abc/win/2004/08/events/event'>
  <System>
    <TimeCreated SystemTime='2021-03-11 10:06:17Z' />
  </System>
  <EventData>
    <Data Name='WorkstationName'></Data>
    <Data Name='TransmittedServices'>dummyvalue</Data>
  </EventData>
</Event>

I have removed other irrelevant fields from the above event.

So what we expect is

Expected: Event.System.TimeCreated.SystemTime = 2021-03-11 10:06:17Z
Actual: Event.System.TimeCreated.SystemTime = 2021-03-11 10:06:17Z

and for (ambiguity is present here)

Expected: EventData.Data.Name.WorkstationName = <empty value>
Actual: EventData.Data.Name = WorkstationName

and for

Expected: EventData.Data.Name.TransmittedServices = dummyvalue
Actual: EventData.Data.Name.TransmittedServices = dummyvalue (since it has value)

But if we define a specific rule then this would not result in what we want, as you can see above.

Is there any way that can help us resolve this issue, or any Windows document which defines the rules for the format of the event?

Please suggest if there is some way to move ahead here.

Thank You

windows-server-2019

@AnishJain-8644,

It is not clear what technology you are using to query Windows XML Event Logs.
Please add it to your question.

0 Votes 0 ·

@YitzhakKhabinsky-0887

Actually, it's a third-party data analytics tool, which collects the data. But the medium seems irrelevant since the exact logs in event viewer in XML format are received.

0 Votes 0 ·

1 Answer

1 Vote
LimitlessTechnology-2700 answered, AnishJain-8644 edited

Hello,

Thank you for your question.

As far as I know, you can create a custom Query or View using XPath to fetch the event viewer data.

Please have a look at the Microsoft articles below, which may help you further.

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata

https://devblogs.microsoft.com/scripting/data-mine-the-windows-event-log-by-using-powershell-and-xml/

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761


If the reply was helpful, please don’t forget to upvote or accept as answer.


@LimitlessTechnology-2700

Thanks a lot for your input, but the issue here is that we will be providing an application to the users, and we expect our application to work in the default configuration; we don't want to have any additional configuration. So we will get the logs in the default format, and we need to have our parser handle this scenario.

So for example, if we have one rule then it will have ambiguity for these two lines in the log (refer to the XML above):

Expected: Event.System.TimeCreated.SystemTime = 2021-03-11 10:06:17Z
Actual: Event.System.TimeCreated.SystemTime = 2021-03-11 10:06:17Z

and for (ambiguity is present here)

Expected: EventData.Data.Name.WorkstationName = <empty value>
Actual: EventData.Data.Name = WorkstationName

0 Votes 0 ·

Hello,

Thank you for the response.

As per my experience there is no way you can change this built-in behavior and I think you need to handle it programmatically.

0 Votes 0 ·

@LimitlessTechnology-2700
Yes, correct, this needs to be handled programmatically, but we are figuring out the best way to handle this. As in, if I can be sure that tags that have no </> closing tag will not contain any data within the tag except attributes, or maybe that the tags within EventData with Data Name, which have a specific closing tag, may contain an empty value as well as data.

0 Votes 0 ·
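An added example (not part of the thread, and not the asker's third-party tool) showing one way to settle the rule discussed in the question and in the last comment above. It flattens the sample event from the question into dotted keys with the convention: attributes become `<path>.<attr>`, an EventData/Data element is keyed by its Name attribute, and the Data element's text is its value, with an empty element yielding an empty string. It also shows that `<Data Name='x'></Data>` and `<Data Name='x'/>` are indistinguishable once parsed, so "has a closing tag" is not a usable rule; the presence of the Name attribute is. The namespace URI is the placeholder from the question, not the real Windows event schema URI, and the second sample event is constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample, copied from the event in the question (placeholder namespace).
SAMPLE_EVENT = """<Event xmlns='http://xyz.pqr.abc/win/2004/08/events/event'>
  <System>
    <TimeCreated SystemTime='2021-03-11 10:06:17Z' />
  </System>
  <EventData>
    <Data Name='WorkstationName'></Data>
    <Data Name='TransmittedServices'>dummyvalue</Data>
  </EventData>
</Event>"""

# Constructed variant: the empty Data element written self-closing instead of
# with an explicit closing tag.
SELF_CLOSING_EVENT = SAMPLE_EVENT.replace(
    "<Data Name='WorkstationName'></Data>", "<Data Name='WorkstationName'/>")


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit('}', 1)[-1]


def flatten_event(xml_text):
    """Flatten one Windows XML event into a dict of dotted keys.

    Rules used here (a convention chosen for this example):
      * every attribute becomes  <path>.<attr> = value
      * an EventData/Data element with a Name attribute becomes
        <path>.Name.<Name value> = text, where empty text yields ''
      * a Data element without Name (classic providers emit these) is
        numbered by its position so sibling values do not overwrite each other
      * any other element whose text is non-empty becomes <path> = text
    """
    root = ET.fromstring(xml_text)
    out = {}

    def walk(elem, path, idx):
        name = local_name(elem.tag)
        here = f"{path}.{name}" if path else name
        text = (elem.text or '').strip()

        if name == 'Data':
            name_attr = elem.attrib.get('Name')
            key = f"{here}.Name.{name_attr}" if name_attr is not None else f"{here}[{idx}]"
            out[key] = text          # '' for an empty element, whichever way it was spelled
            return

        for attr, value in elem.attrib.items():
            out[f"{here}.{attr}"] = value
        if text:
            out[here] = text
        for child_idx, child in enumerate(elem):
            walk(child, here, child_idx)

    walk(root, '', 0)
    return out


def empty_data_spellings_agree():
    """True when the explicit-close and self-closing forms flatten identically."""
    return flatten_event(SAMPLE_EVENT) == flatten_event(SELF_CLOSING_EVENT)


if __name__ == '__main__':
    for key, value in flatten_event(SAMPLE_EVENT).items():
        print(f"{key} = {value!r}")
    print("self-closing form parses the same:", empty_data_spellings_agree())
```

The keys carry the full `Event.` prefix for consistency (the question writes `EventData.Data.Name.WorkstationName` without it). Because the XML parser never reports whether an element was written with a separate closing tag, the parser above keys on the `Name` attribute rather than on the tag syntax, which is the distinction the last comment was reaching for.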