Microsoft Windows

Owned by Omry Koschitzky
Last updated: Jun 26, 2022 by Noga Aviram (Unlicensed)
2 min read

Background

The Microsoft Windows Servers logs analysis App automatically Collect - Read - Parse - Analyzes - Reports all machine generated log data of the server and presents a comprehensive set of graphs and reports to analyze machine generated data. Use a predefined set of dashboards and widgets to  visualize and address the system software, code written, and infrastructure during development, testing, and production. This Windows logs analysis App helps measure, troubleshoot, and optimize your servers integrity, stability and quality with the several visualization and investigation dashboards.

Steps:

  1. The Microsoft Windows App is running on Application, Security and System standard event logs (*.evtx).
    When adding/editing the logs to XpoLog it is mandatory to apply the correct log type(s) to each of the logs:
    1. windows - all logs that the application will analyze must have windows as a log type.
    2. application - only the Application log must also be configured to have application as a log type.
    3. security - only the Security log must also be configured to have security as a log type.
    4. system - only the System log must also be configured to have system as a log type.
    5. taskscheduler - only the Task Scheduler log must also be configured to have taskscheduler as a log type.
    .
  2. Once the required information is set, on each log click next and edit the log pattern, this step is crucial to the accuracy and deployment of the Microsoft Windows App. Use the following patterns for each of the logs:
    1. Windows Application event log:
      {priority:Type,ftype=type,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}{regexp:Account Name,refName=Description;ftype=account name,Account Name:\s+(\S+).*}{regexp:Account Domain,refName=Description;ftype=domain,Account Domain:\s+(\S+).*}*;*{text:Source,ftype=source}*;*{text:Category,ftype=category}*;*{number:Event,ftype=event}*;*{text:User,ftype=user}*;*{text:Computer,ftype=computer}*;*{string:Description,ftype=description}
    2. Windows Security event log:
      {priority:Type,ftype=type,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}{regexp:Account Name,refName=Description;ftype=account name,Account Name:\s+(\S+).*}{regexp:Account Domain,refName=Description;ftype=domain,Account Domain:\s+(\S+).*}*;*{text:Source,ftype=source}*;*{text:Category,ftype=category}*;*{number:Event,ftype=event}{map:Event Description,ftype=event description;refIndex=6,file:knowledge/repository/system/win/map/winEventsMap.prop}{map:Category Description,ftype=category description;refIndex=6,file:knowledge/repository/system/win/map/winEventsCategoryMap.prop}{map:Sub Category,ftype=sub category;refIndex=6,file:knowledge/repository/system/win/map/winEventsSubCategoryMap.prop}*;*{text:User,ftype=user}{regexp:Logon ID,refName=description;ftype=logon id,Logon ID:\s+(\S+).*}*;*{text:Computer,ftype=computer}*;*{regexp:Group Name,ftype=usergroup;refName=Description,Group Name:\s([^\n]+).*}{regexp:Object Name,ftype=object;refName=Description,(New Account:.*Account Name:\s+|Target Account:.*\tAccount Name:\s+|New Computer Account:.*Account Name:\s+|Target Computer:.*Account Name:\s+|Computer Account That Was Changed:.*\tAccount Name:\s+|Member:.*Account Name:\s+CN=|Member:.*Account Name:\s+cn=|New Logon:.*\tAccount Name:\s|Member:.*Account Name:\s|Account That Was Locked Out:.*\tAccount Name:\s|Account Whose Credentials Were Used:.*\tAccount Name:\s)[XPLG_PARAM([^\n,]+)]}{regexp:Source Address,ftype=sourceip;refName=Description,\tSource Address:\s([^\n]+)}{regexp:Destination Address,ftype=targetip;refName=Description,\tDestination Address:\s([^\n]+)}{string:Description,ftype=description}
    3. Windows System event log:
      {priority:Type,ftype=type,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}{regexp:Account Name,refName=Description;ftype=account name,Account Name:\s+(\S+).*}{regexp:Account Domain,refName=Description;ftype=domain,Account Domain:\s+(\S+).*}*;*{text:Source,ftype=source}*;*{text:Category,ftype=category}*;*{number:Event,ftype=event}*;*{text:User,ftype=user}*;*{text:Computer,ftype=computer}*;*{string:Description,ftype=description}
    4. Windows Task Scheduler event log:
      {priority:Type,ftype=type,Error;Warning;Information;Success;Audit Failure;Audit Success}*;*{timestamp:Date,MM/dd/yyyy HH:mm:ss}*;*{text:Source,ftype=source}*;*{text:Category,ftype=category}*;*{number:Event,ftype=event}{map:Event Description,ftype=event description;refIndex=4,file:knowledge/repository/system/win/map/TaskSchedulerMap.prop}{map:Category Description,ftype=category description;refIndex=3,file:knowledge/repository/system/win/map/TaskSchedulerCategoryMap.prop}{map:Sub Category,ftype=sub category;refIndex=3,file:knowledge/repository/system/win/map/TaskSchedulerSubCategoryMap.prop}*;*{text:User,ftype=user}*;*{text:Computer,ftype=computer}*;*{string:Description,ftype=description}{regexp:ID,refName=Description,\n.*\n([^\u0028]+).*}