Bug 170263 - [Vista] EventLogReader creates meaningless security event log message
Summary: [Vista] EventLogReader creates meaningless security event log message
Status: CLOSED FIXED
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: TPTP.monitoring
Version: unspecified
Hardware: PC Windows Vista
Importance: P1 critical
Target Milestone: ---
Assignee: Cindy Jin CLA
QA Contact:
URL:
Whiteboard: closed460
Keywords: plan
Depends on: 182970
Blocks: 163254 170266 170268

Reported: 2007-01-11 17:15 EST by Cindy Jin CLA
Modified: 2010-06-03 15:08 EDT
CC: 4 users

See Also:


Attachments
attachment 63951: native code using new vista API (9.71 KB, application/x-zip-compressed), 2007-04-16 17:16 EDT, Cindy Jin CLA
attachment 63952: adapter files (63.67 KB, application/x-zip-compressed), 2007-04-16 17:22 EDT, Cindy Jin CLA
attachment 63953: adapter files (63.67 KB, application/x-zip-compressed), 2007-04-16 17:22 EDT, Cindy Jin CLA
attachment 63954: patch for plugin.xml and plugin.properties (4.78 KB, patch), 2007-04-16 17:25 EDT, Cindy Jin CLA
attachment 64520: adapter files, plugin.xml and plugin.properties (36.87 KB, application/x-zip-compressed), 2007-04-21 21:45 EDT, Cindy Jin CLA
attachment 64521: native code (10.71 KB, application/zip), 2007-04-21 21:49 EDT, Cindy Jin CLA
attachment 64522: ParserWrapper patch (2.62 KB, patch), 2007-04-21 22:17 EDT, Cindy Jin CLA

Description Cindy Jin CLA 2007-01-11 17:15:37 EST
When importing the security log on the Windows Vista platform, the following message is shown as the Message Text of a security event log entry in the Log view, as an example:
"S-1-5-18 SYSTEM NT AUTHORITY 0x3e7 SeAssignPrimaryTokenPrivilege  			SeTcbPrivilege  			SeSecurityPrivilege  			SeTakeOwnershipPrivilege  		SeLoadDriverPrivilege  			SeBackupPrivilege  			SeRestorePrivilege  			SeDebugPrivilege  			SeAuditPrivilege  			SeSystemEnvironmentPrivilege  		SeImpersonatePrivilege"
However, if the same log is opened in the Vista Windows security log viewer, the following message is displayed:

Description:
A logon was attempted using explicit credentials.

Subject:
	Security ID:		rnq03\build
	Account Name:		build
	Account Domain:		rnq03
	Logon ID:		0x230ba
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
	Account Name:		CindyJ
	Account Domain:		rnq03
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Target Server:
	Target Server Name:	cindyj2.torolab.ibm.com
	Additional Information:	cindyj2.torolab.ibm.com

Process Information:
	Process ID:		0x4
	Process Name:		

Network Information:
	Network Address:	-
	Port:			-

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Comment 1 Cindy Jin CLA 2007-01-12 13:41:51 EST
The wrong Windows log entry was posted in the description. Here is the correct one:
in Log view:
S-1-5-21-3120823851-2373186326-498755851-1000 build rnq03 0x142c073 SeSecurityPrivilege  			SeBackupPrivilege  			SeRestorePrivilege  			SeTakeOwnershipPrivilege  			SeDebugPrivilege  			SeSystemEnvironmentPrivilege  			SeLoadDriverPrivilege  			SeImpersonatePrivilege

in vista log viewer:

Description:
Special privileges assigned to new logon.

Subject:
	Security ID:		rnq03\build
	Account Name:		build
	Account Domain:		rnq03
	Logon ID:		0x142c073

Privileges:		SeSecurityPrivilege
			SeBackupPrivilege
			SeRestorePrivilege
			SeTakeOwnershipPrivilege
			SeDebugPrivilege
			SeSystemEnvironmentPrivilege
			SeLoadDriverPrivilege
			SeImpersonatePrivilege
Comment 2 Dave Smith CLA 2007-01-12 15:14:03 EST
Increasing the severity to critical because the message data shown in the TPTP Log View when importing the Windows Security Event log on a Vista system is almost unusable. While most of the data is included in the message it is missing the main message text and the data headers.
Comment 3 Dave Smith CLA 2007-01-12 19:02:06 EST
I have noticed this behaviour when importing a Windows Application Log file as well but on a less frequent basis.  Only a few records had unusable message fields.
Comment 4 Dave Smith CLA 2007-01-15 00:14:08 EST
Increasing priority because it needs to be fixed in order for Windows Security Event log parsing to generate useful message values.

It appears EventLogReader is not formatting the event messages.
Comment 5 Dave Smith CLA 2007-01-15 15:38:57 EST
Deferring this to 4.4 with PMC's approval.  It could not be contained in 4.2.2. Bugzilla https://bugs.eclipse.org/bugs/show_bug.cgi?id=170534 has been opened to add an entry to the 4.2 and 4.3 Release Notes for this issue.

Assigning this to Cindy to fix in iteration 1.
Comment 6 Dave Smith CLA 2007-01-17 23:06:41 EST
Added sizing.
Comment 7 Dave Smith CLA 2007-02-05 16:13:39 EST
This could not be completed in iteration 1.  Deferring to complete in iteration 2.

Cindy posted to an MSDN forum and received a reply from Microsoft ISV support recommending that the new Windows Event Log API available in Vista be used.  See  http://forums.microsoft.com/MSDN/showpost.aspx?postid=1190813&siteid=1
Comment 8 Cindy Jin CLA 2007-03-21 11:28:39 EDT
I wrote a new application, EventReader2, for the Vista platform to extract the event logs with the new Windows Event Log API. We can create new Adapters for Vista Windows events which invoke the new application EventReader2 to read the Windows event logs and fetch the properties into the temporary log file. However, EventReader2 needs to be built with Visual Studio 2005. We need to discuss this with the build team.
Comment 9 Dave Smith CLA 2007-03-21 11:51:37 EDT
Providing more information to clarify Cindy's Comment 8:

Because new Vista APIs are being used in the new converter program, it must be built on Windows Vista with MS Visual Studio 2005. Therefore a new Vista build environment needs to be set up and integrated with the TPTP build to build this native code.
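The behaviour behind Comments 4 and 7, shown with an added example that is not part of this bug or its attachments: a reader built on the old ReadEventLog/FormatMessage path gets only the event's insertion strings, while the Windows Event Log API introduced in Vista (which PowerShell's Get-WinEvent wraps: EvtQuery, EvtNext, EvtFormatMessage) returns the provider's message template with those strings substituted in. The choice of Event ID 4672 (the "Special privileges assigned to new logon" event from Comment 1), the -MaxEvents value and the elevated session are assumptions of this example, not something the bug specifies.

```powershell
# Added example (not from the TPTP bug or its attachments): contrast the raw
# insertion strings of a Security event with the fully rendered message text.
# Get-WinEvent uses the Windows Event Log API introduced in Vista (EvtQuery /
# EvtNext / EvtFormatMessage), the API the fix moved EventReader2 to.
# Run in an elevated PowerShell session: reading the Security log requires
# administrator rights or membership in the Event Log Readers group.

# Event ID 4672 = "Special privileges assigned to new logon" (see Comment 1).
# The ID and the -MaxEvents value are just the sample chosen for this example.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -MaxEvents 3

foreach ($e in $events) {
    # 1) What the old ReadEventLog-based reader effectively showed: only the
    #    insertion strings, joined together, with no template text or labels.
    $raw = ($e.Properties | ForEach-Object { $_.Value }) -join ' '

    # 2) What Event Viewer shows: the provider's message template with the
    #    insertion strings substituted in (EvtFormatMessage under the hood).
    $rendered = $e.FormatDescription()   # same text as $e.Message

    # 3) The structured view: EventData field names from the event's XML,
    #    which is the form a log parser should prefer over scraping the text.
    [xml]$xml = $e.ToXml()
    $fields = $xml.Event.EventData.Data |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.'#text' }

    "--- RecordId $($e.RecordId) at $($e.TimeCreated) ---"
    "Raw insertion strings : $raw"
    "Rendered message      :`n$rendered"
    "EventData fields      : $($fields -join '; ')"
}
```

Two things this makes visible. The tab-indented runs of privilege names in the Log View output are not a rendering defect on the reader's side: the Security provider's PrivilegeList insertion string itself contains the newlines and tabs, so any tool that prints the raw properties shows them. And since the rendered message is produced from the provider's localized message resources, a parser that needs stable field names is better served by the EventData names from ToXml() than by scraping either form of text. If no 4672 event is present, Get-WinEvent reports "No events were found that match the specified selection criteria" rather than returning an empty list.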
Comment 10 Dave Smith CLA 2007-03-23 10:43:39 EDT
This is being deferred to iteration 3 with PMC approval because it is too late to do the required build work in iteration 2.
Comment 11 Cindy Jin CLA 2007-04-16 17:16:46 EDT
Created attachment 63951 [details]
native code using new vista API
Comment 12 Cindy Jin CLA 2007-04-16 17:22:48 EDT
Created attachment 63952 [details]
adapter files
Comment 13 Cindy Jin CLA 2007-04-16 17:22:49 EDT
Created attachment 63953 [details]
adapter files
Comment 14 Cindy Jin CLA 2007-04-16 17:25:01 EDT
Created attachment 63954 [details]
patch for plugin.xml and plugin.properties
Comment 15 Cindy Jin CLA 2007-04-16 17:26:03 EDT
Updated the estimated time for creating the new adapter and testing.
Comment 16 Dave Smith CLA 2007-04-17 14:20:19 EDT
Cindy, the default adapters cannot be moved to the new directory WindowsXP because it would break backward compatibility with importing from older Agent Controllers. Please leave the existing adapters and files in their original directories. Only the Vista files should be in a new directory.
Comment 17 Dave Smith CLA 2007-04-17 14:23:15 EDT
The patch for plugin.xml contains the following change that should not be included. Please remove it from the patch:

-               defaultRuntimeValue="1.3.20(static),1.3.26(static),2.0(static),1.3.x(rules),2.0.x(rules)"
+               defaultRuntimeValue="1.3.20(static),1.3.26(static),2.0(static),1.3.x(rules),2.0.x(rules),test"
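Review bot: the appended `,test` entry in defaultRuntimeValue is not a runtime version pattern like the other entries (`1.3.20(static)`, `1.3.x(rules)`, `2.0.x(rules)`) and reads as a leftover from local testing; drop it so the committed plugin.xml keeps the original default value unchanged.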
Comment 18 Cindy Jin CLA 2007-04-21 21:45:46 EDT
Created attachment 64520 [details]
adapter files, plugin.xml and plugin.properties
Comment 19 Cindy Jin CLA 2007-04-21 21:49:27 EDT
Created attachment 64521 [details]
native code
Comment 20 Cindy Jin CLA 2007-04-21 22:17:07 EDT
Created attachment 64522 [details]
ParserWrapper patch
Comment 21 Dave Smith CLA 2007-04-23 16:46:36 EDT
Code committed to TPTP Head CVS.

Note, I did not commit the change to plugin.properties. Instead I hardcoded the value of defaultValue in the logParser extensions because the values should not be translated. 

This bugzilla will not be resolved until the native code has been included in the build (bugzilla 182970).
Comment 22 Cindy Jin CLA 2007-04-30 12:16:42 EDT
Dependency 182970 is fixed.
Comment 23 Paul Slauenwhite CLA 2009-06-30 13:15:30 EDT
As of TPTP 4.6.0, TPTP is in maintenance mode and focusing on improving quality by resolving relevant enhancements/defects and increasing test coverage through test creation, automation, Build Verification Tests (BVTs), and expanded run-time execution. As part of the TPTP Bugzilla housecleaning process (see http://wiki.eclipse.org/Bugzilla_Housecleaning_Processes), this enhancement/defect is verified/closed by the Project Lead since this enhancement/defect has been resolved and unverified for more than 1 year and considered to be fixed. If this enhancement/defect is still unresolved and reproducible in the latest TPTP release (http://www.eclipse.org/tptp/home/downloads/), please re-open.