andrew.dalbor Outstanding Contributor.

Azure MFA Logs via RADIUS server - custom parser

Hey All,

I am working on setting up a custom parser for some Azure MFA logs that are brokered via a RADIUS server.

The logs originate from a Windows server, so they are in a JSON-type format.

I created a key-value props file with conditional mapping, like the one normally used for Windows event type parsers.

The issue I have is that the event ID generated by these events is always the same ID, which makes using the conditional map somewhat difficult. The events share the same ID but have different messages.

Is it possible for me to regex using a submessage for the conditional mapping to parse the different messages?

Or should I be writing a normal regex to parse the entire message?

Any help is greatly appreciated.

Thanks!

Micro Focus Expert

Re: Azure MFA Logs via RADIUS server - custom parser

Is there no other field that is unique for each of the 4 events, even though they have the same event ID?

Sure, submessages are one thing, but conditional mapping might be easier. You can combine standard mapping with conditional mapping: map all the standard fields that are the same for all events, then use conditional mapping for the rest, based on a condition on one of the other fields that might be unique. Example:

#Standard mappings
event.deviceEventClassId=EVENTID
event.deviceEventCategory=TYPE

#Conditional mappings
#How many fields have conditions
conditionalmap.count=1
#Which field do we base the condition on
conditionalmap[0].field=event.deviceEventClassId
#How many different conditions do we have
conditionalmap[0].mappings.count=2
#Values for condition one: if it's either of these two events, set the parameter
conditionalmap[0].mappings[0].values=532,534
#set parameter
conditionalmap[0].mappings[0].event.sourceAddress=PARAMETER
#Condition number two: if the above is not true but this is, set the other parameter instead
conditionalmap[0].mappings[1].values=533
#set parameter
conditionalmap[0].mappings[1].event.sourceUserName=PARAMETER

If that doesn't fix it, let us know the 4 events you have, maybe with an example of each of them, so we can help you out!

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of Micro Focus.
All replies are based on best effort and cannot be taken as official support replies.
//Marius
andrew.dalbor Outstanding Contributor.

Re: Azure MFA Logs via RADIUS server - custom parser

Thanks for the response Marius.

The issue, as I have stated, is that there is only one event ID generated by Windows, so there is nothing unique to trigger submessages on. My original idea was to use keywords in the message to trigger the submessages. Because it is a conditional mapping based on Windows event XML, I wasn't quite sure how to achieve this.

Here is an example of 3 events, showing just the "msg" portion of the XML generated by the Windows event.

"msg":"CID: xxxx-xxxx-xxxx-xxxx : Access Rejected for user xxxx with Azure MFA response: PhoneAppNoResponse and message: Authentication method failed.,,,xxxx-xxxx-xxxx-xxxx"
"msg":" CID: xxxx-xxxx-xxxx-xxxx : Access Accepted for user xxxx with Azure MFA response: Success and message:  session xxxx-xxxx-xxxx-xxxx"}}
"msg":" CID: xxxx-xxxx-xxxx-xxxx :Challenge requested in Authentication Ext for User xxxx with state xxxx-xxxx-xxxx-xxxx"

All 3 of these events share an identical event ID set by Windows.

Here is an example straight from Windows Event Viewer:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-AzureMfa-AuthZ" Guid="{xxxx-xxxx-xxxx-xxxx}" />
    <EventID>1</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-26T14:58:02.017131900Z" />
    <EventRecordID>14391</EventRecordID>
    <Correlation />
    <Execution ProcessID="xxxx" ThreadID="xxxx" />
    <Channel>AuthZOptCh</Channel>
    <Computer>xxxx.xxxx.xxx</Computer>
    <Security UserID="x-x-x-x" />
  </System>
  <EventData>
    <Data Name="msg">CID: xxxx-xxxx-xxxx-xxxx : Access Accepted for user xxxx with Azure MFA response: Success and message: session xxxx-xxxx-xxxx-xxxx</Data>
  </EventData>
</Event>

andrew.dalbor Outstanding Contributor.

Re: Azure MFA Logs via RADIUS server - custom parser

bump

Knowledge Partner

Re: Azure MFA Logs via RADIUS server - custom parser

Well... you could always try a combination of __oneOf and __regexToken or __regexTokenNoWarning.

So, in other words:

event.message=__oneOf(__regexToken([token],[regex]),__regexToken([token],[regex]),__regexToken([token],[regex]),__regexToken([token],(.*)))

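To make the idea in the reply above concrete against the three "msg" shapes Andrew quoted earlier in the thread, here is an added example in Python. It is not ArcSight connector code and is not from anyone in this thread; it emulates what a chain like __oneOf(__regexToken(...), ..., __regexToken([token],(.*))) is meant to achieve: try one message-specific regex per event shape in order, take the first that matches, and end with a catch-all so every message produces a result. The first-match-wins reading of __oneOf is my assumption about the reply, not something verified against the product, and the CID, user and session values are constructed placeholders patterned on the redacted samples.

```python
import re

# Constructed sample messages modelled on the three "msg" variants quoted in
# the thread, plus one unexpected shape. All identifiers are placeholders.
SAMPLE_MESSAGES = [
    "CID: 1111-2222-3333-4444 : Access Rejected for user alice with Azure MFA "
    "response: PhoneAppNoResponse and message: Authentication method failed.,,,5555-6666-7777-8888",
    " CID: 1111-2222-3333-4444 : Access Accepted for user bob with Azure MFA "
    "response: Success and message:  session 9999-aaaa-bbbb-cccc",
    " CID: 1111-2222-3333-4444 :Challenge requested in Authentication Ext for User carol "
    "with state dddd-eeee-ffff-0000",
    "CID: 1111-2222-3333-4444 : Something the parser has never seen before",
]

# Ordered (label, regex) pairs. This stands in for __oneOf over several
# __regexToken branches (assumed first-match-wins): the order matters, and the
# final catch-all plays the role of the trailing (.*) token in the reply.
PATTERNS = [
    ("rejected", re.compile(
        r"^\s*CID:\s*(?P<cid>\S+)\s*:\s*Access Rejected for user (?P<user>\S+) "
        r"with Azure MFA response: (?P<response>\S+) and message:\s*(?P<detail>.*)$")),
    ("accepted", re.compile(
        r"^\s*CID:\s*(?P<cid>\S+)\s*:\s*Access Accepted for user (?P<user>\S+) "
        r"with Azure MFA response: (?P<response>\S+) and message:\s*(?P<detail>.*)$")),
    ("challenge", re.compile(
        r"^\s*CID:\s*(?P<cid>\S+)\s*:\s*Challenge requested in Authentication Ext "
        r"for User (?P<user>\S+) with state (?P<state>\S+)$")),
    # Catch-all: guarantees a match so nothing is dropped as "didn't match".
    ("unknown", re.compile(r"^(?P<detail>.*)$", re.DOTALL)),
]


def classify(msg: str) -> dict:
    """Return the fields of the first matching branch, tagged with its label."""
    for outcome, pattern in PATTERNS:
        match = pattern.match(msg)
        if match:
            fields = {name: value.strip() for name, value in match.groupdict().items()}
            fields["outcome"] = outcome
            return fields
    # Unreachable because of the catch-all, kept so the function always returns a dict.
    return {"outcome": "unknown", "detail": msg}


def summarize(messages) -> dict:
    """Count outcomes; a non-zero 'unknown' count means a message shape the
    branches do not cover, which is worth surfacing rather than ignoring."""
    counts: dict = {}
    for msg in messages:
        outcome = classify(msg)["outcome"]
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_MESSAGES:
        print(classify(sample))
    print(summarize(SAMPLE_MESSAGES))
```

The ordering and the catch-all are the two things to carry back into the connector's properties file: each event shape gets its own branch, and the last branch accepts anything, which is the role of the final __regexToken with (.*) in the reply. Watching how often the catch-all branch fires is a cheap way to notice when Azure MFA changes its message wording.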
Jacek Debski Contributor.

Re: Azure MFA Logs via RADIUS server - custom parser

Hi Andrew,

Any luck with these logs?
I'm facing the same problem with the AzureMfa log, and since I can bypass this with some additional regex parsing, it generates a ton of "the message [xxxxx] didn't match the regex [regex blablabla]" entries in the connector's log, so I'm looking for some better solution.
