Example of processing MS AD logs into CEF output
Hi, here is an example of processing MS AD logs into CEF output file, categorizing the various events, e.g., into logon, logoff, create, access, modify, SystemAction, etc.
This is to process the CEF-formatted syslog that is produced by the ArcSight smart-connector for the MS Active Directory server.
I did a mapping of the logged events.
If anyone uses this and "enhances" it, I would appreciate feedback. This can be a community effort, e.g., to grow the list of events that are mapped.
It also is a good example of how to do the sdkrfilereader for the fixed-format header, and then invoke extraProcessor to sdkkeyvaluefilereader to process the key=value CEF variable format. (Remove the ".txt" from the filename if you install it for use.)
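As an added illustration (not the attachment from the post above, and not ArcSight's own reader code), here is a small Python parser that does the same two-stage job the post describes: it consumes the seven fixed pipe-delimited CEF header fields, then the key=value extension, and tags each record with a category keyed on the Windows event ID. The sample lines, the vendor/product strings and the event-ID table are constructed for the demo and are not taken from the poster's mapping.

```python
import re

# Constructed sample input shaped like the CEF syslog an AD connector emits; vendor,
# product, signature IDs and extension values are illustrative, not captured logs.
SAMPLE_LINES = [
    r"CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4624|An account was successfully logged on.|Low|suser=alice dhost=DC01 cs1Label=Logon Type cs1=3 msg=Result\=OK",
    r"CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4634|An account was logged off.|Low|suser=alice dhost=DC01",
    r"CEF:0|Microsoft|Microsoft Windows||Microsoft-Windows-Security-Auditing:4720|A user account was created.|Medium|suser=admin duser=bob dhost=DC01",
]
HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# Assumed Windows Security event-ID -> category table for the demo; the attachment in the
# thread carries the author's own mapping, which is not reproduced here.
CATEGORIES = {"4624": "logon", "4625": "logon", "4634": "logoff", "4647": "logoff",
              "4720": "create", "4738": "modify", "4663": "access", "4719": "SystemAction"}
_KEY_RE = re.compile(r"(?:^| )(\w+)=")  # a key starts the extension or follows a space
_UNESC = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}

def _unescape(s):
    return re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(0)), s)

def split_header(line):
    """Consume the seven fixed header fields, honouring \\| and \\\\ escapes; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):  # escaped character inside a header field
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: fewer than 7 fields")
    return fields, line[i:]

def parse_extension(ext):
    """key=value pairs; values may contain spaces, so each value runs to the next key token."""
    hits = list(_KEY_RE.finditer(ext))
    return {m.group(1): _unescape(ext[m.end():(hits[n + 1].start() if n + 1 < len(hits) else len(ext))])
            for n, m in enumerate(hits)}

def process(lines):
    """Parse each CEF line into a dict and tag it with a category derived from the event ID."""
    records = []
    for line in lines:
        fields, ext = split_header(line)
        rec = {**dict(zip(HEADER_FIELDS, fields)), **parse_extension(ext)}
        rec["category"] = CATEGORIES.get(rec["signature_id"].rsplit(":", 1)[-1], "other")
        records.append(rec)
    return records
```

Events whose ID is not in the table fall into "other", which is the bucket to watch when growing the mapping as the post suggests.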
Re: Example of processing MS AD logs into CEF output
It depends on whether you think that CEF output is useful as formatted and populated.
Also whether the user's identity is given in a useful way. I.e., if the user is identified as a numeric offset in the Linux password file, that is not globally significant. Or a locally-specified username may not match the value on other systems.
One value-added of what I did is to group the similar records together, e.g., for login-related events.