in_winevtlog: Retrieve actual user account's domain and name (#8992)
Only resolve the SID to an account name when it is used as normal event data (the UserID field).
For string inserts we must not replace the SID with the resolved data, because
substituting the actual user account's domain and name would break the
correspondence between the interpolated message string and the elements of the
string-inserts array.

Signed-off-by: Hiroshi Hatake <[email protected]>
cosmo0920 authored Jun 21, 2024
1 parent f6c650e commit 2bb1508
Showing 1 changed file with 66 additions and 4 deletions.
70 changes: 66 additions & 4 deletions plugins/in_winevtlog/pack.c
Expand Up @@ -261,20 +261,82 @@ static int pack_filetime(struct winevtlog_config *ctx, ULONGLONG filetime)
return 0;
}

static int pack_sid(struct winevtlog_config *ctx, PSID sid)
static int pack_sid(struct winevtlog_config *ctx, PSID sid, int extract_sid)
{
#define MAX_NAME 256
size_t size;
LPWSTR wide_sid = NULL;
DWORD len = MAX_NAME, err = ERROR_SUCCESS;
int ret = -1;
SID_NAME_USE sid_type = SidTypeUnknown;
char account[MAX_NAME];
char domain[MAX_NAME];
PSID pSID = NULL;
DWORD result_len = 0;
flb_sds_t formatted = NULL;

if (ConvertSidToStringSidW(sid, &wide_sid)) {
if (extract_sid == FLB_TRUE) {
if (!LookupAccountSidA(NULL, sid,
account, &len, domain,
&len, &sid_type)) {
err = GetLastError();
if (err == ERROR_NONE_MAPPED) {
strcpy_s(account, MAX_NAME, "NONE_MAPPED");
}
else {
flb_plg_warn(ctx->ins, "LookupAccountSid Error %u", err);
}

goto error;
}

result_len = strlen(domain) + 1 + strlen(account) + 1;
formatted = flb_sds_create_size(result_len);
if (formatted == NULL) {
flb_plg_warn(ctx->ins, "create result buffer failed");

goto error;
}

_snprintf_s(formatted, result_len, _TRUNCATE, "%s\\%s", domain, account);

if (size > 0) {
flb_log_event_encoder_append_body_cstring(ctx->log_encoder, formatted);

ret = 0;
}
else {
flb_plg_warn(ctx->ins, "format domain\\account failed");
flb_sds_destroy(formatted);

ret = -1;

goto error;
}

LocalFree(wide_sid);
flb_sds_destroy(formatted);

return ret;
}
else {
ret = pack_wstr(ctx, wide_sid);
LocalFree(wide_sid);

return ret;
}

error:
ret = pack_wstr(ctx, wide_sid);

LocalFree(wide_sid);
return ret;

return -1;
}

return ret;
#undef MAX_NAME
}

static void pack_string_inserts(struct winevtlog_config *ctx, PEVT_VARIANT values, DWORD count)
Expand Down Expand Up @@ -355,7 +417,7 @@ static void pack_string_inserts(struct winevtlog_config *ctx, PEVT_VARIANT value
}
break;
case EvtVarTypeSid:
if (pack_sid(ctx, values[i].SidVal)) {
if (pack_sid(ctx, values[i].SidVal, FLB_FALSE)) {
pack_nullstr(ctx);
}
break;
Expand Down Expand Up @@ -601,7 +663,7 @@ void winevtlog_pack_event(PEVT_VARIANT system, WCHAR *message,
/* UserID */
ret = flb_log_event_encoder_append_body_cstring(ctx->log_encoder, "UserID");

if (pack_sid(ctx, system[EvtSystemUserID].SidVal)) {
if (pack_sid(ctx, system[EvtSystemUserID].SidVal, FLB_TRUE)) {
pack_nullstr(ctx);
}

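Review bot: The `if (size > 0)` check after the `_snprintf_s` call in pack_sid reads `size`, which is declared as `size_t size;` but never assigned, so whether the formatted `domain\account` is emitted or the SID-string fallback is taken depends on uninitialized stack memory, while the `_snprintf_s` return value that the check appears to be meant for is discarded. The same `len` variable is also passed as both the account and the domain buffer size to LookupAccountSidA; both are in/out parameters, so the length written back for one can be read as the capacity of the other — give each buffer its own DWORD. The `strcpy_s(account, MAX_NAME, "NONE_MAPPED")` on ERROR_NONE_MAPPED is dead code, because that branch still falls into `goto error` and packs the SID string instead; either drop it or skip the goto for that case. LookupAccountSidA with a NULL system name may need to contact a domain controller for domain SIDs, so this presumably adds a per-event lookup on the UserID path that can stall the reader; a comment noting that trade-off would help.
```c
    DWORD account_len = MAX_NAME, domain_len = MAX_NAME, err = ERROR_SUCCESS;
    int written = 0;
    /* … unchanged: other locals, ConvertSidToStringSidW … */
            if (!LookupAccountSidA(NULL, sid,
                                   account, &account_len, domain,
                                   &domain_len, &sid_type)) {
    /* … unchanged: error handling, result buffer allocation … */
            written = _snprintf_s(formatted, result_len, _TRUNCATE, "%s\\%s", domain, account);

            if (written > 0) {
```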
