From 5fc43bc21f61ca0a77f72a4079427dbfc6972fc3 Mon Sep 17 00:00:00 2001
From: Hiroshi Hatake <hiroshi@chronosphere.io>
Date: Fri, 21 Jun 2024 17:11:50 +0900
Subject: [PATCH] in_winevtlog: Retrieve actual user account's domain and name

Only extracting the SID when is used for normal data cases. For string inserts, we needn't replace with the actual data because replacing with actual user account's domain and its name causes breaking the relationship of corresponding string interpolated message and the element of string inserts.

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
---
 plugins/in_winevtlog/pack.c | 70 ++++++++++++++++++++++++++++++++++---
 1 file changed, 66 insertions(+), 4 deletions(-)

diff --git a/plugins/in_winevtlog/pack.c b/plugins/in_winevtlog/pack.c
index 18ee97e48d1..0a03e83dbf8 100644
--- a/plugins/in_winevtlog/pack.c
+++ b/plugins/in_winevtlog/pack.c
@@ -261,20 +261,82 @@ static int pack_filetime(struct winevtlog_config *ctx, ULONGLONG filetime)
     return 0;
 }
-static int pack_sid(struct winevtlog_config *ctx, PSID sid)
+static int pack_sid(struct winevtlog_config *ctx, PSID sid, int extract_sid)
 {
+#define MAX_NAME 256
     size_t size;
     LPWSTR wide_sid = NULL;
+    DWORD len = MAX_NAME, err = ERROR_SUCCESS;
     int ret = -1;
+    SID_NAME_USE sid_type = SidTypeUnknown;
+    char account[MAX_NAME];
+    char domain[MAX_NAME];
+    PSID pSID = NULL;
+    DWORD result_len = 0;
+    flb_sds_t formatted = NULL;
     if (ConvertSidToStringSidW(sid, &wide_sid)) {
+        if (extract_sid == FLB_TRUE) {
+            if (!LookupAccountSidA(NULL, sid,
+                                   account, &len, domain,
+                                   &len, &sid_type)) {
+                err = GetLastError();
+                if (err == ERROR_NONE_MAPPED) {
+                    strcpy_s(account, MAX_NAME, "NONE_MAPPED");
+                }
+                else {
+                    flb_plg_warn(ctx->ins, "LookupAccountSid Error %u", err);
+                }
+
+                goto error;
+            }
+
+            result_len = strlen(domain) + 1 + strlen(account) + 1;
+            formatted = flb_sds_create_size(result_len);
+            if (formatted == NULL) {
+                flb_plg_warn(ctx->ins, "create result buffer failed");
+
+                goto error;
+            }
+
+            _snprintf_s(formatted, result_len, _TRUNCATE, "%s\\%s", domain, account);
+
+            if (size > 0) {
+                flb_log_event_encoder_append_body_cstring(ctx->log_encoder, formatted);
+
+                ret = 0;
+            }
+            else {
+                flb_plg_warn(ctx->ins, "format domain\\account failed");
+                flb_sds_destroy(formatted);
+
+                ret = -1;
+
+                goto error;
+            }
+
+            LocalFree(wide_sid);
+            flb_sds_destroy(formatted);
+
+            return ret;
+        }
+        else {
+            ret = pack_wstr(ctx, wide_sid);
+            LocalFree(wide_sid);
+
+            return ret;
+        }
+
+    error:
         ret = pack_wstr(ctx, wide_sid);
         LocalFree(wide_sid);
-        return ret;
+
+        return -1;
     }
     return ret;
+#undef MAX_NAME
 }
 static void pack_string_inserts(struct winevtlog_config *ctx, PEVT_VARIANT values, DWORD count)
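Review bot: `if (size > 0)` reads `size`, which is declared but never assigned anywhere in this function, so whether `formatted` is appended to the event is decided by an indeterminate value (undefined behavior); the check that was evidently intended is the return value of `_snprintf_s`, which yields -1 on truncation with `_TRUNCATE`. The `error:` path also packs the SID string through `pack_wstr` and then returns -1 unconditionally, so both call sites (`pack_string_inserts` and `winevtlog_pack_event`) go on to call `pack_nullstr` and emit two body values for a single key — keep `return ret;` there as the removed line did. `LookupAccountSidA` is passed the same `&len` for the account and the domain buffer sizes, so the count written back for one buffer can be read as the capacity of the other; use two `DWORD`s, and note that the `strcpy_s(account, MAX_NAME, "NONE_MAPPED")` result is never used because that branch jumps to `error` anyway, while `pSID` is unused entirely. Since the surrounding path is wide (`ConvertSidToStringSidW`, `pack_wstr`), `LookupAccountSidW` followed by `pack_wstr` would also avoid mangling non-ANSI account and domain names.
```c
static int pack_sid(struct winevtlog_config *ctx, PSID sid, int extract_sid)
{
    LPWSTR wide_sid = NULL;
    DWORD account_len = MAX_NAME, domain_len = MAX_NAME, err = ERROR_SUCCESS;
    int ret = -1;
    int written = 0;
    /* … unchanged: sid_type, account, domain, result_len, formatted … */

    if (ConvertSidToStringSidW(sid, &wide_sid)) {
        if (extract_sid == FLB_TRUE) {
            if (!LookupAccountSidA(NULL, sid,
                                   account, &account_len,
                                   domain, &domain_len, &sid_type)) {
                err = GetLastError();
                if (err != ERROR_NONE_MAPPED) {
                    flb_plg_warn(ctx->ins, "LookupAccountSid Error %u", err);
                }

                goto error;
            }
            /* … unchanged: result_len and flb_sds_create_size … */

            written = _snprintf_s(formatted, result_len, _TRUNCATE, "%s\\%s", domain, account);

            if (written > 0) {
                /* … unchanged: append formatted, ret = 0 … */
            }
            /* … unchanged: else branch, cleanup, return ret … */
        }
        /* … unchanged: else branch packing the SID string … */

    error:
        ret = pack_wstr(ctx, wide_sid);
        LocalFree(wide_sid);

        return ret;
    }
    /* … unchanged: trailing return … */
```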
@@ -355,7 +417,7 @@ static void pack_string_inserts(struct winevtlog_config *ctx, PEVT_VARIANT value
             }
             break;
         case EvtVarTypeSid:
-            if (pack_sid(ctx, values[i].SidVal)) {
+            if (pack_sid(ctx, values[i].SidVal, FLB_FALSE)) {
                 pack_nullstr(ctx);
             }
             break;
@@ -601,7 +663,7 @@ void winevtlog_pack_event(PEVT_VARIANT system, WCHAR *message,
         /* UserID */
         ret = flb_log_event_encoder_append_body_cstring(ctx->log_encoder, "UserID");
-        if (pack_sid(ctx, system[EvtSystemUserID].SidVal)) {
+        if (pack_sid(ctx, system[EvtSystemUserID].SidVal, FLB_TRUE)) {
             pack_nullstr(ctx);
         }