Share via


ACS Event Transformation Demystified

I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS.

 

Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector. Transformation instructions are all stored on the collector in a file called EventSchema.xml which is in the AdtServer directory (%windir%\system32\security\adtserver). This file is pointed to in the collector’s registry and is read during startup of the collector service; failure to successfully read and parse this file at startup is a fatal error for the collector (the debug log will complain about parsing).

The collector reads EventSchema.xml and builds in-memory binary tables of event transformation instructions and event string types by OS version/event log/event source.

The collector (as explained elsewhere) also reads AcsConfig.xml to get its persistent state and configuration for all known agents, to know what logs/sources to collect for each agent/agent group, etc. This is all read into in-memory state for each agent.

At connect time, the agent sends version information- what the OS and agent version and service pack are, etc. The collector first looks in its in-memory agent state to see what configuration applies to the agent. Then it looks in its transformation tables and extracts the appropriate version-specific transformation instructions for the events that the collector is configured to collect from that agent. Then it packages these instructions and sends them to the agent.

The agent starts reading events, transforming them according to its instructions from the collector, and sending the transformed events to the collector. The collector finishes the transformation, services real-time subscriptions and loads the events into the database as appropriate.

If the agent encounters an event that is it configured to send (by log/source) but does not have transformation instructions for, then it simply builds a copy the event string for string and sends the copy of the event to the collector as an “unschematized” event. The collector will handle this event without problems but will not extract non-header user fields (no primary/client/target user fields) and will not add string type information.

I’ll take Windows Server 2003 (build 3790), Event Log: Security, Event Source: Security, Event ID: 644 as an example.

Here’s the WS03 schema for 644 (excerpt from %systemroot%\system32\security\adtserver\EventSchema.xml in the path “Schema\Log[@Name=’Security’\Source[@Name=’Security’]\Version[@MinBuild=’3790’]\Event[@SourceId=’644’]”).

                        <Event SourceId="644" SourceName="SE_AUDITID_ACCOUNT_AUTO_LOCKED">

                              <Call Name="AppendString" Param1="1" Param2="0" />

                              <Call Name="AppendString" Param1="3" Param2="0" />

                              <Call Name="AppendString" Param1="2" Param2="0" />

                              <Call Name="AppendString" Param1="4" Param2="0" />

                              <Call Name="AppendString" Param1="5" Param2="0" />

                              <Call Name="AppendString" Param1="6" Param2="0" />

                              <Call Name="AppendSidFromNames" Param1="4" Param2="5" />

                              <Call Name="AppendNamesFromSid" Param1="3" Param2="0" />

                              <Param TypeName="typeUserDn" />

                              <Param TypeName="typeComputerName" />

                              <Param TypeName="typeTargetSid" />

                              <Param TypeName="typeClientUser" />

                              <Param TypeName="typeClientDomain" />

                              <Param TypeName="typeClientLogonId" />

                              <Param TypeName="typeClientSid" />

                              <Param TypeName="typeTargetUser" />

                              <Param TypeName="typeTargetDomain" />

                        </Event>

The instructions are all applied in order. “Call” instructions are executed agent-side; “Param” instructions are executed server-side.

These instructions can be translated as:

·         Take string 1 from the original event and make it string 1 in the new event. It is of type “typeUserDn”.

·         Take string 3 from the original event and make it string 2 in the new event. It is of type “typeComputerName”. Note that we are doing reordering here by appending original string #3 before original string #2. Nifty, eh?

·         Take string 2 from the original event and make it string 3 in the new event. It is of type “typeTargetSid”.

·         Take string 4 from the original event and make it string 4 in the new event. It is of type “typeClientUser”.

·         Take string 5 from the original event and make it string 5 in the new event. It is of type “typeClientDomain”.

·         Take string 6 from the original event and make it string 6 in the new event. It is of type “typeClientLogonId”.

·         Take string 4 from the original event and treat is as a user name, and take string 5 from the original event and treat it as a domain name, look up the associated SID and make it string 7 in the new event. The new string is of type “typeClientSid”.

·         Take string 3 from the new event, treat it as a SID, look up the user/domain name associated with it and append the user name as string 8 to the new event and the domain name as string 9 to the new event. String 8 is of type “typeTargetUser” and String 9 is of type “typeTargetDomain”.

See the reordering? Now here is an instance of the event with the original event data. If you’re not familiar with the XML, it’s the XML output of Crimson, the new eventlog service introduced in Vista/WS08, but this is a WS03 [pre-Crimson] machine; we're looking at a saved event log (evt) file.

<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Security" />

    <EventID Qualifiers="0">644</EventID>

    <Level>0</Level>

    <Task>7</Task>

    <Keywords>0xa0000000000000</Keywords>

    <TimeCreated SystemTime="2007-12-17T15:50:14.000Z" />

    <EventRecordID>28003981</EventRecordID>

    <Channel>C:\Users\ericf\AppData\Local\Temp\SERVER34_SecEvts.evt</Channel>

    <Computer>SERVER34</Computer>

    <Security UserID="S-1-5-18" />

  </System>

  <EventData>

    <Data>user09</Data> // String 1 – user name

    <Data>SERVER34</Data> // String 2 – looks like a machine name, confirmed by string 4

    <Data>%{S-1-5-21-5998314728-109421381-169156293-611111}</Data> // String 3 – definitely a SID

    <Data>SERVER34$</Data> // String 4 – definitely an account name (machine account)

    <Data>CONTOSO</Data> // String 5 – looks like a domain name

    <Data>(0x0,0x3E7)</Data> // String 6 – definitely a logon ID

    <Data>-</Data> // String 7 – empty null string at the end of the event (ignored by ACS)

  </EventData>

</Event>

 

When the event arrives at the collector, type information is applied, and then the user fields (typePrimary*, typeClient*, typeTarget*) are extracted from the string data section and the strings that are left are re-numbered starting at 1 (no reordering occurs).

Here’s a chart of what the event looks like at the various points in the system. The changes at each step are shown in red.

Client User

Client User

typeClientUser

Client Domain

Client Domain

typeClientDomain

Client Sid

Client Sid

typeClientSid

Client Login Id

Client Login Id

typeClientLogonId

Target User

Target User

typeTargetUser

Target Domain

Target Domain

typeTargetDomain

Target Sid

Target Sid

typeTargetSid

String01

typeUserDn

String01

typeUserDn

String01

typeUserDn

String02

typeTargetSid

String02

typeComputerName

String02

typeComputerName

String03

typeComputerName

String03

typeTargetSid

String03

String04

typeClientUser

String04

typeClientUser

String04

String05

typeClientDomain

String05

typeClientDomain

String05

String06

typeClientLogonId

String06

typeClientLogonId

String06

String07

String07

typeClientSid

String07

String08

String08

typeTargetUser

String08

String09

String09

typeTargetDomain

String09

To finish off a description of transformation, there are 7 transformation functions, each of which can optionally take 2 integers as parameters. Note that there is no “destination event” field specifier; all references are only to the original event. That’s because when constructing the destination event, any data added to the event is always appended- it is constructed from beginning to end- so the implicit destination field is “at the end of the event as it is now”.

Function

Parameter 1

Parameter 2

Description

AppendString

Reference to a string parameter in the source event in the event log

Unused

Appends the referenced string to the event which will be sent to the collector

AppendStringFromTable

Reference to a constant string in the statically defined <Strings> table (1-based) in the relevant Source\Version element in EventSchema.xml

Unused

Appends the referenced constant string to the event which will be sent to the collector

AppendProcessNameFromPid

Reference to a string parameter in the source event in the event log (source string is expected to be a numeric process ID)

Unused

Looks up the process image path name for the referenced PID and appends it to the event which will be sent to the collector

AppendTimeFromDatetime

Unused

Unused

Not Implemented/No Action

AppendSidFromNames

Reference to a string parameter in the source event in the event log (source string is expected to be a user name)

Reference to a string parameter in the source event in the event log (source string is expected to be a domain name)

Looks up the SID for the account represented by the specified user and domain names, and appends the SID to the event which will be sent to the collector

AppendNamesFromSid

Reference to a string parameter in the source event in the event log (source string is expected to be a security ID)

Unused

Looks up the user name and domain name for the account represented by the specified SID, and appends the user name and the domain name as separate strings to the event which will be sent to the collector

AppendNumber

Unused

Unused

Not Implemented/No Action

Out of range params cause the transformation instruction to be ignored and skipped. Non-integer params or other XML formatting/malformation problem (including non-UTF8 formatting) cause an EventSchema.xml parsing error at collector startup which in turn causes collector startup failure.

So that’s ACS transformation in a nutshell. I hope this helps you guys understand ACS functionality a little better.

Shortly I will finish my write-up on AcsConfig.xml but that is a simple file and not too hard to figure out if you are into experimentation.

Here are some cool things that you can try with the event schema file if you are adventurous:

1.       Drop fields. We have modified eventschema.xml successfully to cause it not to collect certain fields (e.g. logon GUIDs) of certain events:

                              <Call Name="AppendString" Param1="1" Param2="0" />

                              <Call Name="AppendString" Param1="2" Param2="0" />

                              <Call Name="AppendString" Param1="3" Param2="0" />

// try deleting a line here

// or, to preserve ordering of subsequent strings

// try replacing “AppendString” with “AppendStringFromTable (param1=1)”

                              <Call Name="AppendString" Param1="4" Param2="0" />

                              <Call Name="AppendString" Param1="5" Param2="0" />

                              <Call Name="AppendString" Param1="6" Param2="0" />

2. Add an event source. Some caveats are:

·         You must have a unique, well-formed GUID for the new source

·         You have to get events of the new source into the log (try “AuthzReportSecurityEvent” from MSDN)

·         You have to modify AcsConfig.xml to tell the agent(s) to collect the new source

NB I have used the C/C++ comment syntax throughout this post but note that ACS does not support either C/C++ nor XML style comments in the XML config files it uses