1,280 questions
1 vote · 1 answer · 210 views
Need help understanding a Cortex XDR alert on DCSync/MSOL Account and a legitimate PowerShell block
(Note: I wanted to use cortex-xdr and azure-ad tags but lacked the required reputation. Let me know if this post should be moved to Security StackExchange or retagged accordingly.)
I’m currently ...
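An added example for the DCSync question above; it is not part of the post and not Cortex XDR's own detection logic. A DCSync attempt is a directory replication request, which a domain controller audits as Security event 4662 whose Properties field carries the replication control-access-right GUIDs. The hunt below lists those requests and skips the accounts that legitimately replicate. The MSOL_ prefix (the Azure AD Connect sync account) and the 5,000-event window are assumptions to adjust.

```powershell
# Added example, not from the post. Requires "Audit Directory Service Access" (success)
# on the domain controllers; run it on a DC or on a forwarded copy of its Security log.
function Find-DcSyncRequest {
    param(
        [int]$MaxEvents = 5000,
        # Accounts expected to replicate besides DC machine accounts. The MSOL_ prefix
        # (Azure AD Connect) is an assumed allowlist entry; review it for your environment.
        [string[]]$AllowedPrefixes = @('MSOL_')
    )
    # Control-access-right GUIDs that DCSync tooling (lsadump::dcsync, secretsdump) requests.
    $replicationRights = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
    }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields instead of relying on Properties[] positions.
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($item in $x.Event.EventData.Data) { if ($item.Name) { $d[$item.Name] = $item.'#text' } }

            $hits = @($replicationRights.Keys | Where-Object { $d['Properties'] -match $_ })
            if ($hits.Count -eq 0) { return }                    # ordinary object access, not replication

            $user = [string]$d['SubjectUserName']
            if ($user.EndsWith('$')) { return }                  # DC-to-DC replication by machine accounts
            foreach ($p in $AllowedPrefixes) { if ($user -like "$p*") { return } }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = "$($d['SubjectDomainName'])\$user"
                LogonId     = $d['SubjectLogonId']              # join to 4624 to recover the client IP
                Rights      = ($hits | ForEach-Object { $replicationRights[$_] }) -join ', '
                Object      = $d['ObjectName']
            }
        }
}

Find-DcSyncRequest | Format-Table -AutoSize
```

4662 names the account and logon session but not the client address; join LogonId to the 4624 with the same TargetLogonId on the same DC to get IpAddress. That join is also how to read an alert on the MSOL_ account: replication by that account is expected only from the Azure AD Connect host, so the same account replicating from any other machine is the case worth escalating.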
0 votes · 0 answers · 79 views
How to create a custom event channel that a user mode app and a kernel mode driver can both write to?
I want to create a custom event channel to which both an executable running as a limited user and a kernel mode driver are able to write. How can I do this?
Following are the things I tried but ...
0 votes · 1 answer · 70 views
NXlog Kerberos Principal not found in keytab
NXlog im_wseventing Request ticket server HTTP/domain@REALM not found in keytab
Currently I am working on using nxlog to collect windows event logs to my Ubuntu 22 desktop using Kerberos ...
1 vote · 0 answers · 43 views
How to add a reason and reason code to the event log using PowerShell or any other way?
Would like to know how the reason and a different reason code can be added to the event log, preferably using PowerShell?
PowerShell script used: Restart-Computer -ComputerName (Read-Host "...
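An added example, not from the post: Restart-Computer has no parameter for a shutdown reason, but shutdown.exe does (/d [p|u:]major:minor), and User32 writes the reason text, reason code and comment into System event 1074. The major/minor pair and the comment below are assumed values; shutdown /? lists the valid pairs.

```powershell
# Added example, not from the post. p:4:1 = planned, major 4 (Application), minor 1
# (Maintenance); Windows records it as reason code 0x80040001. Use "shutdown.exe /a"
# inside the /t window to cancel while testing.
shutdown.exe /r /t 60 /d p:4:1 /c "Planned maintenance: monthly patching"

# After the reboot, read the reason back. User32's 1074 has unnamed Data elements, so
# the fields are positional and follow the message template:
# %1 process, %2 computer, %3 reason, %4 reason code, %5 shutdown type, %6 comment, %7 user.
function Get-ShutdownReason {
    param([int]$Last = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties | ForEach-Object Value
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Process     = $p[0]
                Reason      = $p[2]
                ReasonCode  = $p[3]
                Type        = $p[4]
                Comment     = $p[5]
                User        = $p[6]
            }
        }
}
Get-ShutdownReason | Format-Table -AutoSize
```

Reboots without a 1074, or with an unplanned reason code, are the ones worth chasing when reviewing a host: an attacker-triggered restart (or a crash) leaves either no 1074 or a 6008 instead.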
0 votes · 0 answers · 68 views
Unable to add new event IDs in Wazuh
I have installed Wazuh and want to configure it so that the event IDs 4800, 4801 are collected. I read about a hundred articles on the web on how to add new event IDs. I edited the ossec.conf file on ...
0 votes · 1 answer · 139 views
How can I suppress multiple data elements in an EventViewer XPath query?
I want to filter the Windows event log for events that aren't generated by the KCC or from two IP addresses. This works for the KCC filter:
<QueryList>
<Query Id="0" Path="...
0 votes · 0 answers · 37 views
What is the correct way to update a WEL manifest?
A few months ago I switched my program's event logging from mc files to a manifest. I didn't design an update process, so now I have an issue. During the update process the installer tries to register the manifest ...
0 votes · 0 answers · 118 views
Serilog not able to recognize correct Event Ids when writing to the Event Log
I have been working with Serilog for a week now trying to get it to log to the Windows Event Log unsuccessfully. I should qualify this. I can write to the log, but the message that actually gets ...
1 vote · 2 answers · 493 views
LoggerMessage and Event Log IDs
Using .NET 9, I have created a Windows Service following Microsoft tutorial. As per this tutorial, my code looks like:
public sealed class WindowsBackgroundService (
MyService _myService,
...
0 votes · 0 answers · 57 views
Long XPath / structured XML filter has a huge performance hit
I have been trying to minimize the logs sent to the SIEM by filtering them at the source.
You can find the filter I used below. It is long. Instead of using a long <Select> statement with inverted ...
0 votes · 0 answers · 63 views
What field in an event log manifest becomes a "Source" in the Event Logging window?
I wrote an event log manifest file with a provider and channel. Now I have to split it into different event sources, and I am a little bit confused about how to do this. What part of the manifest becomes a source ...
1 vote · 1 answer · 112 views
Set placeholder %2, %3, ... in Windows Event Log with PowerShell
Background
To write error logs to Windows Event Viewer in PowerShell script, I've found a suitable source Application Error and event ID 1000.
When you call Write-EventLog -LogName "Application&...
1 vote · 1 answer · 96 views
How to subscribe to Event from Microsoft-Windows-NetworkProfile/Operational using WMI
I am trying to subscribe to Event 10000 in the Microsoft-Windows-NetworkProfile/Operational log using WMI, similar to how I am subscribing to events in the "Windows Logs/Application" log. ...
0 votes · 1 answer · 45 views
What prevents the Windows Vista event log viewer from showing events?
I developed a manifest file for Windows event log logging, and it is a standard list of categories and events. It works great on Win 7+, but on Vista it shows a strange window:
I tried to find some ...
1 vote · 1 answer · 185 views
Get a list of available `-LogName` and `-Source` for `Write-EventLog` without the administrator privilege
Background
I want to write error messages to the Windows Event Log in a PowerShell script with Write-EventLog.
I don't have administrator privilege in the runtime environment, so I can't run New-...
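An added example, not from either of the two Write-EventLog posts above (the %2, %3 placeholder question and this one). It does two things: it lists the logs and registered sources by reading the registry, which a standard user can do without New-EventLog or Get-EventLog -List; and it writes an event with several insertion strings through System.Diagnostics.EventLog.WriteEvent, which Write-EventLog -Message cannot do because that parameter only ever fills %1. The source name MyScript and the sample inserts are assumptions.

```powershell
# Added example, not from either post.
# 1. Which logs and sources exist? The keys under Services\EventLog are readable by
#    standard users, so this needs no administrator rights.
function Get-RegisteredEventSource {
    param([string]$LogName = '*')
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
    foreach ($log in Get-ChildItem $root -ErrorAction SilentlyContinue | Where-Object PSChildName -like $LogName) {
        foreach ($src in Get-ChildItem $log.PSPath -ErrorAction SilentlyContinue) {
            [pscustomobject]@{
                LogName     = $log.PSChildName
                Source      = $src.PSChildName
                MessageFile = (Get-ItemProperty $src.PSPath -ErrorAction SilentlyContinue).EventMessageFile
            }
        }
    }
}
Get-RegisteredEventSource -LogName Application | Where-Object Source -like 'Application*'

# 2. Fill %1, %2, %3 ...: EventLog.WriteEvent takes an array of insertion strings that
#    are substituted into the source's message template in order.
function Write-EventWithInserts {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][int]$EventId,
        [System.Diagnostics.EventLogEntryType]$EntryType = 'Information',
        [Parameter(Mandatory)][string[]]$Inserts
    )
    # The source must already be registered for this log. For an unregistered source .NET
    # tries to create it, which needs administrator rights and throws for a standard user.
    $instance = New-Object System.Diagnostics.EventInstance($EventId, 0, $EntryType)
    $log = New-Object System.Diagnostics.EventLog($LogName)
    try {
        $log.Source = $Source
        $log.WriteEvent($instance, [object[]]$Inserts)
    } finally {
        $log.Dispose()
    }
}

# 'MyScript' is an assumed source, registered once by an administrator with
#   New-EventLog -LogName Application -Source MyScript
Write-EventWithInserts -LogName Application -Source MyScript -EventId 1000 -EntryType Error `
    -Inserts @('backup.ps1', '0x80070005', 'C:\data\out')
```

Borrowing a source you do not own, such as Application Error with event ID 1000, forges the provenance of the record: crash triage and SIEM rules keyed on that source and ID will fire on your script's messages, and your own events become indistinguishable from real application faults. The one-time, elevated New-EventLog registration of a dedicated source is the right trade.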
1 vote · 0 answers · 143 views
How do I create Windows custom event logs?
I need to create custom event logs like it's done by OpenSSH (see screenshot).
I tried to add registry keys manually. Then I found the file:
https://github.com/PowerShell/openssh-portable/blob/...
0 votes · 0 answers · 90 views
How to effectively monitor process creation using Python on Windows? Currently missing short-lived processes
My aim: I have been trying to continuously monitor process creation using Python (without a lot of prerequisites) but I am not able to capture short-lived processes. I want this Python script to run ...
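An added example, not from the post: polling the process table misses anything that exits between two polls, whereas the Security log records every creation as event 4688 once "Audit Process Creation" is enabled, and includes the command line once the ProcessCreationIncludeCmdLine_Enabled policy is set. Both steps need an elevated shell. The Office-to-shell hunt at the end and the 10-minute window are assumed illustrations; Sysmon event 1 is the other common source and is not shown.

```powershell
# Added example, not from the post. Steps 1 and 2 are one-time, elevated changes.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

function Get-ProcessCreation {
    # Reads 4688 and returns one object per process, short-lived ones included.
    param([datetime]$Since = (Get-Date).AddMinutes(-10))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($item in $x.Event.EventData.Data) { if ($item.Name) { $d[$item.Name] = $item.'#text' } }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Pid         = [int]$d['NewProcessId']          # logged as hex, e.g. 0x1a4c
                Image       = $d['NewProcessName']
                CommandLine = $d['CommandLine']                 # empty until the policy above is set
                ParentPid   = [int]$d['ProcessId']
                ParentImage = $d['ParentProcessName']           # Windows 10 / Server 2016 and later
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Elevation   = $d['TokenElevationType']          # %%1937 = full administrator token
            }
        }
}

# Example hunt: shells spawned by Office, the classic macro-dropper pattern.
Get-ProcessCreation |
    Where-Object { $_.ParentImage -match '\\(WINWORD|EXCEL|POWERPNT)\.EXE$' -and
                   $_.Image -match '\\(cmd|powershell|wscript|cscript)\.exe$' } |
    Format-Table TimeCreated, User, ParentImage, CommandLine -AutoSize
```

Command-line capture puts secrets passed as arguments into the Security log, so decide who may read that log before switching it on; the same record that catches a dropper also catches a scripted password.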
0 votes · 1 answer · 159 views
Reading remote event logs using C# .NET Core code running on a Linux machine
I'm using C# .NET Core 8.0 and I need to be able to read events from a remote Windows event log and filter them by log name ("Security" in my case), event ID and creation datetime. The thing ...
1 vote · 2 answers · 441 views
XPath to select EventLog record where source contains string
I am writing an XPath query string to select records from the Windows Event Log where the Event source contains a particular string. I have a version which performs an exact match where the Path ...
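An added example, not from either post, for this question and the earlier one about suppressing several data elements. The event-log XPath dialect used by Event Viewer, Get-WinEvent -FilterXml/-FilterXPath and WEF subscriptions is a subset of XPath 1.0: no contains() or starts-with(), but one Query may hold several Select and Suppress elements, and a Suppress predicate may combine conditions with "or". The provider name and the two IP addresses are assumed values.

```powershell
# Added example, not from either post. Provider name and IP addresses are assumptions.
$filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
    <!-- one Suppress may test several values of the same Data element -->
    <Suppress Path="Security">
      *[EventData[Data[@Name='IpAddress']='10.0.0.5' or Data[@Name='IpAddress']='10.0.0.6']]
    </Suppress>
    <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
    <!-- a second Suppress drops a whole provider, matched on System/Provider/@Name -->
    <Suppress Path="System">*[System[Provider[@Name='Microsoft-Windows-DistributedCOM']]]</Suppress>
  </Query>
</QueryList>
'@

# Select and Suppress are both evaluated by the event log service, so only survivors
# cross the pipe; keep the bulk of the filtering there.
$events = Get-WinEvent -FilterXml ([xml]$filterXml) -MaxEvents 500 -ErrorAction SilentlyContinue

# A substring test on the source is not expressible in this XPath subset, so run that
# part client-side on the already reduced set.
function Select-EventBySourceSubstring {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event,
        [Parameter(Mandatory)][string]$Needle
    )
    process {
        $pattern = '*' + [System.Management.Automation.WildcardPattern]::Escape($Needle) + '*'
        if ($Event.ProviderName -like $pattern) { $Event }
    }
}

$events | Select-EventBySourceSubstring -Needle 'Security' |
    Select-Object TimeCreated, Id, ProviderName, MachineName -First 20
```

The same shape answers the performance complaint a few entries up: make the Select as narrow as possible (specific EventIDs) and let short Suppress elements carry the exceptions, rather than one long Select whose dozens of negated terms must be evaluated against every record in the log.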
0 votes · 1 answer · 40 views
Auto-generated manifest.h does not include ProviderGuid value
I am attempting to compile an instrumentation manifest in order to build a manifest-based Windows Event Log provider. I expect the compiled manifest.h file to include a ProviderGuid symbol, as the ...
0 votes · 1 answer · 225 views
How to configure NLog to log only Errors in the Windows syslog?
I'm trying to log only Errors into the Windows syslog (Event Viewer); I tried many solutions but none of them works as expected. I still see warning messages in the Windows syslog.
It's an ASP.NET Core ...
1 vote · 1 answer · 216 views
EventLog: EventWrite not writing data to EventLog
I am trying to write EventData (C struct-like) to the Application EventLog using "EventWrite".
I don't see any log written to the EventLog (Application).
I am using the below sprovider.mc file
...
-2 votes · 1 answer · 207 views
How to control text in an EventLog event
I'm trying to cheat with the EventLog in a C++ application. I have no message file; I simply use RegisterEventSource() and ReportEvent() in a sequence.
#include <windows.h>
#include <stdio.h&...
0 votes · 3 answers · 192 views
I want to know the name of the value for properties[0] in the event log
I want to know the name of the value for properties[0] in the event log. PowerShell code:
$log = Get-WinEvent -FilterHashtable @{
Logname ='System'
ProviderName = 'Microsoft-Windows-Power-...
0 votes · 1 answer · 44 views
C# cannot write to EventLog when Source is defined
I am trying to write to the Windows' EventLog > Windows Logs > Application, I am pretty sure I've created everything that is needed, but when writing to it, it just throws an Unknown error (...
0 votes · 1 answer · 282 views
Event Viewer source not found when creating an event with PowerShell
Trying to create simple events with IDs greater than 1000 to test a notification system using PowerShell.
Write-EventLog -LogName System -Source FailoverClustering -EntryType Error -EventID 1793 -...
0 votes · 0 answers · 46 views
Windows EventLog parsing
I am parsing event log records to detect various power states. One state in particular gives me a problem - unexpected power loss (id 6008).
The event has 2 properties inside - DATE and TIME stored as ...
1 vote · 1 answer · 220 views
R bupar: Get trace for each case
I use the bupar package to do process analysis. Suppose my data stored in a csv file looks like this (the file is already sorted properly by caseid and timestamp):
STATUS;timestamp;CASEID
created;16-...
0 votes · 0 answers · 61 views
WMI with Python
I'd like to get the last entry from the System event log with EventCode 6006. With this query:
SELECT * FROM Win32_NTLogEvent WHERE Logfile='System' AND EventCode='6006'
I get all the 6006 events in the ...
0 votes · 0 answers · 156 views
Reading and formatting events from Windows Event Log
The following code reads and prints the events from the Windows Event Log of the local computer.
import java.io.UnsupportedEncodingException;
import java.util.Date;
import com.sun.jna.platform.win32....
0 votes · 1 answer · 78 views
Converting a log.txt file to JSON using python
I am learning Python and have very limited programming knowledge, as a learning project I have a .txt system log that I am trying to convert to JSON.
I want the python program to parse through the ....
0 votes · 0 answers · 110 views
How to connect to a specific nested event log in a C# program?
I'm writing a C# program that looks through the Windows event logs for remote desktop login attempts, then reports the logins with a csv of the time, IP addresses, username and domain. I can make it ...
0 votes · 1 answer · 123 views
MongoDB: conditional updates to array fields in a single document
Context: I have created a service that deals with users data. I can not modify source and order of data in upstream system (usually it is a partial snapshot of a user or a delta (e.g. user's new post)....
-1 votes · 1 answer · 579 views
Get last Windows/PC shutdown time with VBA
Is there a way to get the last shutdown time of Windows with VBA?
I would like to follow the start and the end of the working time. The start of the working time is done, the specified excel file ...
-1 votes · 1 answer · 86 views
Strings won't write to the console together in C#
I'm super confused. I wrote a script to extract the time, IP, account name, and account domain from a failed login in the Event Log. Individually, the variables write just fine to the console. But, if ...
5 votes · 1 answer · 2k views
PowerShell: List of all successful logins to the system
Hello,
How can I read a list of all successful logins on the server via PowerShell? The following fields should be output in the list: TimeGenerated, UserName. I'm currently stuck on the following ...
0 votes · 1 answer · 1k views
How to configure a non-default WinRM port? error indicates an unknown GP parameter
I want to set the WinRM listening port to 443
Trying on Windows Server 2012 and 2016
when I run:
Set-Item -Path WSMan:\localhost\listener\listener*\Port -Value 443
I get:
Set-Item : WS-Management ...
3 votes · 3 answers · 432 views
C# - EventLogSession.ExportLog method throws EventLogNotFoundException in WPF application
I'm trying to implement a feature in a .NET Framework 4.7.2 WPF application which would allow customers to export their local application event log as part of a diagnostics package. I wrote this ...
0 votes · 2 answers · 188 views
ILoggingBuilder AddEventLog Linux compatibility
Does the extension method AddEventLog of Microsoft.Extensions.Logging.ILoggingBuilder also work when the application runs under a Linux OS, or would it cause an exception when there is no Windows ...
1 vote · 0 answers · 527 views
C# .NET 7.0 Logger is not working if I define the SourceName and LogName
I've been fighting to get logs working in newer versions of .NET.
If I don't set the SourceName and LogName, the log will show up in the Windows Event Viewer as ".NET runtime". If I define ...
0 votes · 1 answer · 112 views
How to calculate the timestamp difference between 2 events which are irregularly spaced apart
So I have an event log in which I would like to know the time elapsed between when a is true and when b is false; then the timestamp difference will be calculated. I would like to know how to search ...
0 votes · 1 answer · 125 views
EnterpriseLibrary.Logging severity level setting in app.config
I'm maintaining a Windows service that was written a long time ago, and the first author left the company well before I joined.
I want to reduce the eventlog records by leveling up the severity from ...
1 vote · 1 answer · 2k views
Diagnose BEX event, exception code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN)
I build a program via the IDE CVI/LabWindows from National Instruments. This program runs fine. I actually include a dll for modbus functionality (libmodbus) that I compiled via Microsoft Visual C++ ...
1 vote · 1 answer · 176 views
Create variable from Microsoft Security event ID message for Account Name and Caller Computer Name
I am using PowerShell to pull the most recent event ID for a locked out user using the following code:
Get-WinEvent -FilterHashTable @{LogName="Security"; ID=4740} -MaxEvents 1
Then I turn ...
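An added example, not from any of the posts, that serves this 4740 question, the earlier "name of the value for properties[0]" question and the "list of all successful logins" question. Properties[n] is the n-th Data element of the event's EventData; reading the record as XML gives each element's Name attribute, so fields can be addressed by name instead of by position. No sample output is embedded; run it on a domain controller for 4740 and on any audited host for 4624. The one-day window and the logon-type selection are assumed choices.

```powershell
# Added example, not from the posts.
function ConvertTo-EventFields {
    # Turns one EventLogRecord into an object whose property names are the EventData
    # <Data Name="..."> names from the provider's template (the names behind Properties[n]).
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $fields = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Computer = $x.Event.System.Computer }
        foreach ($d in $x.Event.EventData.Data) {
            if ($d.Name) { $fields[$d.Name] = $d.'#text' }      # unnamed Data (classic providers) is skipped
        }
        [pscustomobject]$fields
    }
}

# Latest lockout (4740). Listing the Data elements in order shows what Properties[0],
# Properties[1], ... are; for 4740, "Account Name" is TargetUserName and
# "Caller Computer Name" is TargetDomainName.
$raw = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($raw) {
    ([xml]$raw.ToXml()).Event.EventData.Data | Select-Object Name, '#text'
    $lock = $raw | ConvertTo-EventFields
    '{0} locked out from {1} at {2}' -f $lock.TargetUserName, $lock.TargetDomainName, $lock.TimeCreated
}

# Successful logons (4624) over the last day, without machine accounts, SYSTEM and
# service/batch logons. LogonType 3 (network: SMB, WinRM) is kept here; drop it if the
# list is dominated by file-share traffic.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ConvertTo-EventFields |
    Where-Object { $_.TargetUserName -notlike '*$' -and $_.TargetUserSid -ne 'S-1-5-18' -and $_.LogonType -in @(2, 3, 7, 10, 11) } |
    Select-Object TimeCreated,
                  @{ n = 'UserName'; e = { "$($_.TargetDomainName)\$($_.TargetUserName)" } },
                  LogonType, IpAddress, LogonProcessName |
    Format-Table -AutoSize
```

Addressing fields by name also keeps the script working across event versions: Microsoft has appended Data elements to 4624 and 4688 over time, which shifts the positional indexes but not the names.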
0 votes · 0 answers · 3k views
Windows logs DCOM error (ID 10028) even though remote connection to IIS works fine in code
We have a Windows service that checks whether an IIS site or application pool is running. The service can check IIS sites on both the local server as well as remote servers. The service is written in ...
1 vote · 1 answer · 132 views
Convert Spark SQL to Python Spark / Databricks pipeline event logs
I have the following SQL statement to query the Databricks pipeline event logs and it works.
I tried to rewrite it into Python code, but I failed.
Could somebody provide me any advice? Many thanks!!
...
0 votes · 2 answers · 152 views
EventLogQuery invalid
I am trying to retrieve a specific Event by searching for a specific binary token.
Here is what I have:
var queryString = @"*[EventData[Binary='AAAD78D436708349A059D47F0CE766C4']]";
var ...
0 votes · 1 answer · 451 views
SQL Server error log on changing database compatibility level
We are trying to capture changes to SQL Server database status, such as changes to database compatibility. I'm seeing that in SQL Server 2008 R2, the Event ID 5084 is logged in Windows application log ...
2 votes · 0 answers · 622 views
Dotnet 7 EventLog - Log to Applications and services instead of Windows Logs Applications
I tried to log via Windows Service created in dotnet 7.
I have appsettings.json
{
"Logging": {
"LogLevel": {
"Default": "Information"
},
&...
0 votes · 1 answer · 904 views
How to use EvtQuery() to get multiple events?
I'm following along in the Windows documentation, and maybe I'm doing something wrong, but it would appear that all I have to do to iterate through all of the events is to call EvtNext() until it ...