We used to use a file monitor utility called Rsyslog to monitor the DCS log files written locally. These log files would contain an MD5 hash value. Now, when the same log comes through DCS and ICDx pulls the event from the SQL database, there are no more MD5 hash values for the same types of events. Here are some sample logs from the file monitor and then from ICDx. We are forwarding events from the ICDx server to an Rsyslog server (syslog) and then to a Splunk instance.
The events from the file monitor:
Jun 12 11:28:26 xxx.xxx.xxx.xxx FileMonitor RealSource:"domain controller" Event ID: DRGW,476269,2020-06-12 11:27:39.000 Z-0000,W,59,R,9625db194b07e6221b7ca0be9c25f26e,REG_CrashOnAuditFail,CrashOnAuditFail_Changed,,NT AUTHORITY\SYSTEM,,C:\Windows\system32\svchost.exe,860,S,\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\CrashOnAuditFail,SET VALUE,,
The events as forwarded by ICDx:
{"device_os_type_id":100,"user_name":"NT AUTHORITY\\SYSTEM","timezone":0,"product_data":{"operation":"SET VALUE","system_state":"R"},"type":"DRGW","seq_num":476269,"uuid":"b0c66130-ac9f-11ea-c000-000000168008","ref_uid":106149235,"product_ver":"6.6.0.772","device_name":"domain controller","collector_device_ip":"xxx.xxx.xxx.xxx","status_id":1,"category_id":5,"id":2,"product_uid":"1F4A6425-878A-482C-9F4D-F6BC49DED2CA","device_time":1591961259000,"policy":{"name":"Domain_Controller_Detection","uid":31,"state_ids":[5],"rule_uid":"REG_CrashOnAuditFail","rule_name":"CrashOnAuditFail_Changed"},"remediated":false,"log_name":"dedicated/DCS_Logs/601f16c0-8984-11ea-d43b-000000000001","device_os_ver":"Server 2012 R2","type_id":8006,"logging_device_post_time":1591961261917,"version":"1.0","product_name":"Symantec Data Center Security","collector_device_name":"icdx server name","log_time":1591961245379,"device_ip":"xxx.xxx.xxx.xxx","actor":{"pid":860,"file":{"name":"svchost.exe","path":"C:\\Windows\\system32\\svchost.exe","folder":"C:\\Windows\\system32"}},"device_uid":1572,"collector_uid":"601f16c0-8984-11ea-d43b-000000000001","event_id":8006002,"reg_value_result":{},"collector_name":"NBN-DCS","severity_id":3,"device_alias_name":"domain controller","time":1591961259000,"reg_value":{"path":"\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\CrashOnAuditFail"}}
No filters have been applied to the collector or forwarder on ICDx.
Any idea why the MD5 hash is being pulled?
------------------------------
Mike
WaveRider Security
CA
------------------------------
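The script below is an added example, not code from the post above or from Symantec/Broadcom. It takes the two sample records as posted, maps the comma-separated FileMonitor fields onto ICDx keys by position (that positional mapping is inferred from matching values in the two samples and is an assumption, not a documented DCS field order), confirms the two records describe the same event (same sequence number, timestamp, rule, actor and registry path), and then searches the ICDx JSON for any key that names a hash or any value shaped like an MD5/SHA-1/SHA-256 digest. That last check is what separates "the hash was dropped" from "the hash moved to a key I was not looking at".

```python
import csv
import json
import re
from datetime import datetime, timedelta, timezone

# Copies of the two sample events from the post (hosts/IPs already masked there).
FILEMONITOR_LINE = (
    'Jun 12 11:28:26 xxx.xxx.xxx.xxx FileMonitor RealSource:"domain controller" '
    'Event ID: DRGW,476269,2020-06-12 11:27:39.000 Z-0000,W,59,R,'
    '9625db194b07e6221b7ca0be9c25f26e,REG_CrashOnAuditFail,CrashOnAuditFail_Changed,,'
    'NT AUTHORITY\\SYSTEM,,C:\\Windows\\system32\\svchost.exe,860,S,'
    '\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\CrashOnAuditFail,SET VALUE,,'
)
ICDX_JSON = r'''{"device_os_type_id":100,"user_name":"NT AUTHORITY\\SYSTEM","timezone":0,"product_data":{"operation":"SET VALUE","system_state":"R"},"type":"DRGW","seq_num":476269,"uuid":"b0c66130-ac9f-11ea-c000-000000168008","ref_uid":106149235,"product_ver":"6.6.0.772","device_name":"domain controller","collector_device_ip":"xxx.xxx.xxx.xxx","status_id":1,"category_id":5,"id":2,"product_uid":"1F4A6425-878A-482C-9F4D-F6BC49DED2CA","device_time":1591961259000,"policy":{"name":"Domain_Controller_Detection","uid":31,"state_ids":[5],"rule_uid":"REG_CrashOnAuditFail","rule_name":"CrashOnAuditFail_Changed"},"remediated":false,"log_name":"dedicated/DCS_Logs/601f16c0-8984-11ea-d43b-000000000001","device_os_ver":"Server 2012 R2","type_id":8006,"logging_device_post_time":1591961261917,"version":"1.0","product_name":"Symantec Data Center Security","collector_device_name":"icdx server name","log_time":1591961245379,"device_ip":"xxx.xxx.xxx.xxx","actor":{"pid":860,"file":{"name":"svchost.exe","path":"C:\\Windows\\system32\\svchost.exe","folder":"C:\\Windows\\system32"}},"device_uid":1572,"collector_uid":"601f16c0-8984-11ea-d43b-000000000001","event_id":8006002,"reg_value_result":{},"collector_name":"NBN-DCS","severity_id":3,"device_alias_name":"domain controller","time":1591961259000,"reg_value":{"path":"\\HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\CrashOnAuditFail"}}'''

# ASSUMPTION: positional names for the FileMonitor CSV payload, inferred by lining the
# sample values up against the ICDx record. Positions 3, 4 and 14 are left unmapped.
FM_FIELDS = {0: "type", 1: "seq_num", 2: "device_time", 5: "system_state", 6: "md5",
             7: "rule_uid", 8: "rule_name", 10: "user_name", 12: "actor_path",
             13: "actor_pid", 15: "reg_path", 16: "operation"}
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.(\d{3}) Z([+-])(\d{2})(\d{2})")
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def fm_time_to_ms(stamp):
    """'2020-06-12 11:27:39.000 Z-0000' -> epoch milliseconds, honouring the offset."""
    m = TS_RE.fullmatch(stamp)
    base = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    sign = -1 if m.group(3) == "-" else 1
    offset = timedelta(hours=int(m.group(4)), minutes=int(m.group(5))) * sign
    return int(base.replace(tzinfo=timezone(offset)).timestamp()) * 1000 + int(m.group(2))


def parse_filemonitor(line):
    """Split the text after 'Event ID: ' as CSV and name the fields we can correlate."""
    payload = line.split("Event ID: ", 1)[1]
    row = next(csv.reader([payload]))  # default dialect: backslashes are literal
    fm = {name: row[i] for i, name in FM_FIELDS.items()}
    fm["device_time_ms"] = fm_time_to_ms(fm["device_time"])
    return fm


def flatten(obj, prefix=""):
    """Nested JSON -> {'policy.rule_uid': ..., 'actor.file.path': ...}."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix[:-1]] = obj
    return out


def find_hash_fields(event):
    """Any key whose name mentions a digest, or any value shaped like one."""
    hits = {}
    for key, val in flatten(event).items():
        leaf = key.rsplit(".", 1)[-1].lower()
        if any(t in leaf for t in ("hash", "md5", "sha1", "sha256")):
            hits[key] = val
        elif isinstance(val, str) and HASH_RE.match(val):
            hits[key] = val
    return hits


def same_event(fm, icdx):
    """Field-by-field correlation of the FileMonitor record with the ICDx record."""
    pairs = [(fm["type"], icdx["type"]), (int(fm["seq_num"]), icdx["seq_num"]),
             (fm["device_time_ms"], icdx["device_time"]),
             (fm["system_state"], icdx["product_data"]["system_state"]),
             (fm["rule_uid"], icdx["policy"]["rule_uid"]),
             (fm["rule_name"], icdx["policy"]["rule_name"]),
             (fm["user_name"], icdx["user_name"]),
             (fm["actor_path"], icdx["actor"]["file"]["path"]),
             (int(fm["actor_pid"]), icdx["actor"]["pid"]),
             (fm["reg_path"], icdx["reg_value"]["path"]),
             (fm["operation"], icdx["product_data"]["operation"])]
    return all(a == b for a, b in pairs)


def compare():
    fm = parse_filemonitor(FILEMONITOR_LINE)
    icdx = json.loads(ICDX_JSON)
    return {"same_event": same_event(fm, icdx),
            "filemonitor_md5": fm["md5"],
            "icdx_hash_fields": find_hash_fields(icdx)}


if __name__ == "__main__":
    print(json.dumps(compare(), indent=2))
```

Run as-is it reports that the two records are the same event, that the FileMonitor record carries the 32-hex MD5 in its seventh field, and that the ICDx record has no key named like a digest and no digest-shaped value anywhere in the nested JSON; the UUID-style strings (`uuid`, `product_uid`, `collector_uid`) are excluded by the hyphens. Point `ICDX_JSON` at a live record from the rsyslog or Splunk side to repeat the check on a different event type.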