Windows Group Policy
Windows Group Policy provides centralized management of configuration settings for users and computers in a Microsoft Active Directory environment.
There are several ways Group Policy logs can be acquired:
- Group Policy Operational logs and Security logs from Windows Event Log
- Event Tracing for Windows (ETW)
- File-based logs found in the file system
This topic covers the methods that can be used to collect these logs with NXLog.
The Group Policy Operational log appears in Event Viewer under Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational. Its channel name, which is what the im_msvistalog Channel directive or a QueryXML Path expects, is Microsoft-Windows-GroupPolicy/Operational.
Group Policy activity also leaves events in the Security channel of the Windows Event Log. The ones of interest here are 5137 (directory service object created), 5136 (modified) and 5141 (deleted), which record GPO objects being created, changed or removed in Active Directory and are logged on domain controllers when the Audit Directory Service Changes subcategory is enabled and the objects carry an auditing entry (SACL) covering the change, and 4663 (an attempt was made to access an object), which records access to the policy files under SYSVOL when the Audit File System subcategory is enabled and the files carry a matching SACL. Without those audit settings the query below returns nothing.
The following configuration uses the im_msvistalog module to collect these events from the Security channel. Its custom XPath query selects only the listed Event IDs.
<Input in>
    Module    im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">
                    *[System[(EventID=4663 or EventID=5136 or EventID=5137 or EventID=5141)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>
The Microsoft-Windows-GroupPolicy provider supplies Group Policy events through an event tracing session, which the im_etw module can subscribe to directly.
This is the same provider that feeds the GroupPolicy Operational channel mentioned above. Reading the channel requires the events to be written to the event log on disk first, whereas im_etw receives the trace events and forwards them without that intermediate step, which is more efficient.
There are also slight differences in verbosity between the two paths, so it is worth trying both and picking the one that best suits your environment.
The following configuration uses the im_etw module to collect Group Policy logs from the ETW provider.
<Input in>
    Module    im_etw
    Provider  Microsoft-Windows-GroupPolicy
</Input>
Group Policy also writes plain-text debug logs for the Group Policy Client Service (GPSVC) and the Group Policy Management Console (GPMC) to the %windir%\debug\usermode directory. These files only exist when the corresponding tracing has been enabled; for GPSVC this means setting the GPSvcDebugLevel DWORD value to 0x30002 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics (create the key if it is missing).
The following configuration uses the im_file module to collect the GPMC and GPSVC logs from that directory. Since these logs are encoded in UTF-16LE, each record is converted to UTF-8 with the convert() function of the xm_charconv extension module before it is parsed.
Note that the log records carry only a time of day, so the configuration takes the date from the system clock via now(). This is accurate while tailing a live file, but records of an existing file written on an earlier day, or records written just before midnight and read after it, will be stamped with the wrong date.
<Extension converter>
    Module    xm_charconv
</Extension>

<Extension json>
    Module    xm_json
</Extension>

# Record format: COMPONENT(pid.tid) HH:MM:SS:mmm message
# PID and TID are hexadecimal and not always 3-4 digits, so any run of hex
# digits is accepted, and the separator between them is a literal dot.
define GroupPolicy /(?x)\w+\((?<PID>[0-9a-fA-F]+)\. \
                   (?<TID>[0-9a-fA-F]+)\)\s+ \
                   (?<time>[\d\:]+)\s+ \
                   (?<Message>.*)/

<Input in>
    Module    im_file
    File      'C:\Windows\debug\usermode\gpsvc.log'
    File      'C:\Windows\debug\usermode\gpmc.log'
    <Exec>
        # Record which of the two files the line came from
        if file_name() =~ /^.*\\(.*)$/ $FileName = $1;
        # Convert character encoding from UTF-16LE to UTF-8
        $raw_event = convert($raw_event, 'UTF-16LE', 'UTF-8');
        # Parse $raw_event into PID, TID, time and Message
        if $raw_event =~ %GroupPolicy%
        {
            # The record carries only a time of day; take the date from the system clock
            $date = year(now()) + "-" + month(now()) + "-" + day(now());
            # Combine $date and $time into the $EventTime field
            $EventTime = parsedate($date + " " + $time);
            # Delete the temporary fields
            delete($date);
            delete($time);
        }
        # Format the record as JSON
        to_json();
    </Exec>
</Input>
Input sample (one record from gpmc.log):
GPMC(1a1c.1a20) 19:04:10:376 CGPONode::~CGPONode: Destroying object 0x228cf90 with nodedeletedflag 0x0
Output sample (the same record as JSON; the 376 milliseconds of the original timestamp are not carried into EventTime):
{
  "EventReceivedTime": "2019-07-20T15:06:13.690052+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "FileName": "gpmc.log",
  "Message": "CGPONode::~CGPONode: Destroying object 0x228cf90 with nodedeletedflag 0x0",
  "PID": "1a1c",
  "TID": "1a20",
  "EventTime": "2019-07-20T19:04:10.000000+02:00"
}
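As an added example that is not part of the NXLog page or its configuration, the following Python reproduces offline what the im_file configuration above does to a gpsvc.log or gpmc.log record: it decodes UTF-16LE with a BOM, applies the same record pattern with a literal-dot separator and unrestricted hex PID/TID widths, keeps the millisecond field instead of dropping it, and attaches a date from a reference clock the way now() does, but moves a record back one day when its time of day is later than the clock, which is the case for lines written before midnight and read after it. The sample records, the reference clock and the function names are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# The page's record pattern, tightened.  Record format:
#   COMPONENT(pid.tid) HH:MM:SS:mmm message
# PID/TID are hex and not always 3-4 digits, the separator is a literal dot,
# and the millisecond field is captured instead of being discarded.
GP_LINE = re.compile(
    r"^(?P<Component>\w+)\((?P<PID>[0-9a-fA-F]+)\.(?P<TID>[0-9a-fA-F]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<Message>.*)$"
)

# Constructed sample (not a real capture): two gpmc.log-style records, the first
# written just before midnight, plus one non-record line, encoded as UTF-16LE
# with a BOM the way the real file is written.
SAMPLE_GPMC_LOG = (
    "\ufeff"
    "GPMC(1a1c.1a20) 23:59:58:990 CGPONode::~CGPONode: Destroying object 0x228cf90 with nodedeletedflag 0x0\r\n"
    "GPMC(1a1c.1a20) 00:00:01:015 CGPMDomain::GetGPO: Looking up GPO by ID\r\n"
    "not a group policy record\r\n"
).encode("utf-16-le")

# Constructed reference clock standing in for now(): the file is read five
# seconds after midnight, in UTC+2 as in the page's output sample.
SAMPLE_CLOCK = datetime(2019, 7, 21, 0, 0, 5, tzinfo=timezone(timedelta(hours=2)))


def decode_log(raw):
    """UTF-16LE bytes -> list of non-empty lines (the role of convert() in the config)."""
    text = raw.decode("utf-16-le").lstrip("\ufeff")
    return [line for line in text.splitlines() if line.strip()]


def parse_line(line, file_name, now):
    """Turn one record into the fields the NXLog config emits, or None if it does not match.

    `now` must be timezone-aware; the record carries only a time of day, so the
    date (and the UTC offset of EventTime) come from it.
    """
    m = GP_LINE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    hh, mm, ss = (int(x) for x in fields.pop("time").split(":"))
    event_time = now.replace(hour=hh, minute=mm, second=ss,
                             microsecond=int(fields.pop("ms")) * 1000)
    # A time of day later than the clock cannot be from today: the record was
    # written before midnight and read after it, so move it back one day.
    if event_time > now:
        event_time -= timedelta(days=1)
    fields["FileName"] = file_name
    fields["EventTime"] = event_time.isoformat(timespec="microseconds")
    return fields


def parse_log(raw, file_name, now):
    """Decode and parse a whole file, dropping lines that are not Group Policy records."""
    parsed = (parse_line(line, file_name, now) for line in decode_log(raw))
    return [event for event in parsed if event is not None]


if __name__ == "__main__":
    for event in parse_log(SAMPLE_GPMC_LOG, "gpmc.log", SAMPLE_CLOCK):
        print(event)
```

Running the script prints the two parsed records; the first is dated 2019-07-20 although the clock already reads 2019-07-21, and the non-record line is dropped rather than producing a half-filled event.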