ACS Event Transformation Demystified

Article
02/27/2008

I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS.

Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector. Transformation instructions are all stored on the collector in a file called EventSchema.xml which is in the AdtServer directory (%windir%\system32\security\adtserver). This file is pointed to in the collector’s registry and is read during startup of the collector service; failure to successfully read and parse this file at startup is a fatal error for the collector (the debug log will complain about parsing).

The collector reads EventSchema.xml and builds in-memory binary tables of event transformation instructions and event string types by OS version/event log/event source.

The collector (as explained elsewhere) also reads AcsConfig.xml to get its persistent state and configuration for all known agents, to know what logs/sources to collect for each agent/agent group, etc. This is all read into in-memory state for each agent.

At connect time, the agent sends version information- what the OS and agent version and service pack are, etc. The collector first looks in its in-memory agent state to see what configuration applies to the agent. Then it looks in its transformation tables and extracts the appropriate version-specific transformation instructions for the events that the collector is configured to collect from that agent. Then it packages these instructions and sends them to the agent.

The agent starts reading events, transforming them according to its instructions from the collector, and sending the transformed events to the collector. The collector finishes the transformation, services real-time subscriptions and loads the events into the database as appropriate.

If the agent encounters an event that is it configured to send (by log/source) but does not have transformation instructions for, then it simply builds a copy the event string for string and sends the copy of the event to the collector as an “unschematized” event. The collector will handle this event without problems but will not extract non-header user fields (no primary/client/target user fields) and will not add string type information.

I’ll take Windows Server 2003 (build 3790), Event Log: Security, Event Source: Security, Event ID: 644 as an example.

Here’s the WS03 schema for 644 (excerpt from %systemroot%\system32\security\adtserver\EventSchema.xml in the path “Schema\Log[@Name=’Security’\Source[@Name=’Security’]\Version[@MinBuild=’3790’]\Event[@SourceId=’644’]”).

</Event>

The instructions are all applied in order. “Call” instructions are executed agent-side; “Param” instructions are executed server-side.

These instructions can be translated as:

· Take string 1 from the original event and make it string 1 in the new event. It is of type “typeUserDn”.

· Take string 3 from the original event and make it string 2 in the new event. It is of type “typeComputerName”. Note that we are doing reordering here by appending original string #3 before original string #2. Nifty, eh?

· Take string 2 from the original event and make it string 3 in the new event. It is of type “typeTargetSid”.

· Take string 4 from the original event and make it string 4 in the new event. It is of type “typeClientUser”.

· Take string 5 from the original event and make it string 5 in the new event. It is of type “typeClientDomain”.

· Take string 6 from the original event and make it string 6 in the new event. It is of type “typeClientLogonId”.

· Take string 4 from the original event and treat is as a user name, and take string 5 from the original event and treat it as a domain name, look up the associated SID and make it string 7 in the new event. The new string is of type “typeClientSid”.

· Take string 3 from the new event, treat it as a SID, look up the user/domain name associated with it and append the user name as string 8 to the new event and the domain name as string 9 to the new event. String 8 is of type “typeTargetUser” and String 9 is of type “typeTargetDomain”.

See the reordering? Now here is an instance of the event with the original event data. If you’re not familiar with the XML, it’s the XML output of Crimson, the new eventlog service introduced in Vista/WS08, but this is a WS03 [pre-Crimson] machine; we're looking at a saved event log (evt) file.

<Channel>C:\Users\ericf\AppData\Local\Temp\SERVER34_SecEvts.evt</Channel>

<Computer>SERVER34</Computer>

</System>

<Data>user09</Data> // String 1 – user name

<Data>SERVER34</Data> // String 2 – looks like a machine name, confirmed by string 4

<Data>%{S-1-5-21-5998314728-109421381-169156293-611111}</Data> // String 3 – definitely a SID

<Data>SERVER34$</Data> // String 4 – definitely an account name (machine account)

<Data>CONTOSO</Data> // String 5 – looks like a domain name

<Data>(0x0,0x3E7)</Data> // String 6 – definitely a logon ID

<Data>-</Data> // String 7 – empty null string at the end of the event (ignored by ACS)

</EventData>

</Event>

When the event arrives at the collector, type information is applied, and then the user fields (typePrimary*, typeClient*, typeTarget*) are extracted from the string data section and the strings that are left are re-numbered starting at 1 (no reordering occurs).

Here’s a chart of what the event looks like at the various points in the system. The changes at each step are shown in red.



		Client User		Client User	typeClientUser
		Client Domain		Client Domain	typeClientDomain
		Client Sid		Client Sid	typeClientSid
		Client Login Id		Client Login Id	typeClientLogonId
		Target User		Target User	typeTargetUser
		Target Domain		Target Domain	typeTargetDomain
		Target Sid		Target Sid	typeTargetSid
String01	typeUserDn	String01	typeUserDn	String01	typeUserDn
String02	typeTargetSid	String02	typeComputerName	String02	typeComputerName
String03	typeComputerName	String03	typeTargetSid	String03
String04	typeClientUser	String04	typeClientUser	String04
String05	typeClientDomain	String05	typeClientDomain	String05
String06	typeClientLogonId	String06	typeClientLogonId	String06
String07		String07	typeClientSid	String07
String08		String08	typeTargetUser	String08
String09		String09	typeTargetDomain	String09

To finish off a description of transformation, there are 7 transformation functions, each of which can optionally take 2 integers as parameters. Note that there is no “destination event” field specifier; all references are only to the original event. That’s because when constructing the destination event, any data added to the event is always appended- it is constructed from beginning to end- so the implicit destination field is “at the end of the event as it is now”.

Function	Parameter 1	Parameter 2	Description
AppendString	Reference to a string parameter in the source event in the event log	Unused	Appends the referenced string to the event which will be sent to the collector
AppendStringFromTable	Reference to a constant string in the statically defined <Strings> table (1-based) in the relevant Source\Version element in EventSchema.xml	Unused	Appends the referenced constant string to the event which will be sent to the collector
AppendProcessNameFromPid	Reference to a string parameter in the source event in the event log (source string is expected to be a numeric process ID)	Unused	Looks up the process image path name for the referenced PID and appends it to the event which will be sent to the collector
AppendTimeFromDatetime	Unused	Unused	Not Implemented/No Action
AppendSidFromNames	Reference to a string parameter in the source event in the event log (source string is expected to be a user name)	Reference to a string parameter in the source event in the event log (source string is expected to be a domain name)	Looks up the SID for the account represented by the specified user and domain names, and appends the SID to the event which will be sent to the collector
AppendNamesFromSid	Reference to a string parameter in the source event in the event log (source string is expected to be a security ID)	Unused	Looks up the user name and domain name for the account represented by the specified SID, and appends the user name and the domain name as separate strings to the event which will be sent to the collector
AppendNumber	Unused	Unused	Not Implemented/No Action

Out of range params cause the transformation instruction to be ignored and skipped. Non-integer params or other XML formatting/malformation problem (including non-UTF8 formatting) cause an EventSchema.xml parsing error at collector startup which in turn causes collector startup failure.

So that’s ACS transformation in a nutshell. I hope this helps you guys understand ACS functionality a little better.

Shortly I will finish my write-up on AcsConfig.xml but that is a simple file and not too hard to figure out if you are into experimentation.

Here are some cool things that you can try with the event schema file if you are adventurous:

1. Drop fields. We have modified eventschema.xml successfully to cause it not to collect certain fields (e.g. logon GUIDs) of certain events:

// try deleting a line here

// or, to preserve ordering of subsequent strings

// try replacing “AppendString” with “AppendStringFromTable (param1=1)”

2. Add an event source. Some caveats are:

· You must have a unique, well-formed GUID for the new source

· You have to get events of the new source into the log (try “AuthzReportSecurityEvent” from MSDN)

· You have to modify AcsConfig.xml to tell the agent(s) to collect the new source

NB I have used the C/C++ comment syntax throughout this post but note that ACS does not support either C/C++ nor XML style comments in the XML config files it uses

ACS Event Transformation Demystified

Additional resources