Details
-
New Feature
-
Status: To Do
-
Minor
-
Resolution: Unresolved
-
None
-
None
Description
Create a parser for the Active Directory telemetry source. This data source has 3 formats that should be parsed as specified below:
Required Active Directory fields:
dcName
admonEventType
description
distinguishedName
DC
CN
whenChanged
whenCreated
memberOf
userAccountControl
Sample Active Directory log message:
04/11/2016 17:00:03.182
dcName=wewewew.google.com
admonEventType=Update
Names:
objectCategory=CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=google,DC=com
name=CRA3
distinguishedName=CN=CRA,CN=AzRoleObjectContainer-f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com
cn=CRA
Object Details:
objectGUID=dd4fb895-3672-4f0c-bd73-f41f05205f37
whenChanged=05:00.03 PM, Mon 04/11/2016
whenCreated=04:59.49 PM, Mon 04/11/2016
objectClass=top|msDS-AzRole
Event Details:
uSNChanged=1645647639
uSNCreated=1645647635
instanceType=4
Additional Details:
msDS-AzApplicationData=ptype=g
msDS-TasksForAzRole=CN=role-Unix Sysadmin,CN=AzTaskObjectContainer-636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com
msDS-MembersForAzRole=CN=PAWS_ENVPR_DDEPROD_ADM,OU=Bigdata,OU=Groups,DC=google,DC=com
dSCorePropagationData=16010101000000.0Z
showInAdvancedViewOnly=TRUE
Data after parsing:
{ "timestamp": "April 11th 2016 17:00:03 (NOTE: Timezone unknown. Solve for this)", "hostname": "wewewew", "dcName": "wewewew.google.com", "admonEventType": "Update", "names.objectCategory": "CN=ms-DS-Az-Role,CN=Schema,CN=Configuration,DC=google,DC=com", "names.name": "CRA", "names.distinguishedName": "CN=CRA,CN=AzRoleObjectContainer-f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=f2c06b86-f897-4ca4-ac5e-2762c25c5da4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com", "names.cn": "CRA", "object.objectGUID": "dd4fb895-3672-4f0c-bd73-f41f05205f37", "object.whenChanged": "05:00.03 PM, Mon 04/11/2016", "object.whenCreated": "04:59.49 PM, Mon 04/11/2016", "object.objectClass": "top|msDS-AzRole", "event.uSNChanged": "1645647639", "event.uSNCreated": "1645647635", event.instanceType": "4", "additional.msDS-AzApplicationData": "ptype=g", "additional.msDS-TasksForAzRole": "CN=role-Unix Sysadmin,CN=AzTaskObjectContainer-636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=636cb236-cdb1-443b-bfb3-7683dd85b2f4,CN=Authorization,CN=Corporate,OU=Zones,OU=UNIX,DC=google,DC=com", "additional.msDS-MembersForAzRole": "CN=PAWS_ENVPR_DDEPROD_ADM,OU=Bigdata,OU=Groups,DC=google,DC=com", "additional.dSCorePropagationData": "16010101000000.0Z", "additional.showInAdvancedViewOnly": "TRUE" }