KBI 311894 Issue Addressed: Empty User Data When Archiving Some Windows Vista-Style Event Logs

Version

Argent Advanced Technology 5.1A-2010-D or earlier

Date

Wednesday, 30 Dec 2020

Summary

When the Argent for Compliance engine archives Windows Event Logs, it saves User Data in the column ‘USER_DATA_TX1024’ (column type ‘XML’) of the SQL table ‘ARGSOFT_COMPLIANCE_LOG_ARCHIVE’.

A Windows Event Log message is composed of a fixed message template and insertion strings carrying the user data. Storing the user data in an XML column makes reporting much easier, because the composed message text never has to be parsed.

Microsoft introduced the Vista-style Event Log format with Windows Server 2008 and Windows Vista. It provides an XML view of each event, including its user data.

Most event logs store user data under the XPath ‘/Event/EventData/Data’, and Argent AT uses this XPath to read the information. For example,

However, some event logs have been found to use a different XPath. For example, the Event Log ‘Microsoft-Windows-TerminalServices-LocalSessionManager/Operational’ uses the XPath ‘/Event/UserData/EventXML’.

In such cases, the Argent AT engine was unable to retrieve the user data. As a result, the USER_DATA_TX1024 column was left empty.

The issue has been addressed in Argent AT 5.1A-2101-A and later.

Technical Background

Since Microsoft or a third-party Event Log provider might use yet another XPath in the future, Argent AT has been enhanced to allow a custom XPath to be specified for User Data.

Note:

1. The issue affects the User Data column only; the Event Log message text was archived correctly.

2. Both XPaths ‘/Event/EventData/Data’ and ‘/Event/UserData/EventXML’ work out of the box in Argent AT 5.1A-2101-A. The Custom XPath option exists only to accommodate other XPaths that may appear in the future.

3. The Custom XPath option is only available when the method ‘Vista Event Log API’ is selected explicitly.
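The following is an added example, not Argent code, illustrating the two user-data layouts described in the Summary and the custom-XPath fallback described in the Technical Background. It reads the XML view of an event, tries an optional custom XPath first and then the two built-in ones, and returns the user data as a name/value dictionary. The three sample events are constructed for this example (not captured from a real system); the ‘VendorPayload’ element and the `custom_xpath` parameter are hypothetical stand-ins for a future provider and for the product's Custom XPath option. Matching is done by local element name because the EventXML container declares its own xmlns, which would otherwise defeat a naive namespaced lookup.

```python
"""Extract Vista-style Event Log user data by XPath, falling back across the
two known layouts and an optional custom XPath (added example, not Argent code)."""
import xml.etree.ElementTree as ET

# XPaths named in the KB article: the common layout and the TerminalServices one.
DEFAULT_XPATHS = ("/Event/EventData/Data", "/Event/UserData/EventXML")


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}Data' -> 'Data')."""
    return tag.rsplit("}", 1)[-1]


def _select(root, xpath):
    """Minimal absolute-XPath walker matching each step by local element name.
    Namespace-agnostic on purpose: EventXML payloads carry their own xmlns."""
    steps = [s for s in xpath.split("/") if s]
    if not steps or _local(root.tag) != steps[0]:
        return []
    nodes = [root]
    for step in steps[1:]:
        nodes = [child for node in nodes for child in node if _local(child.tag) == step]
    return nodes


def extract_user_data(event_xml, xpaths=DEFAULT_XPATHS, custom_xpath=None):
    """Return the event's user data as {field: value}; {} if no XPath matched.

    custom_xpath is a hypothetical equivalent of the product's Custom XPath
    option: it is tried first, then the built-in XPaths in order."""
    root = ET.fromstring(event_xml)
    candidates = ([custom_xpath] if custom_xpath else []) + list(xpaths)
    for xpath in candidates:
        data = {}
        for node in _select(root, xpath):
            children = list(node)
            if children:
                # Container layout (UserData/EventXML): each child element is a field.
                for child in children:
                    data[_local(child.tag)] = (child.text or "").strip()
            else:
                # Leaf layout (EventData/Data): field name sits in the Name attribute.
                data[node.get("Name") or f"Data{len(data)}"] = (node.text or "").strip()
        if data:
            return data
    return {}


# Constructed sample events (not captured from a real system), shaped like the
# two layouts the article describes plus a hypothetical third-party provider.
SECURITY_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>"""

TS_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"/><EventID>21</EventID></System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <User>CONTOSO\\alice</User>
      <SessionID>2</SessionID>
      <Address>192.0.2.10</Address>
    </EventXML>
  </UserData>
</Event>"""

VENDOR_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Example-Vendor-Firewall"/><EventID>1001</EventID></System>
  <UserData>
    <VendorPayload>
      <Device>fw-01</Device>
      <Action>deny</Action>
    </VendorPayload>
  </UserData>
</Event>"""


if __name__ == "__main__":
    print("EventData/Data   :", extract_user_data(SECURITY_EVENT))
    print("UserData/EventXML:", extract_user_data(TS_EVENT))
    # Pre-fix behaviour: only the first XPath is known, so the TS event comes back empty.
    print("old engine, TS   :", extract_user_data(TS_EVENT, xpaths=("/Event/EventData/Data",)))
    # Unknown provider layout: empty until a custom XPath is supplied.
    print("vendor, default  :", extract_user_data(VENDOR_EVENT))
    print("vendor, custom   :", extract_user_data(VENDOR_EVENT, custom_xpath="/Event/UserData/VendorPayload"))
```

The third call reproduces the pre-fix symptom: with only ‘/Event/EventData/Data’ known, the TerminalServices event yields an empty result, which is exactly what an empty USER_DATA_TX1024 column looks like to a report that filters on session user or source address. The last two calls show why a custom XPath is still worth keeping even though both built-in paths now work.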

Resolution

Upgrade to Argent AT 5.1A-2101-A or later.