The Apache Software Foundation disclosed and fixed a critical, actively exploited zero-day vulnerability in Log4j. It affects the widely used, Java-based Apache Log4j logging library. Tracked as CVE-2021-44228, the vulnerability carries a perfect 10 on the CVSS rating. Because the library is embedded in so much software, the vulnerability impacts products from many publishers and manufacturers.
The report below lists all event log entries whose message text contains the string “log4j”. The accuracy of the report depends heavily on which event logs you are scanning and on how Windows event logging is configured on the scanned assets.
One way to improve the coverage of your logging is to enable Audit Process Creation. With that enabled, and with scanning of success audit events enabled as well, the report can also pick up event 4688(S): A new process has been created.
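As an added example that is not part of the Lansweeper report, the following PowerShell applies the two settings described above on a Windows host and then runs a local query over event 4688 using the same “log4j” substring match as the report. The registry policy key and the 7-day window are assumptions.

```powershell
# Added example (not from the Lansweeper report). Run as Administrator on the
# Windows host whose Security log is scanned.

# 1. Enable success auditing for the "Process Creation" subcategory (event 4688).
auditpol.exe /set /subcategory:"Process Creation" /success:enable

# 2. Record the full command line in 4688 events. Without this the event only
#    carries the image path, so arguments such as -Dlog4j... never reach the log.
#    Assumption: the policy key may not exist yet, hence New-Item -Force.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Value 1 -PropertyType DWord -Force | Out-Null

# 3. Local equivalent of the report's "Message like '%log4j%'" filter over 4688.
#    -match is case-insensitive by default, so "Log4j" and "log4j" both match.
#    The 7-day look-back window is an assumption.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
    -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    if ($e.Message -notmatch 'log4j') { continue }
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        TimeGenerated = $e.TimeCreated
        Computer      = $e.MachineName
        User          = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        NewProcess    = $d['NewProcessName']
        CommandLine   = $d['CommandLine']
        Parent        = $d['ParentProcessName']
    }
}
$hits | Sort-Object TimeGenerated | Format-Table -AutoSize
```

A 4688 hit only appears when “log4j” is present in the process name or command line; a Java application that loads log4j from a jar on its classpath or inside a WAR produces no such entry, so an empty result means “not observed”, not “not present”.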
Read more about how you can minimize your risk to Log4j in our Log4j blog post.
2021-12-14:
– fixed typo “4logj” to the correct log4j
Log4j Event Log Audit Query
-- Lists every scanned Windows event log entry whose message mentions "log4j",
-- together with the asset it was found on and the last scanning error (if any).
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message,
  tblNtlog.TimeGenerated,
  -- Show the most recent scanning error for the asset, or an empty string.
  Case
    When tblErrors.ErrorText Is Not Null Or
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
    tblAssets.LocationID
  -- Event log entries, their message text and their source name.
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID =
    tblNtlog.SourcenameID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Latest error record per asset (highest Teller value).
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
-- Active assets only; substring match on the event message text.
Where tblAssetCustom.State = 1 And tblNtlogMessage.Message Like '%log4j%'
Order By tblAssets.Domain,
  tblAssets.AssetName