Find Log4j Event Log Entries
The Apache Software Foundation disclosed and fixed a critical, actively exploited zero-day vulnerability in Apache Log4j, the widely used Java-based logging library. Tracked as CVE-2021-44228 (commonly called Log4Shell), it carries the maximum CVSS score of 10.0. Because the library is embedded in so much software, the vulnerability affects products from many publishers and manufacturers.
The report below lists every scanned event log entry whose message contains the string "log4j". Its accuracy depends heavily on which event logs and event types you are scanning and on how Windows event logging is configured on the assets: the report can only find what was logged on the machine and later collected by a scan.
One way to improve coverage is to enable Audit Process Creation. With that enabled, and with scanning of success audit events also enabled, event 4688(S): A new process has been created is collected and can be searched. Note that by default 4688 records only the path of the new executable; to capture the full command line, which is where a Log4j jar or classpath entry is most likely to appear, also enable the "Include command line in process creation events" policy.
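The following PowerShell is an added example for the procedure described above; it is not part of the original Lansweeper report and is not Lansweeper code. It enables Audit Process Creation and command-line capture on a single Windows host, verifies the audit setting, and then searches that host's own Security log for 4688 events mentioning log4j. It assumes an elevated PowerShell 5.1 or later session and that the local security policy is not overridden by Group Policy.

```powershell
# Added example, not from the original page. Run elevated on the Windows host.
# Assumptions: local policy is authoritative (no GPO overrides), PowerShell 5.1+.

# 1. Enable Audit Process Creation (success) so event 4688 is written at all.
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Without this policy 4688 carries only the image path; the "log4j" string
#    usually appears in the command line (e.g. "-cp ...\log4j-core-2.14.1.jar").
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Confirm the audit subcategory is now set to "Success".
auditpol.exe /get /subcategory:"Process Creation"

# 4. Search 4688 events from the last 7 days and pull the relevant EventData
#    fields out of the event XML (SubjectUserName, NewProcessName, CommandLine
#    are the documented field names for this event).
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?i)log4j' } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Computer    = $_.MachineName
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            NewProcess  = $d['NewProcessName']
            CommandLine = $d['CommandLine']
        }
    } | Format-Table -AutoSize -Wrap
```

If "Audit Process Creation" or "Include command line in process creation events" is managed by Group Policy, set them there instead; a local change is overwritten at the next policy refresh. Events written after these settings take effect only show up in the Lansweeper report once the asset's event log has been rescanned with success audit events included.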
Read more about how you can minimize your risk to Log4j in our Log4j blog post.
- Fixed typo "4logj" to the correct "log4j".
Log4j Event Log Audit Query
-- Lists every scanned event log entry whose message contains "log4j",
-- together with the asset it came from and the last scanning error, if any.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblNtlog.Eventcode,
  tblNtlogSource.Sourcename,
  tblNtlogMessage.Message,
  tblNtlog.TimeGenerated,
  Case
    When tblErrors.ErrorText Is Not Null And tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID = tblAssets.LocationID
  Inner Join tblNtlog On tblAssets.AssetID = tblNtlog.AssetID
  Inner Join tblNtlogMessage On tblNtlogMessage.MessageID = tblNtlog.MessageID
  Inner Join tblNtlogSource On tblNtlogSource.SourcenameID = tblNtlog.SourcenameID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Most recent error per asset (highest Teller), joined back for its text.
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType
-- State = 1 restricts the report to active assets; the Like filter is case-insensitive
-- under the default SQL Server collation and matches "log4j" anywhere in the message.
Where tblAssetCustom.State = 1 And tblNtlogMessage.Message Like '%log4j%'
Order By tblAssets.Domain,
  tblAssets.AssetName