Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw
Explorer

I'm trying to perform a seemingly simple task, which is to search for failed logins in my AD environment. Here's the search I used, found in another Answer:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"

Great! I found some failed logins. Now I want specific information out of this event, which is the "Account Name" of the user who's having a problem. Ewwww, but with Microsoft's lovely log format, they so graciously supply TWO "Account Name" fields with the same name:

11/15/10 03:41:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=SERVERNAME.DOMAIN.NAME
TaskCategory=Logon
OpCode=Info
RecordNumber=30965331
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SERVERNAME$  <-- 1st occurrence
    Account Domain:     DOMAIN
    Logon ID:       0x3e7

Logon Type:         8

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       username    <-- 2nd occurrence
    Account Domain:     domain.name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x1a40
    Caller Process Name:    C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: 11.22.33.44
    Source Port:        2453

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
<snip>

I want that second occurrence of "Account Name" (which holds username). Now you may already be thinking, hey buddy this question has been asked before -- go search because the answers out there (one, two) are to use "| eval newVar=mvindex(Account_Name,1)"...

...but hear me out. It's not behaving as expected.

So I adjust my search to store the 2nd occurrence of "Account Name" in a new variable and dump them into a table:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| eval newVar=mvindex(Account_Name,1)
| table Account_Name newVar

Here's the problem: this results in

SERVERNAME$    <blank>    

I can't get the value of the 2nd occurrence. Reading the documentation on Parse Fields With Multiple Values doesn't shed any light on my problem.

So I tried grabbing the last value; "newVar=mvindex(Account_Name,-1)" but that outputs blank as well. So I start to question if mvindex is doing anything... ...but the strange thing is that this "newVar=mvindex(Account_Name,0)" seems to store/retrieve just fine despite it not being the data I want.

Can someone point me in the right direction? Thanks in advance.

Running 4.1.5 Linux x86_64


ziegfried Solution

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<Wanted_Account>\V+)"
| table _time Account_Name Wanted_Account ComputerName Failure_Reason src_ip Workstation_Name
ziegfried
Influencer

An option is to extract the Account Name after the occurrence of "Account For Which Logon Failed":

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<wanted_account>\V+)"
| table wanted_account
0 Karma

aberdamy
Explorer

How do I combine this with the "User_Name" field from the Windows 2003 "529" events? I want to create a top 10 count by the UserName + Account_Name

0 Karma

pstraw
Explorer

Your query is working now. Edit to remove the stray in EventCode<="537".

0 Karma

ziegfried
Influencer

I forgot to add the multiline and dot-all flags to the regex. I've edited the search expression above.

0 Karma

pstraw
Explorer

wanted_account in the Results Table returns blank for this query.

0 Karma

pstraw
Explorer

Account_Name in the Events Table/View shows the 1st occurrence which typically is "-" or SERVERNAME$

Am I correct in my understanding that in the Events view/table you cannot display custom/new variables? Will those only display in the Results view/table?

0 Karma

hulahoop
Splunk Employee

When you show Account_Name as an enabled field in the Event Viewer, do you get multiple occurrences of Account_Name or just 1 occurrence with the value being the 1st extraction (SERVERNAME$)?

0 Karma

bwooden
Splunk Employee

How are you extracting the Account_Name field(s)?
What does this return?

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)" 
| eval Wanted_Account=mvindex(Account_Name,1)
| table Wanted_Account
0 Karma
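As an added example (not code from this thread, from Splunk, or from either poster), the two rex approaches above replayed in Python over constructed 4625 message bodies: ziegfried's anchored extraction after the "Account For Which Logon Failed:" header, and bwooden's unanchored extraction of every "Account Name:" value followed by taking index 1, which is what mvindex(Account_Name,1) does. Python's re module has no \V escape, so [^\r\n]+ stands in for PCRE's \V+; the function names, the make_4625 helper and the sample events are mine.

```python
import re
from collections import Counter

# Python's re module has no \V escape; [^\r\n]+ is the equivalent of PCRE's \V+.
# Anchored extraction (ziegfried's rex): skip to the "Account For Which Logon
# Failed:" block header, then take the next "Account Name:" value. re.S makes
# "." cross line breaks, which is what the (?s) flag in the rex does.
TARGET_ACCOUNT_RE = re.compile(
    r"Account For Which Logon Failed:.+?Account Name:\s+([^\r\n]+)", re.S
)
# Unanchored extraction (bwooden's rex with max_match=99): every "Account Name:"
# value in document order. \w+\$? only matches word characters plus an optional
# trailing $ for machine accounts.
ALL_ACCOUNT_NAMES_RE = re.compile(r"Account Name:\s+(\w+\$?)")


def extract_failed_account(event):
    """Account the logon failed for, or None if the block is absent."""
    m = TARGET_ACCOUNT_RE.search(event)
    return m.group(1).strip() if m else None


def extract_all_account_names(event):
    """All Account Name values in document order (the multivalue field)."""
    return ALL_ACCOUNT_NAMES_RE.findall(event)


def second_account_name(event):
    """Equivalent of eval newVar=mvindex(Account_Name,1): None when no 2nd value."""
    names = extract_all_account_names(event)
    return names[1] if len(names) > 1 else None


def count_failed_logons(events):
    """Failures per target account, for a 'top N accounts' style report."""
    return Counter(
        acct for acct in (extract_failed_account(e) for e in events) if acct
    )


def make_4625(subject_sid, subject, target, logon_type, src_ip):
    """Constructed 4625 message body in the layout shown in the post (sample data)."""
    return (
        "EventCode=4625\n"
        "Keywords=Audit Failure\n"
        "Message=An account failed to log on.\n\n"
        "Subject:\n"
        f"    Security ID:        {subject_sid}\n"
        f"    Account Name:       {subject}\n"
        "    Account Domain:     DOMAIN\n"
        "    Logon ID:       0x3e7\n\n"
        f"Logon Type:         {logon_type}\n\n"
        "Account For Which Logon Failed:\n"
        "    Security ID:        S-1-0-0\n"
        f"    Account Name:       {target}\n"
        "    Account Domain:     domain.name\n\n"
        "Failure Information:\n"
        "    Failure Reason:     Unknown user name or bad password.\n"
        "    Status:         0xc000006d\n"
        "    Sub Status:     0xc000006a\n\n"
        "Network Information:\n"
        "    Workstation Name:   SERVERNAME\n"
        f"    Source Network Address: {src_ip}\n"
    )


# Constructed events: the first mirrors the post (machine-account subject); the
# others use the "-" subject pstraw mentions, and one has a dotted user name.
SAMPLE_EVENTS = [
    make_4625("S-1-5-18", "SERVERNAME$", "username", 8, "11.22.33.44"),
    make_4625("S-1-0-0", "-", "john.doe", 3, "10.0.0.5"),
    make_4625("S-1-0-0", "-", "username", 3, "10.0.0.5"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_all_account_names(ev), second_account_name(ev),
              extract_failed_account(ev))
    print(count_failed_logons(SAMPLE_EVENTS).most_common(10))
```

Running it shows why anchoring is the safer of the two: on the event with a "-" subject, \w+\$? never matches the first Account Name, so the multivalue field has only one entry and index 1 is empty, exactly the blank the question describes; and \w+ cuts "john.doe" down to "john". The anchored pattern returns the full target account regardless of how many Account Name fields precede it.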

pstraw
Explorer

Thank you bwooden! Your rex helped.

0 Karma

pstraw
Explorer

Added results of your query to the original post. Sure wish there was a code tag function in comments. Thanks for your help so far.

0 Karma