I'm playing with WinEventLog:Security source, and I found a "-" username that altered my statistics.
In a generic logon log there is a section with this user, and I'm looking for a way to remove it and clean/normalize my logs before they are indexed.
An example:
09/15/2011 01:41:18 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=DC.domain.local
TaskCategory=Logon
OpCode=Info
RecordNumber=22396221
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-21-1759315991-2675907183-3548838191-1129
Account Name: username
Account Domain: DOMAIN
Logon ID: 0x155b3446
Logon GUID: {FBB0AB00-6A66-14F3-0CF8-6709832A3FB8}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: 10.x.y.z
Source Port: 50233
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
How can I remove the section:
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
from my log?
Regards
bizza
You might want to consider changing the search for your statistics to not include events where the Account Name/Domain fields are equal to a -.
The other option is to take a look at using the SEDCMD parameter in your props.conf file and create a sed script to re-write those lines.
For example:
s/Account\sName:\s+\-//g
This would replace the "Account Name: -" line with an empty line.
Another option is to use a script (bash, batch, python, powershell, perl, etc.) to clean up the event before it is indexed to remove that particular section.
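An added example, not from the original thread: a Python version of the pre-index cleanup script the answer mentions, run over a constructed 4624 event modelled on the one in the question. It removes the placeholder Subject block only when its Account Name is "-", and also shows the other option, crediting each logon to the New Logon account so the "-" subject never reaches the statistics.

```python
# Constructed sample, modelled on the 4624 event quoted in the question (not real data).
SAMPLE_EVENT = """\
EventCode=4624
Message=An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-21-1759315991-2675907183-3548838191-1129
Account Name: username
Account Domain: DOMAIN
Logon ID: 0x155b3446
Network Information:
Workstation Name:
Source Network Address: 10.0.0.1
"""

# Block headers of the 4624 message; "Workstation Name:" also ends in a colon but is a field.
SECTIONS = {"Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information"}
SUBJECT_FIELDS = ("Security ID:", "Account Name:", "Account Domain:", "Logon ID:")


def parse_sections(event):
    """Return {section: {field: value}}; lines before any header go under ''."""
    sections, current = {"": {}}, ""
    for raw in event.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
            sections[current] = {}
        elif ":" in line and "=" not in line.split(":", 1)[0]:  # skip key=value lines
            field, value = line.split(":", 1)
            sections[current][field.strip()] = value.strip()
    return sections


def effective_account(event):
    """Credit the logon to the New Logon account, not the S-1-0-0 / '-' subject."""
    new_logon = parse_sections(event).get("New Logon", {})
    name, domain = new_logon.get("Account Name", "-"), new_logon.get("Account Domain", "-")
    return None if name == "-" else f"{domain}\\{name}"


def strip_placeholder_subject(event):
    """Drop 'Subject:' and its four fields when Account Name is '-'; keep real subjects."""
    lines = event.splitlines()
    if "Subject:" not in lines:
        return event
    start = lines.index("Subject:")
    end = start + 1
    while end < len(lines) and lines[end].startswith(SUBJECT_FIELDS):
        end += 1
    if "Account Name: -" not in lines[start:end]:
        return event
    return "\n".join(lines[:start] + lines[end:]) + "\n"
```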