Hello list,
I have a requirement where I imported a Windows Event log (CSV format) into Splunk, and now I need to extract specific fields out of that log. I tried field extraction, newbie alert, and went nowhere... will appreciate it if someone can help me with this.
Requirement: need to report on Logon ID and Workstation type used by that Logon ID.
Here's how the logs look:
1:02:58.000 PM Information 12/30/2010 1:02:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: XXXXXXXX
Account Domain: CORP
Logon ID: 0x3e7
Logon Type: 8
New Logon:
Security ID: XXXX\XXXXX
Account Name: EEEEEEE
Account Domain: CORP
Logon ID: 0x1d34affb6
Logon GUID: {8BBCB019-8C3B-F16A-8DBB-702C6D5840DE}
Process Information:
Process ID: 0x2694
Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: XXXXXXX
Source Network Address: 11.11.11.11
Source Port: 11099
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Hm, that doesn't really look like proper CSV - for instance it doesn't have commas separating the fields!
But, the following regex should work for extracting the Logon ID:
Logon ID:\s*(?<logon_id>\S+)
And correspondingly for Workstation Name:
Workstation Name:\s*(?<workstation_name>\S+)
Apply this using either the interactive field extractor, or by using the rex operator.
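As an added illustration (not from the thread), the same two extractions in Python rather than rex, run over a constructed copy of the posted event. It also handles a point the single rex pattern does not: a 4624 event carries two "Logon ID:" lines (Subject and New Logon), so the example reports both.

```python
import re

# Constructed sample in the layout of the event posted in the question
# (placeholder names and addresses copied from the post).
SAMPLE_EVENT = """\
12/30/2010 1:02:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: XXXXXXXX
Account Domain: CORP
Logon ID: 0x3e7
Logon Type: 8
New Logon:
Security ID: XXXX\\XXXXX
Account Name: EEEEEEE
Account Domain: CORP
Logon ID: 0x1d34affb6
Network Information:
Workstation Name: XXXXXXX
Source Network Address: 11.11.11.11
Source Port: 11099
"""

# Same patterns as the answer's rex expressions (with the stray ')' removed);
# Python spells a named group (?P<name>...) where Splunk accepts (?<name>...).
LOGON_ID_RE = re.compile(r"Logon ID:\s*(?P<logon_id>\S+)")
WORKSTATION_RE = re.compile(r"Workstation Name:\s*(?P<workstation_name>\S+)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(?P<logon_type>\d+)")


def _first(pattern, text, group):
    """Return the named group of the first match, or None if there is none."""
    m = pattern.search(text)
    return m.group(group) if m else None


def extract_logon_fields(event):
    """Pull the reporting fields out of one multi-line 4624 event.

    A first-match 'Logon ID:' extraction over the whole event returns the
    Subject's ID (0x3e7, the SYSTEM logon), not the account that logged on,
    so the text is split at 'New Logon:' and each half is searched on its own.
    """
    subject, _, new_logon = event.partition("New Logon:")
    return {
        "subject_logon_id": _first(LOGON_ID_RE, subject, "logon_id"),
        "new_logon_id": _first(LOGON_ID_RE, new_logon, "logon_id"),
        "logon_type": _first(LOGON_TYPE_RE, event, "logon_type"),
        "workstation_name": _first(WORKSTATION_RE, event, "workstation_name"),
    }
```

If Splunk is given the same text, a rex extraction with only the first pattern yields the Subject's Logon ID; in SPL the same split can be done by anchoring the pattern after "New Logon:".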
Do you have the Windows app installed? If not, I believe it should take care of all of these extractions for you. You can install it even if your splunk instance is on *nix.
Are these separate lines treated as separate events as well now, or do you have some line breaking rules in place that make sure they're all part of the same event? If it's the former I'd suggest that you look into the transaction command, perhaps something like "| transaction startswith='Subject:'". In the latter case the field extractions should work fine.
My bad, this is not a CSV; the Windows Event log is saved as a text log, and I imported it into the Splunk monitor using "upload a local file".
Not sure how to attach a file with this question...
Ahhh, I don't know how this got formatted... all these vars are on separate lines.