Windows Events Log

ashishv
Explorer

Hello list,

I have a requirement where I imported a Windows Event log (CSV format) into Splunk, and now I need to extract specific fields out of that log. I tried field extraction (newbie alert) and went nowhere... Will appreciate it if someone can help me with this.

Requirement: need to report on Logon ID and Workstation type used by that Logon ID.

Here's how the logs look:

1:02:58.000 PM Information 12/30/2010 1:02:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       XXXXXXXX
    Account Domain:     CORP
    Logon ID:       0x3e7

Logon Type:         8

New Logon:
    Security ID:        XXXX\XXXXX
    Account Name:       EEEEEEE
    Account Domain:     CORP
    Logon ID:       0x1d34affb6
    Logon GUID:     {8BBCB019-8C3B-F16A-8DBB-702C6D5840DE}

Process Information:
    Process ID:     0x2694
    Process Name:       C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:   XXXXXXX
    Source Network Address: 11.11.11.11
    Source Port:        11099

Detailed Authentication Information:
    Logon Process:      Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
1 Solution

Ayn
Legend

Hm, that doesn't really look like proper CSV - for instance it doesn't have commas separating the fields!

But, the following regex should work for extracting the Logon ID:

Logon ID:\s*(?<logon_id>\S+)

And correspondingly for Workstation Name:

Workstation Name:\s*(?<workstation_name>\S+)

Apply this using either the interactive field extractor, or by using the rex operator.


mw
Splunk Employee

Do you have the Windows app installed? If not, I believe it should take care of all of these extractions for you. You can install it even if your splunk instance is on *nix.



Ayn
Legend

Are these separate lines treated as separate events as well now, or do you have some line breaking rules in place that make sure they're all part of the same event? If it's the former I'd suggest that you look into the transaction command, perhaps something like "| transaction startswith='Subject:'". In the latter case the field extractions should work fine.

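A worked version of the two Ayn posts above (the rex-style patterns and the point about the whole event having to be one Splunk event), as an added example that is not code from this thread or from Splunk. It runs the patterns in Python's re module over a constructed 4624 event laid out like the one in the question (account and host names are placeholders; the Logon IDs, GUID, process and address are the ones shown there). The group syntax (?P<name>...) is accepted by both Python and the PCRE engine behind Splunk's rex, so the patterns can be pasted into a rex "..." unchanged. The caveat it demonstrates: a bare "Logon ID:" pattern matches twice in a 4624 event, first under Subject (the session that performed the logon, here SYSTEM for w3wp.exe) and then under New Logon (the session of the account that actually logged on); rex keeps only the first match by default, so the reporting field has to be anchored to the New Logon block, which only works if the event was not split into one Splunk event per line. The rex_first/extract_4624 names and the logon-type lookup are this example's own.

```python
"""Field extraction for a Windows Security event 4624 as imported into Splunk.

Added example; not code from the original thread or from Splunk. The sample event
is constructed to mirror the one in the question (names are placeholders).
"""
import re

# Constructed sample: one multi-line 4624 event in the layout shown in the question.
SAMPLE_4624 = """An account was successfully logged on.

Subject:
    Security ID:        SYSTEM
    Account Name:       WEBSRV01$
    Account Domain:     CORP
    Logon ID:       0x3e7

Logon Type:         8

New Logon:
    Security ID:        CORP\\jdoe
    Account Name:       jdoe
    Account Domain:     CORP
    Logon ID:       0x1d34affb6
    Logon GUID:     {8BBCB019-8C3B-F16A-8DBB-702C6D5840DE}

Process Information:
    Process ID:     0x2694
    Process Name:       C:\\Windows\\System32\\inetsrv\\w3wp.exe

Network Information:
    Workstation Name:   WEBSRV01
    Source Network Address: 11.11.11.11
    Source Port:        11099
"""

# The patterns from the accepted answer, in (?P<name>...) form.
# A bare "Logon ID:" matches the Subject block first; with rex's default
# max_match=1 that yields 0x3e7 (the SYSTEM session), not the new session.
NAIVE_LOGON_ID = re.compile(r"Logon ID:\s*(?P<logon_id>\S+)")
WORKSTATION = re.compile(r"Workstation Name:\s*(?P<workstation_name>\S+)")

# Section-anchored patterns: skip ahead to the "New Logon:" block first.
# (?s) lets '.' cross line breaks, which a multi-line event requires, so these
# only work when the whole event is a single Splunk event (correct line breaking).
NEW_LOGON_ID = re.compile(r"(?s)New Logon:.*?Logon ID:\s*(?P<new_logon_id>\S+)")
NEW_ACCOUNT = re.compile(r"(?s)New Logon:.*?Account Name:\s*(?P<new_account>\S+)")
LOGON_TYPE = re.compile(r"Logon Type:\s*(?P<logon_type>\d+)")
SRC_ADDR = re.compile(r"Source Network Address:\s*(?P<src_ip>\S+)")

# Numeric Logon Type values as documented for Windows security auditing.
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}


def rex_first(pattern, event):
    """Mimic `| rex` with its default max_match=1: first match only, fields as a dict."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def extract_4624(event):
    """Pull the fields the question asks for, reading Logon ID from the New Logon block."""
    fields = {}
    for pat in (NEW_LOGON_ID, NEW_ACCOUNT, LOGON_TYPE, SRC_ADDR, WORKSTATION):
        fields.update(rex_first(pat, event))
    if "logon_type" in fields:
        fields["logon_type_name"] = LOGON_TYPE_NAMES.get(int(fields["logon_type"]), "Unknown")
    return fields


if __name__ == "__main__":
    print("naive Logon ID :", rex_first(NAIVE_LOGON_ID, SAMPLE_4624))
    print("anchored fields:", extract_4624(SAMPLE_4624))
```

In SPL the same two anchored patterns become | rex "(?s)New Logon:.*?Logon ID:\s*(?P<new_logon_id>\S+)" | rex "Workstation Name:\s*(?P<workstation_name>\S+)" followed by something like | stats values(workstation_name) by new_logon_id for the report. Logon Type 8 (NetworkCleartext) together with w3wp.exe as the process is what an IIS basic-authentication logon looks like, which is worth knowing when reading these fields.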

ashishv
Explorer

My bad, this is not a CSV. The Windows Event log is saved as a text log, and I imported it in the Splunk monitor using "Upload a local file".

Not sure how to attach a file to this question...


ashishv
Explorer

Ahhh, I don't know how this got formatted... all these vars are on separate lines.
