How do I parse AppLocker Windows Event Log? renderXml works, KV_mode = xml does not [Applocker]

mdsbmgf
New Member

I've been able to get the data from the AppLocker log into Splunk. A search with the data source piped into | xmlkv results in the expected result. I am trying to get the data into separate fields so | xmlkv does not have to be used. I've entered KV_mode=xml in props.conf for the datasource, which does not work. I've also tried writing regex and transforms, but have not been successful with either. The end result I am going for is to have Splunk parse out the different fields. Plz....haaalp....I'm very new to Splunk and have been trying over the last few days to solve this.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-AppLocker' Guid='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'/>
        <EventID>8002</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime='2016-05-16T18:31:15.732349300Z'/>
        <EventRecordID>441</EventRecordID>
        <Correlation/>
        <Execution ProcessID='4164' ThreadID='5772'/>
        <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
        <Computer>xxxxxxxxxxxxxxxxxxx</Computer>
        <Security UserID='S-0-0-00-0000000000-0000000000-00000000-000000'/>
    </System>
    <UserData>
        <RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>
            <PolicyName>EXE</PolicyName>
            <RuleId>{A61C8B2C-A319-4CD0-9690-D2177CAD7B51}</RuleId>
            <RuleName>(Default Rule) All files located in the Windows folder</RuleName>
            <RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl>
            <TargetUser>S-0-0-00-0000000000-0000000000-00000000-000000</TargetUser>
            <TargetProcessId>4904</TargetProcessId>
            <FilePath>%SYSTEM32%\NOTEPAD.EXE</FilePath>
            <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
            <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NOTEPAD.EXE\6.3.9600.17930</Fqbn>
        </RuleAndFileData>
    </UserData>
</Event>
0 Karma

mikaelbje
Motivator

Do you have the Splunk Add-on for Microsoft Windows ( https://splunkbase.splunk.com/app/742 ) installed on your Search Head?

It defines the following sourcetype stanza in props.conf, which I believe should auto-extract this for you (given that your sourcetype is "XmlWinEventLog:*"):

[(?::){0}XmlWinEventLog:*]

If this doesn't work out of the box with the add-on, could you try adding the following to Splunk_TA_windows?

local/transforms.conf:

[userdata_props_xml_kv]
# Extracts anything in the form of <tag>value</tag> as tag::value
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1

local/props.conf:

[(?::){0}XmlWinEventLog:*]
REPORT-1xml_kv_extract = userdata_props_xml_kv

This is untested in Splunk, but I tested the regex in an online regex tool and I could see the fields extracted.

0 Karma
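As an added example (not code from this thread or from the Splunk Add-on for Microsoft Windows), the Python below does two things: it flattens the event posted in the question into fields with a real XML parser, and it runs the regex from mikaelbje's proposed transforms.conf stanza over the UserData block to show exactly which tag::value pairs that REPORT extraction would produce. The sample event is a constructed copy modelled on the one in the question, with the same placeholder GUID, SID, computer name and hash; the EventID-to-outcome mapping (8002 allowed, 8003 audit-only, 8004 blocked) is Microsoft's documented meaning for the "EXE and DLL" channel and goes beyond what the thread itself states. Slicing the `<UserData>` element out of the raw text stands in for Splunk's `UserData_Xml` field, which is an assumption about how the add-on populates it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the event in the question; GUID, SID,
# computer name and hash are the same placeholders the poster used.
SAMPLE_EVENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-AppLocker' Guid='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'/>
        <EventID>8002</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime='2016-05-16T18:31:15.732349300Z'/>
        <EventRecordID>441</EventRecordID>
        <Correlation/>
        <Execution ProcessID='4164' ThreadID='5772'/>
        <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
        <Computer>xxxxxxxxxxxxxxxxxxx</Computer>
        <Security UserID='S-0-0-00-0000000000-0000000000-00000000-000000'/>
    </System>
    <UserData>
        <RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>
            <PolicyName>EXE</PolicyName>
            <RuleId>{A61C8B2C-A319-4CD0-9690-D2177CAD7B51}</RuleId>
            <RuleName>(Default Rule) All files located in the Windows folder</RuleName>
            <RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl>
            <TargetUser>S-0-0-00-0000000000-0000000000-00000000-000000</TargetUser>
            <TargetProcessId>4904</TargetProcessId>
            <FilePath>%SYSTEM32%\NOTEPAD.EXE</FilePath>
            <FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
            <Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT WINDOWS OPERATING SYSTEM\NOTEPAD.EXE\6.3.9600.17930</Fqbn>
        </RuleAndFileData>
    </UserData>
</Event>"""

# The regex from mikaelbje's proposed transforms.conf stanza, copied verbatim.
USERDATA_KV_REGEX = re.compile(r"(?ms)<(\w*)>([^<]*)<\/\1>")

# Documented meaning of the AppLocker "EXE and DLL" channel event IDs
# (not stated in the thread; taken from Microsoft's AppLocker documentation).
EXE_DLL_EVENT_MEANING = {
    8002: "allowed",
    8003: "audit-only, would have been blocked under enforcement",
    8004: "blocked",
}


def _local(tag):
    """Strip the namespace prefix: '{ns}EventID' -> 'EventID'."""
    return tag.rsplit("}", 1)[-1]


def parse_applocker_event(xml_text):
    """Flatten one renderXml=true AppLocker event into a dict of fields."""
    root = ET.fromstring(xml_text)
    fields = {}
    for section in root:
        if _local(section.tag) == "System":
            for child in section:
                name = _local(child.tag)
                if child.text and child.text.strip():
                    fields[name] = child.text.strip()
                for attr, value in child.attrib.items():
                    # Attributes become Name_attr, e.g. TimeCreated_SystemTime
                    fields[f"{name}_{attr}"] = value
        elif _local(section.tag) == "UserData":
            for container in section:          # <RuleAndFileData>
                for leaf in container:
                    fields[_local(leaf.tag)] = (leaf.text or "").strip()
    fields["EventID"] = int(fields["EventID"])
    fields["Outcome"] = EXE_DLL_EVENT_MEANING.get(fields["EventID"], "unknown")
    return fields


def regex_extract_userdata(xml_text):
    """Emulate the REPORT transform: apply the regex to the <UserData> block
    (assumed to be what Splunk exposes as UserData_Xml) and return the
    tag::value pairs it yields."""
    start = xml_text.index("<UserData>")
    end = xml_text.index("</UserData>") + len("</UserData>")
    return dict(USERDATA_KV_REGEX.findall(xml_text[start:end]))


if __name__ == "__main__":
    parsed = parse_applocker_event(SAMPLE_EVENT)
    print(f"{parsed['Computer']}: EventID {parsed['EventID']} ({parsed['Outcome']}) "
          f"{parsed['FilePath']} via rule {parsed['RuleName']!r}")
    for tag, value in regex_extract_userdata(SAMPLE_EVENT).items():
        print(f"{tag}::{value}")
```

Two things worth noticing when comparing the outputs. The regex skips `<RuleAndFileData xmlns=...>` because `<(\w*)>` cannot match an opening tag that carries attributes, which is what you want here, but for the same reason it would never capture attribute-only elements such as `TimeCreated`. It also hands back values exactly as they appear in the XML, so a path containing `&amp;` stays encoded, whereas ElementTree decodes it; if a dashboard keys on FilePath or FileHash, that difference decides whether two renderings of the same file line up. For alerting, EventID 8004 (blocked) and 8003 (audit-only, would have been blocked) are the rows a defender wants surfaced; 8002 is the normal allowed-execution baseline.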

thambisetty_bal
Path Finder

Hi,
Add the parameter below to inputs.conf to render events in XML:
[stanza]
index=index_name
# this parameter does the trick
renderXml=true

0 Karma

jpolcari
Communicator

I'm having the same exact issue. Were you able to solve this?

0 Karma