Getting Data In

How To Filter Only administrator logins

angelo82
Explorer

Good evening, I have this problem to solve:
I've installed Splunk Web and a client machine with a Splunk heavy forwarder; how can I forward only administrator logins to the indexer?
We have more than one network administrator user with this suffix: ??admin (instead of the question marks we have two letters).
I need only login, logout and failed login.
Unfortunately I don't understand how the config files work (and technical English is so difficult for me).

I've already read these links but I didn't understand a lot, and the second link is incomplete and doesn't work (surely because I've lost a crucial part of the settings).

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad

http://splunk-base.splunk.com/answers/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-...

This is the first time I need to modify config files without the UI.
If you can tell me the right settings I would be grateful, thank you very much (and I apologize for my possible grammar errors).

1 Solution

lguinn2
Legend

First, you need to know the sourcetype for this data. I assume that the sourcetype is WinEventLog:Security. Second, these configurations should go on the indexer(s) or heavy forwarder - not the Universal Forwarder.

In props.conf:

[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
# Matches every event and sends it to the null queue (discarded).
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
# Runs after setnull because it is listed second in TRANSFORMS-set;
# events matching this regex are put back on the index queue and kept.
REGEX = EventCode=(?:528|529|538)
DEST_KEY = queue
FORMAT = indexQueue

Please test this regular expression before committing this to production! I think I have it right, but my typing is not always the best!

Documentation here:

Keep specific events and discard the rest


lguinn2
Legend

[setparsing]
REGEX = User=(?:\w*admin\w*|Administrator)
DEST_KEY = queue
FORMAT = indexQueue

(Using backticks around the text to solve the "doesn't show backslash" problem)

And I can see that checking for the user name would be superior to testing for event codes...

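Splunk runs the stanzas named in TRANSFORMS-set in the order they are listed, and every stanza whose REGEX matches rewrites the queue key, so the last matching stanza decides whether an event is indexed or discarded; that is why setnull must come before setparsing. The Python script below is an added example, not code from this thread or from Splunk: it models that last-match-wins evaluation over a few constructed events shaped like the samples posted in the thread (account names, SIDs and addresses are placeholders), and runs the event-code rule from the accepted answer, the User= rule from the follow-up, a variant with a common typo (spaces after the alternation bars), and a hypothetical combined rule through it. The combined regex is an assumption of mine, added because the thread's failed-logon sample carries User=SYSTEM and the failing account only appears in the "User Name:" line of the message, so a rule that looks at User= alone drops exactly the failed admin logins the question asks for.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in the key=value layout the thread shows. Account
# names, SIDs and addresses are placeholders, not values from the original post.
EVENTS: Dict[str, str] = {
    "admin_logon": (
        "07/03/2012 03:18:00 PM\nLogName=Security\nEventCode=528\n"
        "Type=Success Audit\nComputerName=TEST-SPLUNK\nUser=xyadmin\n"
        "Message=Successful Logon:\nUser Name: xyadmin\nDomain: MyDomain\n"
    ),
    "admin_logoff": (
        "07/03/2012 03:04:33 PM\nLogName=Security\nEventCode=538\n"
        "Type=Success Audit\nComputerName=TEST-SPLUNK\nUser=xyadmin\n"
        "Message=User Logoff:\nUser Name: xyadmin\nDomain: MyDomain\n"
    ),
    # As in the thread's 529 sample, the User= field of a failed logon is
    # SYSTEM; the account that failed only appears in the "User Name:" line.
    "admin_failed": (
        "07/03/2012 03:14:30 PM\nLogName=Security\nEventCode=529\n"
        "Type=Failure Audit\nComputerName=TEST-SPLUNK\nUser=SYSTEM\n"
        "Message=Logon Failure:\nReason: Unknown user name or bad password\n"
        "User Name: xyadmin\nDomain: MyDomain\n"
    ),
    "user_logon": (
        "07/03/2012 03:18:30 PM\nLogName=Security\nEventCode=528\n"
        "Type=Success Audit\nComputerName=TEST-SPLUNK\nUser=pa00623\n"
        "Message=Successful Logon:\nUser Name: pa00623\nDomain: MyDomain\n"
    ),
    # An admin event with an event code the question does not ask for.
    "admin_other": (
        "07/03/2012 03:20:00 PM\nLogName=Security\nEventCode=560\n"
        "Type=Success Audit\nComputerName=TEST-SPLUNK\nUser=xyadmin\n"
        "Message=Object Open:\n"
    ),
}

# One transforms.conf stanza with DEST_KEY = queue, reduced to (REGEX, FORMAT).
Transform = Tuple[str, str]


def route(raw: str, chain: List[Transform]) -> str:
    """Model of TRANSFORMS-set = a,b,...: stanzas run in the listed order and
    every stanza whose REGEX matches overwrites the queue key, so the last
    matching stanza decides whether the event is indexed or discarded."""
    queue = "indexQueue"  # where an event goes when nothing rewrites the key
    for regex, fmt in chain:
        if re.search(regex, raw):
            queue = fmt
    return queue


# "REGEX = ." matches every event, so on its own it discards everything.
SETNULL: Transform = (r".", "nullQueue")

# Keep logon (528), logoff (538) and failed logon (529) for every account.
CHAIN_EVENTCODE: List[Transform] = [SETNULL, (r"EventCode=(?:528|529|538)", "indexQueue")]

# Same idea with a common typo: the spaces after "|" become part of the
# alternatives, so "EventCode= 529" would be required and only 528 ever matches.
CHAIN_TYPO: List[Transform] = [SETNULL, (r"EventCode=(?:528| 529| 538)", "indexQueue")]

# Keep any event whose User= field looks like an admin account.
CHAIN_USER: List[Transform] = [SETNULL, (r"User=(?:\w*admin\w*|Administrator)", "indexQueue")]

# Hypothetical combination (assumption, not from the thread): require one of
# the three event codes AND an admin name in either User= or the "User Name:"
# line, so the failed-logon case with User=SYSTEM is still kept.
CHAIN_COMBINED: List[Transform] = [
    SETNULL,
    (r"(?s)EventCode=(?:528|529|538).*?User(?:=| Name: ?)(?:\w*admin\w*|Administrator)\b",
     "indexQueue"),
]


def routing_table(chain: List[Transform]) -> Dict[str, str]:
    """Run every constructed event through one transform chain."""
    return {name: route(raw, chain) for name, raw in EVENTS.items()}


if __name__ == "__main__":
    for label, chain in [("eventcode", CHAIN_EVENTCODE), ("typo", CHAIN_TYPO),
                         ("user", CHAIN_USER), ("combined", CHAIN_COMBINED)]:
        print(f"{label:10s}", routing_table(chain))
```

The script is a stand-in for the "test this regular expression" step, not a replacement for trying the stanzas on a test indexer: Splunk uses PCRE and applies REGEX to the whole raw event, which the (?s) flag in the combined rule mimics. Note also that \w*admin\w* matches any account name containing "admin" anywhere (for example "badminton"); if the real accounts are exactly two letters followed by "admin", as the question suggests, the tighter \b\w{2}admin\b avoids that.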

angelo82
Explorer

I apologize for my delay,

I've solved it with this string:

[setparsing]
REGEX = User=(?:\w*admin\w*|Administrator)
DEST_KEY = queue
FORMAT = indexQueue

the best way to index administrators' logins for our needs.

thank you very much for your advice

Angelo

p.s. the character "backslash" is not shown


angelo82
Explorer

Here is the other info requested:

LOGOFF ADMIN:
07/03/2012 03:04:33 PM

LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=??dmin
Sid=(DELETED)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45129
Message=User Logoff:

User Name: ??admin
Domain: MyDomain

Logon ID: (0x0,0x3E0B1C4)
Logon Type: 10

FAILED LOGIN

07/03/2012 03:14:30PM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=TEST-SPLUNK
User=SYSTEM
Sid=(deleted)
Sid Type=5
Category=2
CategoryString=Logon/Logoff
RecordNumber=45131
Message=Logon Failure:

Reason: Unknown user name or bad password

User Name: ??admin
Domain: MyDomain

Logon Type: 10

Logon Process: User32

Authentication Package: Negotiate

Workstation Name: TEST-SPLUNK
Caller User Name: TEST-SPLUNK$

Caller Domain: MyDomain

Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1744

Transited Services: -

Source Network Address: ....

Source Port: 65220

POWER USER LOGON

07/03/2012 03:18:30 PM
LogName=Security
SourceName=Security
EventCode=528
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=pa00623
Sid=(DELETED)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45139
Message=Successful Logon:

User Name: pa*****
Domain: MyDomain

Logon ID: (0x0,0x4064B5D)
Logon Type: 10

Logon Process: User32

Authentication Package: Negotiate

Workstation Name: TEST-SPLUNK
Logon GUID: {DELETED}

Caller User Name: TEST-SPLUNK$

Caller Domain: MyDomain

Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2296
Transited Services: -

Source Network Address: ...
Source Port: 65253

I hope this can be useful to help me.
Thank You


angelo82
Explorer

this is an administrator login

LogName=Security
SourceName=Security
EventCode=528
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=??admin
Sid=(deleted)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45077
Message=Successful Logon:
User Name:??admin
Domain: Mydomain
Logon ID:(Deleted)
Logon Type:10
Logon Process:User32

Authentication Package: Negotiate
Workstation Name:TEST-SPLUNK
Logon GUID:{deleted}
Caller User Name:TEST-SPLUNK$
Caller Domain: Mydomain
Caller Logon ID: (deleted,deleted)
Caller Process ID: 2948
Transited Services: -
Source Network Address: ...
Source Port:52948

Unfortunately I'm not in the office now to do a power user login; if it is necessary I'm going to do it in more or less 8 hours.
I also need to log EventCode 529 (failure audit) and EventCode 538 (user logoff).


lguinn2
Legend

Can you give us a small sample of the raw log file? You can change the server names, ip addresses, etc. for security, but it would be very helpful to see 3-5 lines of the log file. If possible, I would like to see at least one entry for an administrator login and one entry for a regular user login.
