Good evening, I have this problem to solve:
I've installed Splunk Web and a client machine with a Splunk heavy forwarder; how can I forward only administrators' logins to the indexer?
We have more than one network administrator user with this suffix: ??admin (instead of the question marks we have two letters).
I need only login, logout and failed login.
Unfortunately I don't understand how the config files work (and technical English is so difficult for me).
I've already read these links but I didn't understand a lot, and the second link is incomplete and it doesn't work... (surely because I've lost a crucial part of the settings)
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad
This is the first time I need to modify config files without the UI.
If you can tell me the right settings I would be grateful, thank you very much (and I apologize for my possible grammar errors).
First, you need to know the sourcetype for this data. I assume that the sourcetype is WinEventLog:Security. Second, these configurations should go on the indexer(s) or heavy forwarder - not the Universal Forwarder.
In props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
In transforms.conf:
[setnull]
# first transform: every event matches "." and is sent to the null queue (discarded)
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
# second transform: events with one of these event codes are routed back to the index queue
# (no spaces inside the alternation, otherwise "EventCode=529" would not match)
REGEX = EventCode=(?:528|529|538)
DEST_KEY = queue
FORMAT = indexQueue
Please test this regular expression before committing this to production! I think I have it right, but my typing is not always the best!
Documentation here:
Keep specific events and discard the rest
[setparsing]
REGEX = User=(?:\w*admin\w*|Administrator)
DEST_KEY = queue
FORMAT = indexQueue
(Using backticks around the text to solve the "doesn't show backslash" problem)
And I can see that checking for the user name would be superior to testing for event codes...
I apologize for my delay.
I've solved it with this string:
[setparsing]
REGEX = User=(?:\w*admin\w*|Administrator)
DEST_KEY = queue
FORMAT = indexQueue
This is the best way to index administrators' logins for our needs.
Thank you very much for your advice.
Angelo
P.S. The backslash character is not shown.
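Before pushing either version of the setparsing stanza to production, it is worth replaying the sample events from this thread against the regexes. The Python script below is an added example, not something posted in the thread or shipped with Splunk: it simulates the setnull/setparsing pair (assuming Splunk evaluates the two transforms in the listed order against the raw event, with the last match deciding the queue) and routes four constructed events modelled on the excerpts above (the admin prefix is written as "xx", names and IDs are placeholders). It shows that the event-code regex as originally typed (with spaces after the pipes) silently drops the 529 and 538 events, that the event-code version keeps regular users' logons too, and that the User= version drops the admin's failed logon, because in that event the header field is User=SYSTEM and the admin name only appears in "User Name:". A fourth regex combining both ideas is my own assumption, included to show the general pattern.

```python
import re

# Constructed sample events modelled on the Windows Security log excerpts
# posted in this thread. Server names, SIDs and IDs are placeholders and the
# two-letter prefix of the admin accounts is written as "xx" (an assumption).
SAMPLES = {
    "admin_logon": """07/03/2012 03:18:30 PM
LogName=Security
EventCode=528
Type=Success Audit
ComputerName=TEST-SPLUNK
User=xxadmin
Message=Successful Logon:
User Name: xxadmin
Domain: MyDomain
Logon Type: 10""",
    "admin_logoff": """07/03/2012 03:04:33 PM
LogName=Security
EventCode=538
Type=Success Audit
ComputerName=TEST-SPLUNK
User=xxadmin
Message=User Logoff:
User Name: xxadmin
Domain: MyDomain
Logon Type: 10""",
    "admin_failed_logon": """07/03/2012 03:14:30 PM
LogName=Security
EventCode=529
Type=Failure Audit
ComputerName=TEST-SPLUNK
User=SYSTEM
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name: xxadmin
Domain: MyDomain
Logon Type: 10""",
    "regular_user_logon": """07/03/2012 03:18:30 PM
LogName=Security
EventCode=528
Type=Success Audit
ComputerName=TEST-SPLUNK
User=pa00623
Message=Successful Logon:
User Name: pa00623
Domain: MyDomain
Logon Type: 10""",
}

# The setparsing regexes discussed in the thread, plus one that combines
# event code and the "User Name:" field (my own assumption, not from the thread).
BY_EVENTCODE_AS_TYPED = r"EventCode=(?:528| 529| 538)"   # spaces after '|'
BY_EVENTCODE = r"EventCode=(?:528|529|538)"
BY_USER = r"User=(?:\w*admin\w*|Administrator)"
BY_CODE_AND_USERNAME = r"(?s)EventCode=(?:528|529|538).*User Name:\s*\w*admin\b"


def route(raw, keep_regex):
    """Simulate the props.conf/transforms.conf pair from the thread.

    Assumption about Splunk behaviour: the transforms run in the listed order
    against the raw event, so 'setnull' (REGEX = .) first sends every event to
    nullQueue and 'setparsing' then re-routes matching events to indexQueue.
    """
    queue = "nullQueue" if re.search(r".", raw) else "indexQueue"   # setnull
    if re.search(keep_regex, raw):                                  # setparsing
        queue = "indexQueue"
    return queue


def route_all(keep_regex):
    """Return {sample name: queue} for every constructed sample event."""
    return {name: route(raw, keep_regex) for name, raw in SAMPLES.items()}


def kept(keep_regex):
    """Sorted names of the samples that would actually reach the indexer."""
    return sorted(n for n, q in route_all(keep_regex).items() if q == "indexQueue")


if __name__ == "__main__":
    for label, rx in [("as typed", BY_EVENTCODE_AS_TYPED),
                      ("event code", BY_EVENTCODE),
                      ("User= field", BY_USER),
                      ("code + user name", BY_CODE_AND_USERNAME)]:
        print(f"{label:18s} keeps {kept(rx)}")
```

Run it with the real two-letter prefix substituted for "xx" and your own exported events pasted into SAMPLES; any event that lands in nullQueue here would be dropped before indexing, which is exactly the kind of gap (a missed failed logon of a privileged account) that is hard to notice afterwards because the evidence never reached the index.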
Here is the other info requested:
LOGOFF ADMIN:
07/03/2012 03:04:33 PM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=??dmin
Sid=(DELETED)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45129
Message=User Logoff:
User Name: ??admin
Domain: MyDomain
Logon ID: (0x0,0x3E0B1C4)
Logon Type: 10
FAILED LOGIN
07/03/2012 03:14:30PM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=TEST-SPLUNK
User=SYSTEM
Sid=(deleted)
Sid Type=5
Category=2
CategoryString=Logon/Logoff
RecordNumber=45131
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name: ??admin
Domain: MyDomain
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TEST-SPLUNK
Caller User Name: TEST-SPLUNK$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1744
Transited Services: -
Source Network Address: ....
Source Port: 65220
POWER USER LOGON
07/03/2012 03:18:30 PM
LogName=Security
SourceName=Security
EventCode=528
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=pa00623
Sid=(DELETED)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45139
Message=Successful Logon:
User Name: pa*****
Domain: MyDomain
Logon ID: (0x0,0x4064B5D)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TEST-SPLUNK
Logon GUID: {DELETED}
Caller User Name: TEST-SPLUNK$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2296
Transited Services: -
Source Network Address: ...
Source Port: 65253
I hope this is useful for helping me.
Thank you
This is an administrator login:
LogName=Security
SourceName=Security
EventCode=528
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=??admin
Sid=(deleted)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45077
Message=Successful Logon:
User Name:??admin
Domain: Mydomain
Logon ID:(Deleted)
Logon Type:10
Logon Process:User32
Authentication Package: Negotiate
Workstation Name:TEST-SPLUNK
Logon GUID:{deleted}
Caller User Name:TEST-SPLUNK$
Caller Domain: Mydomain
Caller Logon ID: (deleted,deleted)
Caller Process ID: 2948
Transited Services: -
Source Network Address: ...
Source Port:52948
Unfortunately I'm not in the office now to do a power user login... if it is necessary I'll do it in about 8 hours.
I also need to log EventCode 529 (failure audit) and EventCode 538 (user logoff).
Can you give us a small sample of the raw log file? You can change the server names, ip addresses, etc. for security, but it would be very helpful to see 3-5 lines of the log file. If possible, I would like to see at least one entry for an administrator login and one entry for a regular user login.