Splunk Search

Regex on a Syslog parsed Windows Event

leonheart78
Explorer

I'm trying to extract the Account Name for this particular Windows Event, which is passed by a Syslog forwarder, instead of a Splunk forwarder.

Event Type 1
2017-09-02 23:26:45 Kernel.Notice 172.34.21.72 Sep 02 23:26:45 SAP019PRD01.devops.edu.my MSWinEventLog 5 Security 1307508 Sat Sep 02 23:26:37 2017 4738 Microsoft-Windows-Security-Auditing N/A Audit Success SAP019PRD01.devops.edu.my 13824 A user account was changed.
Subject:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x3E6
Target Account:
Security ID: S-1-5-21-2116884625-2469882367-779485706-5698
Account Name: DEVOPS00030
Account Domain: DEVOPS
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 9/2/2017 11:26:37 PM

Event Type 2
2017-08-30 13:37:40 Kernel.Notice 172.34.196.99 Aug 30 13:37:56 DADMZDCPRD15.dmz.devops.edu.my MSWinEventLog 5 Security 2548728 Wed Aug 30 13:37:50 2017 4738 Microsoft-Windows-Security-Auditing N/A Audit Success DADMZDCPRD15.dmz.devops.edu.my 13824 A user account was changed.
Subject:
Security ID: S-1-5-21-3530313057-3021056205-3718217427-2613
Account Name: svc.devteam_guest
Account Domain: DMZ
Logon ID: 0x2524625D
Target Account:
Security ID: S-1-5-21-3530313057-3021056205-3718217427-25067
Account Name: 91276444
Account Domain: DMZ
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 8/30/2017 1:37:50 PM

I've tried using the Splunk regex, but it just cannot capture both Event Types.

0 Karma

niketn
Legend

@leonheart78, as @richgalloway has mentioned, you need to define which Account Name(s) you need to extract. The following pulls the first two Account Names using max_match:

| rex "Account Name\:\s(?<AccountName>.*)" max_match=2
| eval AccountName1=mvindex(AccountName,0)
| eval AccountName2=mvindex(AccountName,1)

If you are interested in only the second one, you can use the mvindex() function for that. If you are only interested in the first one, it is better to remove the max_match argument from the rex command so that Splunk extracts only the first match.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

richgalloway
SplunkTrust

There are two "Account Name" fields in those events. Which one do you want to extract?

---
If this reply helps you, Karma would be appreciated.
0 Karma