Hello,
I am evaluating Splunk as a mechanism to audit Windows filesystem access through Windows object auditing. I've successfully configured the auditing on the OS side, and the events are captured by Splunk at this point. The issue I'm facing is that the generated event from Windows simply contains too much information for it to be readable in its native format. What I'm hoping for is a way to ostensibly "grep" out the relevant parts for reporting purposes. I've included a sample event below, for reference. As an example, I'd like to be able to see only the "account name", "object name" and date/time to quickly see access attempts on our file system. I've tried using the "fields" pipe command, but it would seem that the lower half of the event text isn't able to be parsed using the fields command. I've tried using the Extract Fields wizard with no luck as well. Hoping someone out there has crossed this bridge before and can offer some advice. Thank you!
20121011084908.000000
Category=12800
CategoryString=File System
EventCode=4663
EventIdentifier=4663
EventType=4
Logfile=Security
RecordNumber=248660925
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20121011134908.193923-000
TimeWritten=20121011134908.193923-000
Type=Audit Success
User=NULL
ComputerName=SERVER01.TestDomain.Local
wmi_type=WinEventLog:Security
Message=An attempt was made to access an object.
Subject:
Security ID: S-1-5-21-3844513864-1809414692-3843819318-1309
Account Name: test_user
Account Domain: TD
Logon ID: 0x163dbfcaa
Object:
Object Server: Security
Object Type: File
Object Name: D:\Path\To\Audited\Filename.xlsx
Handle ID: 0x26bc
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Accesses: READ_CONTROL
Access Mask: 0x20000
My suggestion is to make sure you get your fields correctly extracted, and then use the table command to show you the relevant fields in a tabular format. It's not entirely clear from your question whether you have field extraction working properly already - if you do, using table is as easy as adding | table <list of fields> at the end of your search.
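Added example, not code from the question, the answer or Splunk itself: a small Python parser for the event format quoted above, showing the extraction the answer has in mind before | table can work. It scopes every message-body key by its section (the 4663 section names and the constructed sample event are assumptions modelled on the quoted event) and decodes the WMI-format TimeGenerated timestamp; the same scoping is what a rex extraction in Splunk would have to reproduce.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input shaped like the event in the question: 'key=value' header lines, then the Message body.
SAMPLE_EVENT = r"""
EventCode=4663
TimeGenerated=20121011134908.193923-000
Message=An attempt was made to access an object.
Subject:
Account Name: test_user
Account Domain: TD
Object:
Object Name: D:\Path\To\Audited\Filename.xlsx
Process Information:
Process Name:
Access Request Information:
Accesses: READ_CONTROL
"""

# 4663 section headers (assumed). The event is unindented, so an empty-valued key like 'Process Name:' is only told from a header by name.
SECTIONS = {"Subject", "Object", "Process Information", "Access Request Information"}

def parse_event(raw: str) -> dict:
    # Message-body keys are stored as 'Section.Key': other event IDs repeat keys such as 'Account Name' in several sections.
    fields, section, in_message = {}, None, False
    for line in filter(None, map(str.strip, raw.splitlines())):
        if not in_message:
            key, sep, value = line.partition("=")
            if sep:
                fields[key] = value
            in_message = key == "Message"
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]
            continue
        key, _, value = line.partition(":")
        fields[f"{section}.{key.strip()}"] = value.strip()
    return fields

def wmi_datetime(value: str) -> datetime:
    # WMI CIM datetime: yyyymmddHHMMSS.ffffff followed by the signed UTC offset in minutes.
    m = re.fullmatch(r"(\d{14})\.(\d{6})([+-]\d{3})", value)
    tz = timezone(timedelta(minutes=int(m.group(3))))
    return datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S%f").replace(tzinfo=tz)

def access_row(f: dict) -> dict:
    # The report columns the question asks for: when, who, which file, what access.
    return {"time": wmi_datetime(f["TimeGenerated"]).isoformat(),
            "account": f["Subject.Account Domain"] + "\\" + f["Subject.Account Name"],
            "object": f["Object.Object Name"], "access": f["Access Request Information.Accesses"]}
```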