Extracting and reporting on specific fields

hznp_skoivisto
New Member

Hello,

I am evaluating Splunk as a mechanism to audit Windows filesystem access through Windows object auditing. I've successfully configured the auditing on the OS side, and the events are captured by Splunk at this point. The issue I'm facing is that the generated event from Windows simply contains too much information for it to be readable in its native format. What I'm hoping for is a way to ostensibly "grep" out the relevant parts for reporting purposes. I've included a sample event below, for reference. As an example, I'd like to be able to see only the "account name", "object name" and date/time to quickly see access attempts on our file system. I've tried using the "fields" pipe command, but it would seem that the lower half of the event text isn't able to be parsed using the fields command. I've tried using the Extract Fields wizard with no luck as well. Hoping someone out there has crossed this bridge before and can offer some advice. Thank you!

20121011084908.000000
Category=12800
CategoryString=File System
EventCode=4663
EventIdentifier=4663
EventType=4
Logfile=Security
RecordNumber=248660925
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20121011134908.193923-000
TimeWritten=20121011134908.193923-000
Type=Audit Success
User=NULL
ComputerName=SERVER01.TestDomain.Local
wmi_type=WinEventLog:Security
Message=An attempt was made to access an object.

Subject:
    Security ID:        S-1-5-21-3844513864-1809414692-3843819318-1309
    Account Name:       test_user
    Account Domain:     TD
    Logon ID:       0x163dbfcaa

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    D:\Path\To\Audited\Filename.xlsx
    Handle ID:  0x26bc

Process Information:
    Process ID: 0x4
    Process Name:   

Access Request Information:
    Accesses:   READ_CONTROL

    Access Mask:    0x20000

Ayn
Legend

My suggestion is to make sure you get your fields correctly extracted, and then use the table command to show you the relevant fields in a tabular format. It's not entirely clear from your question whether you have field extraction working properly already - if you do, using table is as easy as adding | table <list of fields> at the end of your search.

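A concrete search that does what Ayn describes, added here as an example and not taken from the thread: it pulls the values out of the indented lines in the Message text with rex (the fields the built-in extraction skips in the lower half of the event), then lays them out with table. The index name and the filter on CategoryString are assumptions; adjust them to match how the WMI-collected Security log is indexed on your side.

```spl
index=wineventlog EventCode=4663 CategoryString="File System"
| rex "Account Name:\s+(?<account_name>[^\r\n]+)"
| rex "Account Domain:\s+(?<account_domain>[^\r\n]+)"
| rex "Object Name:\s+(?<object_name>[^\r\n]+)"
| rex "Accesses:\s+(?<accesses>[^\r\n]+)"
| rex "Access Mask:\s+(?<access_mask>0x[0-9a-fA-F]+)"
| rex "Process Name:\s*(?<process_name>[^\r\n]*)"
| table _time, account_domain, account_name, object_name, accesses, access_mask, process_name
| sort - _time
```

Each rex pattern stops at the end of its line, so paths with spaces such as the D:\ example above come through whole; replacing the last two lines with | stats count by account_name, object_name gives a per-user, per-file summary instead of one row per event.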