Create Dashboard Table - Windows Event Log

adamswebsiteacc
New Member

Hi All,

I am brand new to Splunk and I'm looking for a quick helping hand to get me started. I'd like to create a simple table (or any other useful display mechanism) to create a dashboard or report to show changes to my local servers. I am specifically interested in showing events 4720, 4738 and 4726. Initially I would like to start with 4720 (see below). I would like to display the time the event occurred, on which host, the user who created the account, the account name and finally extract the text "Message=A user account was created." to appear in the last column. Once I understand how to do this I should be able to replicate this for my other events. May I please ask for some assistance while I'm still learning?

Thank you.

10/30/2012 08:05:24 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4720
EventType=0
Type=Information
ComputerName=LabMGT.Test.Com
TaskCategory=User Account Management
OpCode=Info
RecordNumber=346
Keywords=Audit Success
Message=A user account was created.

Subject:
Security ID: LabMGT\Administrator
Account Name: Administrator
Account Domain: LABMGT
Logon ID: 0x1c912

New Account:
Security ID: LabMGT\Walter Black
Account Name: Walter Black
Account Domain: SORCEDMGT

Attributes:
SAM Account Name: Walter Black
Display Name:
User Principal Name: -
Home Directory:
Home Drive:
Script Path:
Profile Path:
User Workstations:
Password Last Set:
Account Expires:
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:

Account Disabled
'Password Not Required' - Enabled
'Normal Account' - Enabled
User Parameters:
SID History: -
Logon Hours: All

Additional Information:
Privileges -
host=LabMGT sourcetype=WinEventLog:Security source=WinEventLog:Security

0 Karma

melora_layne
New Member

Here is a query I use to search for 4720 events and put them into a table, however I'm not sure how to extract the Message field to show last. Maybe this will give you a starting point, sorry I couldn't help further 🙂

source="WinEventLog:Security" (NewDomain="YOURDOMAIN") (EventCode="4720") NewAccount_Name!=$* |table *

0 Karma
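One way to build the table the question asks for, as an added example that is not from either post: each rex anchors on the section header ("Subject:" / "New Account:") so the two "Account Name:" lines in the event are not confused, and a further rex pulls only the first line of Message. The field names creator, new_account, pwd_not_required and message are my own choices, and the sourcetype is assumed to match the one shown in the sample event.

```spl
sourcetype="WinEventLog:Security" EventCode=4720
| rex "Subject:\s+Security ID:\s+(?<creator_sid>[^\r\n]+)\s+Account Name:\s+(?<creator>[^\r\n]+)"
| rex "New Account:\s+Security ID:\s+(?<new_sid>[^\r\n]+)\s+Account Name:\s+(?<new_account>[^\r\n]+)"
| rex "Message=(?<message>[^\r\n]+)"
| rex "(?<pwd_not_required>'Password Not Required' - Enabled)"
| eval pwd_not_required=if(isnotnull(pwd_not_required), "yes", "no")
| table _time host creator new_account pwd_not_required message
| rename creator AS "Created By", new_account AS "New Account", pwd_not_required AS "Password Not Required", message AS "Message"
```

The pwd_not_required column flags new accounts whose User Account Control shows 'Password Not Required' enabled, as in the sample event, which is worth surfacing on the dashboard. For 4738 and 4726 change the EventCode and replace "New Account:" in the second rex with "Target Account:", which is the section header those messages use.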