
How can I tag Windows system accounts?

ja_s
New Member

I want to be able to tag Windows system accounts, but it doesn't seem to be working correctly in 5.0 and 5.0.1, installed on Linux. I have Windows machines with Splunk forwarders on them, and they are recording events that have the following users:

  • ANONYMOUS LOGON
  • LOCAL SERVICE
  • NETWORK SERVICE
  • MYCOMPUTERNAME$

I can create tags for them, but because they have spaces and dollar signs in their name, they show on the Tags Manager pages with the URI-encoded equivalent, so that spaces become %20 and the dollar sign is %24. When I try to modify the key/value pair or change its permissions from, for example, "List by field value pair" page, I get a 404 with the message:

  • Splunk cannot find "saved/fvtags/user=ANONYMOUS%20LOGON".
0 Karma
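The 404 above names the entity as "saved/fvtags/user=ANONYMOUS%20LOGON", i.e. the field value already percent-encoded once (space as %20, dollar sign as %24). A common reason a manager page or REST call for such a name fails is that the name gets encoded a second time (or not at all) on the way out. The following is an added example, not code from the question or from Splunk: it builds the field=value entity name with a single round of RFC 3986 percent-encoding, shows what the same name looks like when it is encoded again as a URL path segment, and counts how many decode passes a given name needs, so you can check which form you are actually sending. The account names are the ones listed in the question; MYCOMPUTERNAME$ is a placeholder for a machine account, and the assumption that the entity name is sent as one URL path segment is mine, not something the page confirms.

```python
from urllib.parse import quote, unquote

# Constructed sample: the Windows built-in account names from the question.
# MYCOMPUTERNAME$ stands in for a real machine account (placeholder).
WINDOWS_SYSTEM_ACCOUNTS = [
    "ANONYMOUS LOGON",
    "LOCAL SERVICE",
    "NETWORK SERVICE",
    "MYCOMPUTERNAME$",
]


def fvtag_entity_name(field: str, value: str) -> str:
    """Return the field=value entity name with the value percent-encoded once.

    safe='' forces every character outside the RFC 3986 unreserved set to be
    encoded, so ' ' becomes %20 and '$' becomes %24, matching the form shown
    in the error message on the page.
    """
    return f"{field}={quote(value, safe='')}"


def fvtag_url_path(field: str, value: str) -> str:
    """Return 'saved/fvtags/<name>' with the whole name encoded as one path segment.

    Assumption (not from the page): the entity name travels as a single URL path
    segment, so '=' must become %3D and the '%' of any existing escape becomes
    %25. Encoding the already-encoded name again is exactly the double-encoding
    that turns %20 into %2520.
    """
    return "saved/fvtags/" + quote(fvtag_entity_name(field, value), safe="")


def encoding_depth(name: str) -> int:
    """Count how many percent-decoding passes a name needs before it stops changing.

    0 means the name is raw (contains a literal space or '$'), 1 means it was
    encoded once (%20, %24), 2 means it was encoded twice (%2520, %2524).
    """
    depth = 0
    while True:
        decoded = unquote(name)
        if decoded == name:
            return depth
        name = decoded
        depth += 1


def decode_fully(name: str) -> str:
    """Strip every layer of percent-encoding to recover the raw field=value text."""
    while True:
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded


if __name__ == "__main__":
    for account in WINDOWS_SYSTEM_ACCOUNTS:
        once = fvtag_entity_name("user", account)
        path = fvtag_url_path("user", account)
        print(f"{account!r:22} once={once:32} as path segment={path}")
    # The name from the 404 in the question decodes in one pass; a %2520 variant needs two.
    for sample in ("user=ANONYMOUS%20LOGON", "user=ANONYMOUS%2520LOGON"):
        print(f"{sample:30} depth={encoding_depth(sample)} raw={decode_fully(sample)!r}")
```

If the name you observe needs two decode passes, the client (browser page or script) has encoded an already-encoded value; if it needs none, a literal space or dollar sign is reaching the URL unencoded. Either way the entity name the server looks up will not match the one stored, which is consistent with the "cannot find" response quoted in the question.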

DaveSavage
Builder

Not tested - but Splunk usually likes field names with spaces in them to be represented within a set of quotes? "ANON LOGON".
Edit - you have seen ANONYMOUS LOGON in a log coming through? I ask because the standard convention for Windows is ANONYMOUS on its own. Logon is a separate field?

0 Karma

DaveSavage
Builder

ja_s...I understand re security eventlog. I ran it (on 4.3) and did not have any errors. My v5 lab is down at the mo'...will try there. tag::user="foo" at search line worked as well.

0 Karma

ja_s
New Member

No, I don't want the above to be tag names, those are the usernames that Windows uses. Search on user="NETWORK SERVICE" if you have a Windows client. I have several coming from the Security Eventlog. Make user a selected field, pull down "Tag user=NETWORK SERVICE", put in "foo" for tag name, then go to Manager » Tags » List by field value pair then select user=NETWORK%20SERVICE and you will get a 404.

0 Karma

DaveSavage
Builder

Try this (sorry - a bit slow tonight). Create a new tag with name of ANON_LOGON, add field value pair of user="ANONYMOUS" and another value of action="login attempt".
If that fails, try running the search manually. My test was: user="admin" action="login attempt" | top user host source sourcetype | fields - percent
But I was using "admin" because I know I have those and no anons in the indexes.
You may also need to create more values for user="anonymous" OR user="ANONYMOUS"

0 Karma

DaveSavage
Builder

Tag names don't have quotes, nor spaces. If you really want the tag name to be similar to that, then use ANONYMOUS_LOGON as its name. Field Pair value would be user="ANONYMOUS" etc?

0 Karma

ja_s
New Member

Well, that's fine, but I created the tags via the pull-down on the "user" selected field. However, I did manually add them with quotes, as you suggest, via the Tags Manager, but they don't seem to get tagged in results.

0 Karma