Have the following defined in my inputs.conf
[WinEventLog:Security]
disabled=0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
Have the following defined in my props.conf
[default]
BREAK_ONLY_BEFORE_DATE = True
Log File
01/18/2013 11:45:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=XXXX
TaskCategory=Logoff
OpCode=Info
-----Line Break is Occurring Here -----
RecordNumber=1173295928
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: XXX
Account Name: XXX
Account Domain: XXX
Logon ID: XXX
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Should be only breaking on the date, however from above, it's breaking at the Record number. This is happening on only 2 of my DCs; Splunk, from what I can see, is configured the same way on all 5 of my DCs. Anyone have any ideas on what this could be?
Thanks!
Michael
It appears that Splunk sees the value of the RecordNumber and equates that to epoch time. Does the second half of the event get timestamped Wed, 07 Mar 2007 19:32:08 GMT?
What might help is to define the TIME_FORMAT
and possibly utilize the BREAK_ONLY_BEFORE
in the props.conf for that sourcetype. Something like this might work:
props.conf on indexing server
[WinEventLog:Security]
TIME_FORMAT = %m\/%d\/%Y %H:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)
If this answer resolves your issue, please mark it as the accepted answer. Thanks.
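To make the diagnosis above concrete, here is an added example (not code from the thread or from Splunk) that models event breaking in a few lines of Python. It splits the sample event from the question two ways: with the explicit BREAK_ONLY_BEFORE date regex from this answer, and with a constructed "loose" pattern that, like a timestamp heuristic, also accepts a bare 10-digit integer as a Unix epoch value. It then shows what RecordNumber=1173295928 means if it is read as an epoch time. The `break_events` function is a simplified stand-in for Splunk's line-breaking, and the `LOOSE_RE` pattern is an assumption used only to reproduce the symptom; neither is Splunk's real implementation.

```python
import re
from datetime import datetime, timezone

# Constructed sample event, modelled on the WinEventLog:Security event in the
# question (RecordNumber is the value from the question; names are placeholders).
SAMPLE = """\
01/18/2013 11:45:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=XXXX
TaskCategory=Logoff
OpCode=Info
RecordNumber=1173295928
Keywords=Audit Success
Message=An account was logged off.
"""

# The BREAK_ONLY_BEFORE regex from the answer (without the .conf escaping):
# a new event may start only on a line containing an m/d/Y h:m:s AM|PM stamp.
DATE_RE = re.compile(r"\d+/\d+/\d+\s+\d+:\d+:\d+\s+(AM|PM)")

# Constructed "loose" heuristic: the same date pattern OR a bare 10-digit
# integer, which is what a Unix epoch timestamp looks like. This is an
# assumption that reproduces the symptom; it is not Splunk's own logic.
LOOSE_RE = re.compile(
    r"\d+/\d+/\d+\s+\d+:\d+:\d+\s+(AM|PM)|(?<![\d.])\d{10}(?![\d.])"
)

# The TIME_FORMAT from the answer, unescaped for Python's strptime.
TIME_FORMAT = "%m/%d/%Y %H:%M:%S %p"


def break_events(text, pattern):
    """Simplified model of BREAK_ONLY_BEFORE: start a new event only on a
    line that matches `pattern`; every other line is appended to the
    current event."""
    events = []
    for line in text.splitlines():
        if not events or pattern.search(line):
            events.append([line])
        else:
            events[-1].append(line)
    return ["\n".join(e) for e in events]


def event_time(event):
    """Parse the timestamp on an event's first line with TIME_FORMAT,
    or return None if that line carries no m/d/Y h:m:s AM|PM stamp."""
    first_line = event.splitlines()[0]
    match = DATE_RE.search(first_line)
    if not match:
        return None
    return datetime.strptime(match.group(0), TIME_FORMAT)


def epoch_to_utc(value):
    """What a 10-digit integer means if it is (mis)read as a Unix epoch."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


if __name__ == "__main__":
    for name, pattern in (("explicit date regex", DATE_RE),
                          ("loose epoch-tolerant heuristic", LOOSE_RE)):
        events = break_events(SAMPLE, pattern)
        print(f"{name}: {len(events)} event(s)")
        for ev in events:
            print("  first line:", ev.splitlines()[0], "->", event_time(ev))
    print("RecordNumber read as epoch:", epoch_to_utc(1173295928).isoformat())
```

With the explicit date regex the sample stays one event whose time is 2013-01-18 11:45:55; with the loose heuristic it splits at `RecordNumber=1173295928`, and that integer read as an epoch is 2007-03-07T19:32:08 UTC, the date this answer names. One detail worth knowing when you copy the TIME_FORMAT into your own tooling: in Python's strptime the `%p` token only converts the hour when it is parsed with `%I`; with `%H` the AM/PM text is matched but not applied.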
Awesome! Glad I could help.
OK, this is now working! Thank you so much for your time and effort on this!
I didn't realize there was a custom sourcetype on our indexers for the Windows security logs. Once I updated the sourcetype with the BREAK_ONLY_BEFORE statement, it works!
OK, I added the stanza and BREAK_ONLY_BEFORE to our paired indexing servers:
[WinEventLog:Security]
TIME_FORMAT = %m\/%d\/%Y %H:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)
Still the same issue; it only happens on 2 of the 5 DCs we have... strange.
The TIME_FORMAT might not be needed. Also, I see some issues with the regex on the BREAK_ONLY_BEFORE. It might be due to formatting when you pasted into the comment. Please verify that the regex is exactly what I submitted earlier in the ticket.
Also, please be sure that this goes into the props.conf on the indexing server. Do you run a distributed Splunk environment, or single server instance?
The only thing I have in my props.conf (etc/system/local) file is what was given above:
[default]
[WinEventLog:Security]
TIME_FORMAT = %m\/%d\/%Y %H:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)
We are defining most of our regex extractions in the default search app. None of them are defined for Windows; we have been using the default auto extractions for Windows-based logging and any search-time regex when needed.
Is it possible to include a sanitized props.conf?
No go on either in the props.conf. Still showing the line break as indicated above.
I would still try the BREAK_ONLY_BEFORE to see if that resolves the issue. You don't have to try the TIME_FORMAT if the BREAK_ONLY_BEFORE resolves it.
No, it appears to be timestamped the same as the top half.