Windows Event Line Break

arrowsmith3
Path Finder

I have the following defined in my inputs.conf:

[WinEventLog:Security]
disabled=0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

I have the following defined in my props.conf:

[default]

BREAK_ONLY_BEFORE_DATE = True

Log File
01/18/2013 11:45:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=XXXX
TaskCategory=Logoff
OpCode=Info

-----Line Break is Occurring Here -----

RecordNumber=1173295928
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: XXX
Account Name: XXX
Account Domain: XXX
Logon ID: XXX
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

It should only be breaking on the date; however, as shown above, it's breaking at the RecordNumber. This is happening on only 2 of my DCs; Splunk, from what I can see, is configured the same way on all 5 of my DCs. Anyone have any ideas on what this could be??

Thanks!

Michael

0 Karma
1 Solution

jodros
Builder

It appears that Splunk sees the value of the RecordNumber and equates that to epoch time. Does the second half of the event get timestamped Wed, 07 Mar 2007 19:32:08 GMT?

What might help is to define the TIME_FORMAT and possibly utilize the BREAK_ONLY_BEFORE in the props.conf for that sourcetype. Something like this might work:

props.conf on indexing server

[WinEventLog:Security]
# %I is the 12-hour clock, which the %p (AM/PM) field requires; %H is 24-hour
TIME_FORMAT = %m\/%d\/%Y %I:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

If this answer resolves your issue, please mark it as the accepted answer. Thanks.
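
As an added illustration (not part of this thread and not Splunk's own code), the Python below runs the accepted answer's BREAK_ONLY_BEFORE regex over a constructed two-event sample and shows why the RecordNumber was suspect: decoded as a Unix epoch, 1173295928 is exactly the 2007 date quoted above. The sample events and the helper names are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not from the thread): two Security events in the layout
# the poster shows, back to back as a forwarder would deliver them. The second
# has a PM timestamp and a different RecordNumber on purpose.
SAMPLE = """01/18/2013 11:45:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
RecordNumber=1173295928
Keywords=Audit Success
Message=An account was logged off.
01/18/2013 01:02:03 PM
LogName=Security
EventCode=4624
RecordNumber=1173295929
Message=An account was successfully logged on.
"""

# The accepted answer's BREAK_ONLY_BEFORE regex, verbatim. Splunk anchors it
# to the start of a line; re.MULTILINE with ^ reproduces that here.
BREAK_ONLY_BEFORE = re.compile(r"^\d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)",
                               re.MULTILINE)

def split_events(raw):
    """Cut the stream into events, each starting at a header timestamp line."""
    starts = [m.start() for m in BREAK_ONLY_BEFORE.finditer(raw)]
    ends = starts[1:] + [len(raw)]
    return [raw[a:b].rstrip("\n") for a, b in zip(starts, ends)]

def record_number_as_epoch(event):
    """Decode RecordNumber as a Unix epoch (RFC 1123 string): this is how a
    date-guessing breaker can mistake it for a timestamp."""
    value = int(re.search(r"^RecordNumber=(\d+)$", event, re.MULTILINE).group(1))
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S GMT")

def header_time(event, fmt="%m/%d/%Y %I:%M:%S %p"):
    """Parse the first line. %I (12-hour) is what %p needs; with %H strptime
    ignores the AM/PM marker and PM hours come out wrong."""
    return datetime.strptime(event.splitlines()[0], fmt)

if __name__ == "__main__":
    for ev in split_events(SAMPLE):
        print(header_time(ev).isoformat(), "|", record_number_as_epoch(ev))
```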

jodros
Builder

Awesome! Glad I could help.

arrowsmith3
Path Finder

OK, this is now working!!! Thank you so much for your time and effort on this!!

I didn't realize there was a custom sourcetype on our indexers for the Windows security logs. Once I updated the sourcetype with the BREAK_ONLY_BEFORE statement, it works!!

arrowsmith3
Path Finder

OK, I added the stanza and BREAK_ONLY_BEFORE to our paired indexing servers:

[WinEventLog:Security]
# %I is the 12-hour clock, which the %p (AM/PM) field requires; %H is 24-hour
TIME_FORMAT = %m\/%d\/%Y %I:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

Still the same issue; it only happens on 2 of the 5 DCs we have... strange.

0 Karma

jodros
Builder

The TIME_FORMAT might not be needed. Also, I see some issues with the regex on the BREAK_ONLY_BEFORE. It might be due to formatting when you pasted into the comment. Please verify that the regex is exactly what I submitted earlier in the ticket.

Also, please be sure that this goes into the props.conf on the indexing server. Do you run a distributed Splunk environment, or single server instance?

0 Karma

arrowsmith3
Path Finder

The only thing I have in my props.conf (etc/system/local) file is what was given above:

[default]

[WinEventLog:Security]
# %I is the 12-hour clock, which the %p (AM/PM) field requires; %H is 24-hour
TIME_FORMAT = %m\/%d\/%Y %I:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

We are defining most of our regex extractions in the default search app. None of them are defined for Windows; we have been using the default auto extractions for Windows-based logging and any search-time regex when needed.

0 Karma

jodros
Builder

Is it possible to include a sanitized props.conf?

0 Karma

arrowsmith3
Path Finder

No go on either in the props.conf. Still showing the line break as indicated above.

0 Karma

jodros
Builder

I would still try the BREAK_ONLY_BEFORE to see if that resolves the issue. You don't have to try the TIME_FORMAT if the BREAK_ONLY_BEFORE resolves it.

0 Karma

arrowsmith3
Path Finder

No, it appears to be timestamped the same as the top half.

0 Karma