Splunk Search

Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw
Explorer

I'm trying to perform a seemingly simple task, which is to search for failed logins in my AD environment. Here's the search I used, found in another Answer:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"

Great! I found some failed logins. Now I want specific information out of this event, which is the "Account Name" of the user who's having a problem. Ewwww, but with Microsoft's lovely log format, they so graciously supply TWO "Account Name" fields with the same name:

11/15/10 03:41:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=SERVERNAME.DOMAIN.NAME
TaskCategory=Logon
OpCode=Info
RecordNumber=30965331
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SERVERNAME$  <-- 1st occurrence
    Account Domain:     DOMAIN
    Logon ID:       0x3e7

Logon Type:         8

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       username    <-- 2nd occurrence
    Account Domain:     domain.name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x1a40
    Caller Process Name:    C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: 11.22.33.44
    Source Port:        2453

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
<snip>

I want that second occurrence of "Account Name" (which holds username). Now you may already be thinking, hey buddy this question has been asked before -- go search because the answers out there (one, two) are to use "| eval newVar=mvindex(Account_Name,1)"...

...but hear me out. It's not behaving as expected.

So I adjust my search to store the 2nd occurrence of "Account Name" in a new variable and dump them into a table:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| eval newVar=mvindex(Account_Name,1)
| table Account_Name newVar

Here's the problem: this results in

SERVERNAME$    <blank>    

I can't get the value of the 2nd occurrence. Reading the documentation on Parse Fields With Multiple Values doesn't shed any light on my problem.

So I tried grabbing the last value, "newVar=mvindex(Account_Name,-1)", but that outputs blank as well. So I start to question whether mvindex is doing anything... but the strange thing is that "newVar=mvindex(Account_Name,0)" seems to store/retrieve just fine, despite it not being the data I want.

Can someone point me in the right direction? Thanks in advance.

Running 4.1.5 Linux x86_64


ziegfried's solution:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<Wanted_Account>\V+)"
| table _time Account_Name Wanted_Account ComputerName Failure_Reason src_ip Workstation_Name

2 Solutions

bwooden
Splunk Employee

How are you extracting the Account_Name field(s)?
What does this return?

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)" 
| eval Wanted_Account=mvindex(Account_Name,1)
| table Wanted_Account


0 Karma

ziegfried
Influencer

One option is to extract the Account Name after the occurrence of "Account For Which Logon Failed":

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<wanted_account>\V+)"
| table wanted_account


0 Karma
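Both solutions above re-extract the name from _raw instead of relying on the default Account_Name field, which in the question holds only the first occurrence, so mvindex(Account_Name,1) has nothing at index 1 and comes back blank. The Python below is an added illustration, not code from either answer or from Splunk: it replays the two rex patterns over a constructed 4625 event (modelled on the one in the question, not captured from a real host) and over a constructed variant where the Subject's Account Name is "-", a value pstraw reports seeing as the first occurrence. It shows the caveat with the positional approach: bwooden's `\w+\$?` pattern does not match "-", so the first occurrence is skipped, the index shifts, and mvindex(...,1) is blank again, while ziegfried's section-anchored regex is unaffected. Python's re module has no `\V`, so `[^\r\n]+` (the same meaning, a run of non-line-break characters) stands in for it; the function names and the mvindex approximation are this example's own.

```python
import re

# Constructed sample 4625 event, modelled on the one in the question (not a real capture).
SAMPLE_4625 = """11/15/10 03:41:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
Message=An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SERVERNAME$
    Account Domain:     DOMAIN
    Logon ID:       0x3e7

Logon Type:         8

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       username
    Account Domain:     domain.name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a
"""

# Constructed variant: the Subject's Account Name is "-", which pstraw reports
# seeing as the first Account_Name value in his events.
SAMPLE_4625_DASH = SAMPLE_4625.replace("SERVERNAME$", "-")

# Same pattern as bwooden's: | rex max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)"
POSITIONAL = re.compile(r"Account Name:\s+(\w+\$?)")

# Same pattern as ziegfried's:
# | rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<wanted_account>\V+)"
# Python's re has no \V, so [^\r\n]+ (a run of non-line-break characters) stands in for it.
ANCHORED = re.compile(r"Account For Which Logon Failed.+?Account Name:\s+([^\r\n]+)",
                      re.DOTALL)


def mvindex(values, idx):
    """Approximation of Splunk's mvindex(): a single value acts as a one-element
    multivalue field, and an out-of-range index yields null (a blank cell)."""
    if values is None:
        return None
    if isinstance(values, str):
        values = [values]
    try:
        return values[idx]
    except IndexError:
        return None


def default_account_name(event):
    """Stand-in for the single-valued Account_Name field in the question:
    only the first matching 'Account Name:' line is kept."""
    m = POSITIONAL.search(event)
    return m.group(1) if m else None


def positional_account_name(event, idx=1):
    """bwooden's approach: re-extract every occurrence (max_match), then pick by index."""
    return mvindex(POSITIONAL.findall(event), idx)


def anchored_account_name(event):
    """ziegfried's approach: take the Account Name that follows the
    'Account For Which Logon Failed' section header, regardless of position."""
    m = ANCHORED.search(event)
    return m.group(1).strip() if m else None


def compare(event):
    """Run all three extractions over one event and return the results side by side."""
    default = default_account_name(event)
    return {
        "mvindex(Account_Name,1) on the default field": mvindex(default, 1),
        "positional max_match then mvindex(...,1)": positional_account_name(event, 1),
        "anchored on section header": anchored_account_name(event),
    }


if __name__ == "__main__":
    cases = (("normal event", SAMPLE_4625), ("Subject name is '-'", SAMPLE_4625_DASH))
    for label, event in cases:
        print(label)
        for method, value in compare(event).items():
            print(f"  {method}: {value!r}")
```

On the normal event the positional and anchored approaches both give "username" while mvindex on the single-valued default field gives blank. On the "-" variant the positional approach captures only one value, so index 1 is blank and index 0 now holds the failed-logon account rather than the Subject; the anchored approach still returns "username". In SPL the same caveat applies to bwooden's rex, and anchoring on the section header, as ziegfried does, is the safer choice when the first Account Name can be "-".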

aberdamy
Explorer

How do I combine this with the "User_Name" field from the Windows 2003 "529" events? I want to create a top 10 count by the User_Name + Account_Name.

0 Karma

pstraw
Explorer

Your query is working now. Edit to remove the stray backtick in EventCode<="537".

0 Karma

ziegfried
Influencer

I forgot to add the multiline and dot-all flags to the regex. I've edited the search expression above.

0 Karma

pstraw
Explorer

wanted_account in the Results Table returns blank for this query.

0 Karma

pstraw
Explorer

Account_Name in the Events table/view shows the 1st occurrence, which typically is "-" or SERVERNAME$.

Am I correct in my understanding that in the Events view/table you cannot display custom/new variables? Those will only display in the Results view/table?

0 Karma

hulahoop
Splunk Employee

When you show Account_Name as an enabled field in the Event Viewer, do you get multiple occurrences of Account_Name or just 1 occurrence with the value being the 1st extraction (SERVERNAME$)?

0 Karma

pstraw
Explorer

Thank you bwooden! Your rex helped.

0 Karma

pstraw
Explorer

Added results of your query to the original post. Sure wish there was a code tag function in comments. Thanks for your help so far.

0 Karma