Re: Extract value from Microsoft-windows-PrintServ...

borshoff · ‎08-02-2017

H!
We have MS-Windows-Printservice log, and we need to extract "Param*" Fields:

<Param1>156</Param1><Param2>***</Param2><Param3>****</Param3><Param4>\****</Param4><Param5>****</Param5><Param6>USB002</Param6><Param7>393069</Param7><Param8>1</Param8>

Source log:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PrintService' Guid='{747EF6FD-E535-4D16-B510-42C90F6873A1}'/><EventID>307</EventID><Version>0</Version><Level>4</Level><Task>26</Task><Opcode>11</Opcode><Keywords>0x4000000000000840</Keywords><TimeCreated SystemTime='2017-07-29T14:05:53.902748400Z'/><EventRecordID>164873</EventRecordID><Correlation/><Execution ProcessID='1392' ThreadID='46040'/><Channel>Microsoft-Windows-PrintService/Operational</Channel><Computer>888</Computer><Security UserID='88888'/></System><UserData><DocumentPrinted xmlns:auto-ns3='http://schemas.microsoft.com/win/2004/08/events' xmlns='http://manifests.microsoft.com/win/2005/08/windows/printing/spooler/core/events'><Param1>156</Param1><Param2>8888</Param2><Param3>88888</Param3><Param4>88888</Param4><Param5>*****</Param5><Param6>USB002</Param6><Param7>393069</Param7><Param8>1</Param8></DocumentPrinted></UserData><RenderingInfo Culture='en-US'><Message></Message><Level></Level><Task></Task><Opcode></Opcode><Channel></Channel><Provider></Provider><Keywords></Keywords></RenderingInfo></Event>

What props.conf we need?
Thx

sbbadri · ‎08-02-2017

try below

[ testxmlst ]
CHARSET=UTF-8
DATETIME_CONFIG=CURRENT
KV_MODE=xml
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true

Extract value from Microsoft-windows-PrintService log

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?