Knowledge Management

How can I tag Windows system accounts?

ja_s
New Member

I want to be able to tag Windows system accounts, but it doesn't seem to be working correctly in 5.0 and 5.0.1, installed on Linux. I have Windows machines with Splunk forwarders on them, and they are recording events that have the following users:

  • ANONYMOUS LOGON
  • LOCAL SERVICE
  • NETWORK SERVICE
  • MYCOMPUTERNAME$

I can create tags for them, but because they have spaces and dollar signs in their names, they show on the Tags Manager pages with the URI-encoded equivalent, so that spaces become %20 and the dollar sign becomes %24. When I try to modify the key/value pair or change its permissions from, for example, the "List by field value pair" page, I get a 404 with the message:

  • Splunk cannot find "saved/fvtags/user=ANONYMOUS%20LOGON".
0 Karma
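The account names in the question, worked through as an added example that is not part of the original thread or of Splunk's own code. It reproduces the percent-encoded object names the question reports (spaces as %20, the dollar sign as %24, with the "=" left as-is to match the 404 text), decodes them back to a field/value pair, and writes and re-reads the equivalent tags.conf stanzas (Splunk's documented "[<field>=<value>]" / "<tag> = enabled" form) so the same tags can be managed in the conf file instead of the Tags Manager UI. The tag name windows_system_account is hypothetical, and the encoding functions model what the page shows, not Splunk's internal URL handling.

```python
"""Added example: round-trip Splunk field/value tag names with spaces and '$'
and manage the same tags through tags.conf stanzas instead of the UI."""
import configparser
from urllib.parse import quote, unquote

# Constructed sample: the Windows accounts listed in the question.
WINDOWS_SYSTEM_ACCOUNTS = [
    "ANONYMOUS LOGON",
    "LOCAL SERVICE",
    "NETWORK SERVICE",
    "MYCOMPUTERNAME$",
]


def fvtag_name(field, value):
    """Field/value pair name as the Tags Manager URL shows it: spaces -> %20,
    '$' -> %24. Leaving '=' unencoded is an assumption made to match the
    404 text in the question (saved/fvtags/user=ANONYMOUS%20LOGON)."""
    return quote(f"{field}={value}", safe="=")


def parse_fvtag_name(name):
    """Inverse of fvtag_name: decode the percent-encoded name back to
    (field, value). Only the first '=' splits field from value, so a value
    that itself contains '=' survives."""
    field, _, value = unquote(name).partition("=")
    return field, value


def tags_conf_stanzas(field, values, tagname):
    """Render tags.conf stanzas: [<field>=<value>] followed by <tag> = enabled.
    The stanza header is written literally, spaces and '$' included, with no
    quoting or percent-encoding."""
    lines = []
    for v in values:
        lines.append(f"[{field}={v}]")
        lines.append(f"{tagname} = enabled")
        lines.append("")
    return "\n".join(lines)


def load_tags_conf(text):
    """Parse tags.conf text into {(field, value): {tag: is_enabled}}.
    configparser keeps key case (optionxform=str) and has interpolation
    disabled so a '%' in a value is not treated specially; section names
    may contain spaces and '$' without any escaping."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    result = {}
    for section in cp.sections():
        field, _, value = section.partition("=")
        result[(field, value)] = {
            tag: cp[section][tag].strip().lower() == "enabled"
            for tag in cp[section]
        }
    return result


def tags_for(field, value, tagmap):
    """Enabled tag names for an exact field/value match (assumed model)."""
    return sorted(t for t, on in tagmap.get((field, value), {}).items() if on)


if __name__ == "__main__":
    conf = tags_conf_stanzas("user", WINDOWS_SYSTEM_ACCOUNTS, "windows_system_account")
    print(conf)
    tagmap = load_tags_conf(conf)
    for acct in WINDOWS_SYSTEM_ACCOUNTS:
        name = fvtag_name("user", acct)
        print(name, "->", parse_fvtag_name(name), tags_for("user", acct, tagmap))
```

Once the stanzas are in a tags.conf under the app where the tags should live (and the app is reloaded or Splunk restarted), events from those accounts should answer to a search on tag::user=windows_system_account, the same tag::user form DaveSavage mentions below. Assumption: field-value matching is shown here as an exact string comparison, which is a local model for the demo rather than a statement about Splunk's matching rules.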

DaveSavage
Builder

Not tested - but Splunk usually likes field names with spaces in them to be represented within a set of quotes? "ANON LOGON".
Edit - you have seen ANONYMOUS LOGON in a log coming through? I ask because the standard convention for Windows is ANONYMOUS on its own. Logon is a separate field?

0 Karma

DaveSavage
Builder

ja_s...I understand re security eventlog. I ran it (on 4.3) and did not have any errors. My v5 lab is down at the mo'...will try there. tag::user="foo" at search line worked as well.

0 Karma

ja_s
New Member

No, I don't want the above to be tag names, those are the usernames that Windows uses. Search on user="NETWORK SERVICE" if you have a Windows client. I have several coming from the Security Eventlog. Make user a selected field, pull down "Tag user=NETWORK SERVICE", put in "foo" for tag name, then go to Manager » Tags » List by field value pair then select user=NETWORK%20SERVICE and you will get a 404.

0 Karma

DaveSavage
Builder

Try this (sorry - a bit slow tonight). Create a new tag with name of ANON_LOGON, add field value pair of user="ANONYMOUS" and another value of action="login attempt".
If that fails, try running the search manually. My test was: user="admin" action="login attempt" | top user host source sourcetype | fields - percent
But I was using "admin" because I know I have those and no anons in the indexes.
You may also need to create more values for user="anonymous" OR user="ANONYMOUS"

0 Karma

DaveSavage
Builder

Tag names don't have quotes, nor spaces. If you really want the tag name to be similar to that, then use ANONYMOUS_LOGON as its name. The field value pair would be user="ANONYMOUS" etc.?

0 Karma

ja_s
New Member

Well, that's fine, but I created the tags via the pull-down on the "user" selected field. However, I did manually add them with quotes, as you suggest, via the Tags Manager, but they don't seem to get tagged in results.

0 Karma