Solved: Re: Windows TA not Parsing "Error_Code" from 4776 ...

jerm1020rq · ‎02-18-2020

Searching: index=sec_windows source=wineventlog:security EventCode=4776 action=failure

should return a field called Error_Code which signifies the error encountered by the authenticating user. This field parses "-" for everything which is incorrect. I have tried to use field extractor, but that still hasn't worked. I don't know why.

If I extract the field "inline":

| rex field=Message "Error\sCode:\s+(?0[^\s]+)"

it works but there are way too many events to do this

spayneort · ‎02-23-2020

It looks like there is a field alias overwriting this field. Try adding this to /opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf on your search head:

[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code

Reference: https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Fieldaliasbehaviorchange

View solution in original post

spayneort · ‎02-23-2020

It looks like there is a field alias overwriting this field. Try adding this to /opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf on your search head:

[source::WinEventLog:Security]
FIELDALIAS-Status_as_Error_Code = Status ASNEW Error_Code

Reference: https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Fieldaliasbehaviorchange

Windows TA not Parsing "Error_Code" from 4776 Logs

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases