How to filter Windows Security Event Logs containing machine name as username?

caroline_fortun
Explorer

Hello everyone,

I'm trying to filter some Windows Security Event Logs that contain the machine name as the username.
To do this I created the props.conf and transforms.conf files as below on the Windows machines where I've installed the Splunk Forwarder (/etc/system/local and /etc/apps/Splunk_TA_Windows/local).

props.conf

[WinEventLog:Security]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = (?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)(.*Security ID:.*\$).*Account.*
DEST_KEY = queue
FORMAT = nullQueue

Are there any errors in my regex? Do I have to do something else?
I already put the files on the indexer too, but I am still getting events.

Best Regards,
Caroline Fortunato


Lowell
Super Champion

By Splunk forwarder do you mean "Universal Forwarder"? If so, please note that the Universal Forwarder does not handle data parsing; that's handled by the receiving system, like your Splunk Indexer.

If you place this configuration on your indexer and restart it, this filter should take effect for new events as they arrive.

This blog post may also be of interest to you: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/


Update:

A possible, more efficient regex. (Test with your actual events before using it.)

REGEX = (?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)[\r\n].*?[\r\n]\s+Security ID:\s+[^\r\n]+\$[\r\n]
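
As an added check (not part of the thread or of Splunk's own code), the harness below replays both REGEX values from this thread over constructed WinEventLog:Security events, so you can confirm which events would go to nullQueue before the configuration is placed on the parsing tier. The event layout, host and account names are constructed samples.

```python
import re

# Added harness (not from the thread or from Splunk): replays the thread's two
# transforms.conf REGEX values over constructed WinEventLog:Security events so the
# filter can be checked offline before it goes onto the parsing tier. Splunk
# evaluates REGEX with PCRE; Python's re agrees for these constructs.
EVENT_CODES = r"(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)"

# The original poster's [setnull] pattern, as posted.
ORIGINAL_REGEX = r"(?ms)EventCode=" + EVENT_CODES + r"(.*Security ID:.*\$).*Account.*"

# Lowell's tighter pattern: anchored to the event header and to the end of the
# "Security ID:" line, so only a value ending in "$" (a machine account) matches.
TIGHTER_REGEX = (
    r"(?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+"
    r"EventCode=" + EVENT_CODES + r"[\r\n].*?[\r\n]\s+Security ID:\s+[^\r\n]+\$[\r\n]"
)

def make_event(event_code, security_id, account_name):
    """Build a constructed event in the classic multi-line WinEventLog layout."""
    return "\n".join([
        "05/23/2014 10:15:22 AM",
        "LogName=Security",
        "SourceName=Microsoft Windows security auditing.",
        f"EventCode={event_code}",
        "ComputerName=WS01.example.local",
        "Message=An account was successfully logged on.",
        "",
        "Subject:",
        f"\tSecurity ID:\t\t{security_id}",
        f"\tAccount Name:\t\t{account_name}",
        "\tAccount Domain:\t\tEXAMPLE",
        "\tLogon ID:\t\t0x3E7",
    ])

# Constructed samples: a machine-account logon, a human logon, and an event code
# outside the list (kept even though the account is a machine account).
MACHINE_LOGON = make_event(4624, r"EXAMPLE\WS01$", "WS01$")
USER_LOGON = make_event(4624, r"EXAMPLE\jdoe", "jdoe")
UNLISTED_CODE = make_event(4688, r"EXAMPLE\WS01$", "WS01$")

def would_be_dropped(event, pattern=TIGHTER_REGEX):
    """True when REGEX matches, i.e. the event would be routed to nullQueue."""
    return re.search(pattern, event) is not None

def kept_events(events, pattern=TIGHTER_REGEX):
    """Events that survive the setnull transform under the given pattern."""
    return [e for e in events if not would_be_dropped(e, pattern)]
```

Swap the constructed samples for a few real events exported from your index (keeping the same multi-line layout) to verify the pattern against your actual data.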

caroline_fortun
Explorer

Hello Lowell,

I discovered the problem. I am using a heavy forwarder between the Windows machines and the indexer, so parsing occurs at the heavy forwarder.
I put the files on the heavy forwarder machine, restarted Splunk, and it worked.

Thanks for your help!

Regards,
Carol

Lowell
Super Champion

Yeah, sorry, I missed that comment at the end the first time I read through it. I'm looking closer at the regex now. It looks inefficient, but I'm not sure if it's actually wrong. Without a sample event it's difficult to say for sure. Have you tested it using any tools like RegexBuddy or Kodos? Oh, keep in mind that the blog post is only relevant for the most recent versions of Splunk.


caroline_fortun
Explorer

I placed the files on the indexer too but it didn't work. I'll have a look at the post.
