The event contains a 'before' and 'after' list of permissions and user SIDs. I can get Splunk to extract the entire 'before' list and the entire 'after' list, but only as single events.
But I need to break it down into a list of individual Permission and SID.
This is the entire event:
2020-12-07 22:45:51.123 91046 SUCCESS Domain\User Archive Permissions Archive 133481FD9531D0347BBCE92FFF45B4FE11110000evaultcol <Archive ArchiveID="133481FD9531D0347vaultcol" ArchiveName="Last, First"><OldManualSD>D:(A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502267-1960408961-839522115-10875)(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406856)(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406857)</OldManualSD><NewManualSD>D:(A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502267-1960408961-839522115-10875)(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406856)(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406857)(A;;CCDCSWRPDT;;;S-1-5-21-299502267-1960408961-839522115-3949157)</NewManualSD></Archive> ServerName
The 'before' list is between the <OldManualSD> and </OldManualSD> tags; the 'after' list is between the <NewManualSD> and </NewManualSD> tags.
The Permissions field is between the ;; and ;;; delimiters and is followed by the SID. There is a varying number of permissions/SIDs in each event.
I can get part way there; the ex_OldManual_GP and ex_NewManual_GP fields extract from the "Info" field and contain the before and after, but trying to get a second extraction based off ex_OldManual_GP and ex_NewManual_GP always fails.
From the event above, I would like:
OldManual = A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502367-1960408961-839522117-10475
OldManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406456
OldManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406457
NewManual = A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502367-1960408961-839522117-10875
NewManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406456
NewManual = A;;CCSW;;;S-1-5-21-299502367-1960408961-839522117-2406457
NewManual = A;;CCDCSWRPDT;;;S-1-5-21-299502367-1960408961-839522117-3949147
Any ideas?
My transforms.conf file:
[ex_fields_extract]
FIELDS = "AuditDate","AuditID","Status","UserName","CategoryName","SubCategoryName","ObjectID","Vault","info","MachineName"
DELIMS = "\t"
[ex_OldManual_GP]
SOURCE_KEY = info
REGEX=\>(<OldManualSD>D:)((?P<OldManual_GP>.*))(<\/OldManualSD>)
[ex_NewManual_GP]
SOURCE_KEY = info
REGEX=\>(<NewManualSD>D:)((?P<NewManual_GP>.*))(<\/NewManualSD>)
[ex_OldManual_MV]
SOURCE_KEY = OldManual_GP
REGEX=;;(?P<perm>\w+);;;*
MV_ADD=true
[ex_NewManual_MV]
SOURCE_KEY = NewManual_GP
REGEX=(?<NewManual>[^,]+),*
MV_ADD=true
My props.conf file:
[exlogs]
REPORT-ex_fields = ex_fields_extract
REPORT-mvalue = ex_OldManual_MV, ex_NewManual_MV, ex_NewManual_GP, ex_OldManual_GP
SHOULD_LINEMERGE = false
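The two-stage extraction the question is after, as an added stand-alone example (not part of the original post and not Splunk code): stage one pulls the SDDL DACL string out of each ManualSD tag, stage two splits it into one ACE per value in the 'A;;CCSW;;;S-1-5-...' form shown above, and a final step diffs before and after so a reviewer can see which permission/SID pairs were granted or removed. The event text is a constructed copy of the one in the question with the forum-mangled 'D:' restored.

```python
import re

# Constructed copy of the event from the question ('D:' restored after the tag).
EVENT = (
    '2020-12-07 22:45:51.123 91046 SUCCESS Domain\\User Archive Permissions Archive '
    '133481FD9531D0347BBCE92FFF45B4FE11110000evaultcol '
    '<Archive ArchiveID="133481FD9531D0347vaultcol" ArchiveName="Last, First">'
    '<OldManualSD>D:(A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502267-1960408961-839522115-10875)'
    '(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406856)'
    '(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406857)</OldManualSD>'
    '<NewManualSD>D:(A;;CCDCLCSWRPWPDT;;;S-1-5-21-299502267-1960408961-839522115-10875)'
    '(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406856)'
    '(A;;CCSW;;;S-1-5-21-299502267-1960408961-839522115-2406857)'
    '(A;;CCDCSWRPDT;;;S-1-5-21-299502267-1960408961-839522115-3949157)</NewManualSD>'
    '</Archive> ServerName'
)

# Stage 1: the whole DACL between <OldManualSD>D: ... </OldManualSD> (and New).
SD_RE = re.compile(r"<(Old|New)ManualSD>D:(?P<dacl>.*?)</\1ManualSD>")
# Stage 2: one ACE per "(type;flags;rights;;;sid)" group inside the DACL.
ACE_RE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[^;]*);(?P<rights>[^;]*);;;(?P<sid>S-[\d-]+)\)"
)

def extract_aces(event):
    """Return {'Old': [...], 'New': [...]}; each ACE is a dict with type/flags/rights/sid
    plus 'raw', the 'A;;CCSW;;;S-1-5-...' text the question wants as one multivalue entry."""
    out = {"Old": [], "New": []}
    for sd in SD_RE.finditer(event):
        for ace in ACE_RE.finditer(sd.group("dacl")):
            entry = ace.groupdict()
            entry["raw"] = ace.group(0)[1:-1]   # strip the surrounding parentheses
            out[sd.group(1)].append(entry)
    return out

def diff_aces(event):
    """Defender's view of the change: (rights, sid) pairs granted or removed."""
    aces = extract_aces(event)
    old = {(a["rights"], a["sid"]) for a in aces["Old"]}
    new = {(a["rights"], a["sid"]) for a in aces["New"]}
    return {"added": sorted(new - old), "removed": sorted(old - new)}

if __name__ == "__main__":
    for which, entries in extract_aces(EVENT).items():
        for e in entries:
            print(f"{which}Manual = {e['raw']}")
    print(diff_aces(EVENT))
```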