Windows security event log regex help

chowell · ‎06-28-2010

I need a regex that can process all security events with eventid 540 that don't contain $, SYSTEM, or ANONYMOUS LOGON. I am genetically incapable of creating such a regex, so thanks for the help.

Lowell · ‎06-28-2010

Are you looking for those values in specific fields, or just anywhere in the event? If you are looking for them just anywhere in the event, then I would suggest that you don't use regex at all. Simply do a search like this:

sourcetype=WinEventLog:Security EventCode=540 NOT ("SYSTEM" OR "ANONYMOUS LOGON" OR "$")

However, that may be a bit too loose. For example, the term "system" could occur else where in your event, and perhaps a clever hacker would attempt to hide logon attempts by using a "$" as part of their username,.... So perhaps it's would be better to be slightly more specific about what we want to filter out.

So, this may be a better search:

sourcetype=WinEventLog:Security "EventCode=540" NOT ("User=SYSTEM" OR "User=ANONYMOUS LOGON" OR USER="*$")

(Notice the usage of quotes around the entire expressions--this make splunk look for those literal terms in the index, rather than doing a field matching, which should result in a faster search)

I'm not sure about the USER="*$" part, that does give difference results than simply searching for "$", so you'll have to play around and see what results you really want.

rayfoo · ‎06-28-2010

how about this?

eventid="540" | regex _raw!="(\$|SYSTEM|ANONYMOUS LOGON)"

Windows security event log regex help

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases