Greetings,
We've been having an issue extracting a few fields from the following event specifically. This Windows event has the Message field containing the desired fields; the values for those desired fields, however, are carriage-returned and evade the built-in extraction tools as well as erex.
Full Event as it exists raw:
11/01/2013 02:23:15 PM
LogName=Directory Service
SourceName=Microsoft-Windows-ActiveDirectory_DomainService
EventCode=2889
EventType=4
Type=Information
ComputerName=*******
User=*****
Sid=***
SidType=*
TaskCategory=LDAP Interface
OpCode=None
RecordNumber=******
Keywords=Classic
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
IPADDRESS:PORT
Identity the client attempted to authenticate as:
Domain\Username
The particular values we wish to extract:
Client IP address:
IPADDRESS:PORT
Identity the client attempted to authenticate as:
Domain\Username
The built-in utilities actually skip the two fields and only display the data up to the first carriage return between the message statement and "Client IP address:"; this may be why it also breaks erex, as the built-in extractor does not even see the data it would need to learn the extraction.
Additionally, we have tried a few props/transforms configurations that I've seen floating around here to aid in extracting values out of the Windows Message field, but those seem to make no difference either on these two data fields with the carriage return.
Thanks!
Brandon
Added for Luke below:
Sure thing, here it is right off that raw search, with various items redacted to make our security guy happy.
11/14/2013 11:35:11 AM LogName=Directory Service SourceName=Microsoft-Windows-ActiveDirectory_DomainService EventCode=2889 EventType=4 Type=Information ComputerName#### User=#### Sid#### SidType=5 TaskCategory=LDAP Interface OpCode=None RecordNumber=1681746 Keywords=Classic Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: ####:#### Identity the client attempted to authenticate as: #### \ ####
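Added example, not code from the original post or from Splunk: a Python parser that pulls the client IP, port, domain and user out of an event 2889 whether the label and its value are separated by a line break (the multi-line raw event) or by a space (the single-line raw-search rendering). Host names, addresses and account names in the sample event are constructed.

```python
import re
from typing import Optional

# Constructed sample of a Directory Service event 2889 as it arrives from a
# Windows forwarder: the Message field continues over CRLF line breaks.
SAMPLE_EVENT_2889 = (
    "11/01/2013 02:23:15 PM\r\n"
    "LogName=Directory Service\r\n"
    "SourceName=Microsoft-Windows-ActiveDirectory_DomainService\r\n"
    "EventCode=2889\r\n"
    "EventType=4\r\n"
    "Type=Information\r\n"
    "ComputerName=DC01.example.test\r\n"
    "TaskCategory=LDAP Interface\r\n"
    "Keywords=Classic\r\n"
    "Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) "
    "LDAP bind without requesting signing (integrity verification), or performed a "
    "simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.\r\n"
    "Client IP address:\r\n"
    "192.0.2.10:49152\r\n"
    "Identity the client attempted to authenticate as:\r\n"
    "CORP\\jdoe\r\n"
)

# \s+ between label and value accepts a line break, a space, or both, so one
# pattern covers the multi-line event and the flattened raw-search rendering.
# The non-greedy client_ip group stops at the ':' that is followed by the port
# and whitespace, which keeps an IPv6 address (with its own colons) intact.
# Spaces around the backslash are tolerated ("DOMAIN \ user" in a raw search).
_RE_2889 = re.compile(
    r"Client IP address:\s+(?P<client_ip>\S+?):(?P<client_port>\d+)\s+"
    r"Identity the client attempted to authenticate as:\s+"
    r"(?P<domain>[^\\\s]+)\s*\\\s*(?P<user>\S+)"
)


def parse_event_2889(event: str) -> Optional[dict]:
    """Return client_ip, client_port, domain and user for an event 2889, else None."""
    if "EventCode=2889" not in event:
        return None
    match = _RE_2889.search(event)
    return match.groupdict() if match else None
```

The same regex flavour works in a Splunk extraction because it spans the line break with `\s+` rather than relying on `.` matching a newline.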