Hello list,
I have a requirement where I imported a Windows Event log (CSV format) into Splunk, and now I need to extract specific fields out of that log.
I tried field extraction, newbie alert, and went nowhere... I will appreciate it if someone can help me with this...
Requirement:
I need to report on the Logon ID and the workstation type used by that Logon ID.
Here's how the logs look:
1:02:58.000 PM Information 12/30/2010 1:02:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: XXXXXXXX
Account Domain: CORP
Logon ID: 0x3e7
Logon Type: 8
New Logon:
Security ID: XXXX\XXXXX
Account Name: EEEEEEE
Account Domain: CORP
Logon ID: 0x1d34affb6
Logon GUID: {8BBCB019-8C3B-F16A-8DBB-702C6D5840DE}
Process Information:
Process ID: 0x2694
Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: XXXXXXX
Source Network Address: 11.11.11.11
Source Port: 11099
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
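As an added example (not part of the original post), here is a regex extraction over the 4624 event pasted above. The point a newcomer usually misses is that the event carries two "Logon ID" lines, the Subject and the New Logon, and the report needs the second one; the sample event is constructed from the posted values, and the Splunk `rex` lines in the trailing comment are an assumed equivalent, not something from the post.

```python
import re

# Constructed sample: the 4624 event pasted in the question, placeholder values kept.
SAMPLE_EVENT = (
    "12/30/2010 1:02:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "
    '"An account was successfully logged on.\n'
    "Subject:\n Security ID: SYSTEM\n Account Name: XXXXXXXX\n Account Domain: CORP\n"
    " Logon ID: 0x3e7\nLogon Type: 8\n"
    "New Logon:\n Security ID: XXXX\\XXXXX\n Account Name: EEEEEEE\n Account Domain: CORP\n"
    " Logon ID: 0x1d34affb6\n Logon GUID: {8BBCB019-8C3B-F16A-8DBB-702C6D5840DE}\n"
    "Process Information:\n Process ID: 0x2694\n"
    " Process Name: C:\\Windows\\System32\\inetsrv\\w3wp.exe\n"
    "Network Information:\n Workstation Name: XXXXXXX\n"
    " Source Network Address: 11.11.11.11\n Source Port: 11099\n"
)

# Logon type codes as documented for Windows event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Two "Logon ID" lines exist: Subject (who requested the logon) and New Logon (the
# session created). Anchoring on the section header with a non-greedy DOTALL match
# selects the right one instead of whichever appears first in the event.
NEW_LOGON_ID_RE = re.compile(r"New Logon:.*?Logon ID:\s*(?P<logon_id>0x[0-9a-fA-F]+)", re.S)
SUBJECT_LOGON_ID_RE = re.compile(r"Subject:.*?Logon ID:\s*(?P<logon_id>0x[0-9a-fA-F]+)", re.S)
# [ \t]* (not \s*) so an empty Workstation Name does not swallow the next line's label.
WORKSTATION_RE = re.compile(r"Workstation Name:[ \t]*(?P<workstation>\S*)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(?P<logon_type>\d+)")
SOURCE_IP_RE = re.compile(r"Source Network Address:\s*(?P<src_ip>\S+)")

def extract_logon_fields(event: str) -> dict:
    """Pull the report fields from one 4624 event; absent fields come back as None."""
    def first(regex, group):
        m = regex.search(event)
        return m.group(group) if m else None

    logon_type = first(LOGON_TYPE_RE, "logon_type")
    return {
        "new_logon_id": first(NEW_LOGON_ID_RE, "logon_id"),
        "subject_logon_id": first(SUBJECT_LOGON_ID_RE, "logon_id"),
        "workstation_name": first(WORKSTATION_RE, "workstation") or None,
        "logon_type": int(logon_type) if logon_type else None,
        "logon_type_name": LOGON_TYPES.get(int(logon_type), "Unknown") if logon_type else None,
        "source_ip": first(SOURCE_IP_RE, "src_ip"),
    }

# Assumed Splunk equivalent of the same two patterns (PCRE syntax, applied to _raw):
#   | rex "(?s)New Logon:.*?Logon ID:\s*(?<new_logon_id>0x[0-9a-fA-F]+)"
#   | rex "Workstation Name:[ \t]*(?<workstation_name>\S*)"
#   | stats values(workstation_name) by new_logon_id

if __name__ == "__main__":
    print(extract_logon_fields(SAMPLE_EVENT))
```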