I'm trying to run a search query like this:
host=linux1 DHCPACK | rex field=_raw "DHCPACK on (?<ip>\S+) to (?<mac>\S+)" | search [search (host="node1" OR host="stadc01" OR host="stadc02") EventCode=540 <<username goes here>> | head 1 | rename Source_Network_Address AS ip | fields ip] | head 1 | table _time ip mac
This finds the latest login for the given username, extracts the IP address from the event log, and then finds and returns the MAC address via some DHCP logs (matching the IPs). This is so that we can find the physical location of the machine. It's giving me various errors, however, not to mention that the current query is incomplete. Any ideas to get the query working right? Thanks for the help 🙂
Example DHCP entry:
8/11/10 2:29:19.000 PM
Aug 11 14:29:19 linux1 dhcpd: DHCPACK on 10.182.171.65 to 00:xx:12:xx:x0:xc via 10.182.171.2
* host=linux1
* sourcetype=syslog
* source=/var/log/syslog
Example EventLog login entry:
8/11/10 2:36:03.000 PM
08/11/10 02:36:03 PM
LogName=Security
SourceName=Security
EventCode=540
EventType=8
Type=Success Audit
ComputerName=DC02
User=<>
Sid=S-1-5-21-767897961-102478171-4665678964-895678
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=1384567698
Message=Successful Network Logon:
User Name: <<USERNAME>>
Domain: STAFF
Logon ID: (0x0,0x1E1EA75)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {9e4539d92-ba06-83435-22td-9ddsfg45b23ec8}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.1.23.123
Source Port: 0
* host=dc2
* sourcetype=WinEventLog:Security
* source=WinEventLog:Security
* linecount=45
* splunk_server=logger
* index=main
Attempted search query (part of the one above):
host=linux1 DHCPACK | rex field=_raw "DHCPACK on (?<ip>\S+) to (?<mac>\S+)"
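The correlation the question asks for (latest EventCode 540 logon for a user, take its Source Network Address, look that IP up in the dhcpd DHCPACK lines to get a MAC), written out as an added stand-alone Python example rather than SPL so the join logic is visible and testable offline. This is not code from the original post or from Splunk. The log lines are constructed to mirror the two event shapes shown above, the usernames (jsmith, asmith, bjones) and MACs are made up, and the year 2010 is assumed for the syslog timestamps, which carry none. It also handles the pitfall the one-line search glosses over: an IP can be re-leased to a different MAC, so the lease that matters is the most recent DHCPACK for that IP at or before the logon time, not simply the newest DHCPACK for that IP.

```python
import re
from collections import namedtuple
from datetime import datetime

# Assumption: dhcpd syslog lines carry no year; 2010 matches the 8/11/10
# timestamps shown in the post.
SYSLOG_YEAR = 2010

# Constructed sample DHCP log (not real data). 10.1.23.123 is leased twice
# to different MACs, which is the case the join must get right.
DHCP_LOG = """\
Aug 11 13:02:10 linux1 dhcpd: DHCPACK on 10.1.23.123 to 00:11:22:33:44:55 via 10.1.23.2
Aug 11 14:29:19 linux1 dhcpd: DHCPACK on 10.182.171.65 to 00:aa:bb:cc:dd:ee via 10.182.171.2
Aug 11 14:31:00 linux1 dhcpd: DHCPACK on 10.1.23.123 to 00:de:ad:be:ef:01 via 10.1.23.2
Aug 11 14:33:40 linux1 dhcpd: DHCPOFFER on 10.1.23.200 to 00:00:00:00:00:01 via 10.1.23.2
"""

# Constructed Windows Security events (not real data), trimmed to the
# fields the join needs; layout follows the EventCode=540 sample above.
WIN_EVENTS = [
    "08/11/10 02:36:03 PM\nEventCode=540\nMessage=Successful Network Logon:\n"
    "User Name: jsmith\nLogon Type: 3\nSource Network Address: 10.1.23.123\nSource Port: 0",
    "08/11/10 01:30:00 PM\nEventCode=540\nMessage=Successful Network Logon:\n"
    "User Name: asmith\nLogon Type: 3\nSource Network Address: 10.1.23.123\nSource Port: 0",
    "08/11/10 09:05:12 AM\nEventCode=540\nMessage=Successful Network Logon:\n"
    "User Name: jsmith\nLogon Type: 3\nSource Network Address: 10.5.5.5\nSource Port: 0",
    "08/11/10 10:00:00 AM\nEventCode=540\nMessage=Successful Network Logon:\n"
    "User Name: bjones\nLogon Type: 3\nSource Network Address: 10.5.5.5\nSource Port: 0",
    "08/11/10 02:40:00 PM\nEventCode=538\nMessage=User Logoff:\n"
    "User Name: jsmith\nLogon Type: 3",
]

Lease = namedtuple("Lease", "ts ip mac")
Logon = namedtuple("Logon", "ts user ip")

# \S+ rather than .* so the MAC does not swallow "via <relay>".
DHCPACK_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) via "
)


def parse_dhcp(text):
    """Return one Lease per DHCPACK line; offers, requests etc. are ignored."""
    leases = []
    for line in text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        leases.append(Lease(ts, m["ip"], m["mac"]))
    return leases


def _field(event, name):
    """Value of a 'Name: value' or 'Name=value' line; anchored so that
    'Caller User Name' does not match a lookup of 'User Name'."""
    m = re.search(rf"^{re.escape(name)}[:=]\s*(\S*)\s*$", event, re.M)
    return m.group(1) if m else None


def parse_logons(events):
    """Return a Logon for every EventCode 540 that carries a source address."""
    logons = []
    for ev in events:
        if _field(ev, "EventCode") != "540":
            continue
        user, ip = _field(ev, "User Name"), _field(ev, "Source Network Address")
        if not user or not ip:
            continue
        ts = datetime.strptime(ev.splitlines()[0].strip(), "%m/%d/%y %I:%M:%S %p")
        logons.append(Logon(ts, user, ip))
    return logons


def latest_logon(logons, user):
    mine = [l for l in logons if l.user.lower() == user.lower()]
    return max(mine, key=lambda l: l.ts) if mine else None


def mac_for_ip_at(leases, ip, when):
    """MAC that held `ip` at `when`: the newest DHCPACK for that IP at or
    before `when`. A later ack belongs to a lease the logon never used."""
    hits = [l for l in leases if l.ip == ip and l.ts <= when]
    return max(hits, key=lambda l: l.ts).mac if hits else None


def locate(user, events=WIN_EVENTS, dhcp_text=DHCP_LOG):
    """Join a user's latest logon to the DHCP lease active at that moment.
    Returns None if the user never logged on; mac is None if no lease matched."""
    logon = latest_logon(parse_logons(events), user)
    if logon is None:
        return None
    return {"user": logon.user, "logon_time": logon.ts, "ip": logon.ip,
            "mac": mac_for_ip_at(parse_dhcp(dhcp_text), logon.ip, logon.ts)}
```

Calling `locate("jsmith")` returns the 14:31 lease (00:de:ad:be:ef:01), not the earlier one for the same IP, while `locate("asmith")`, whose logon predates that renewal, resolves to 00:11:22:33:44:55. A Splunk search that simply takes `head 1` of the DHCPACK events for the IP gets the first case right only because the newest lease happens to be the right one; if the DHCP index is searched over a window that extends past the logon, the same guard (lease time at or before logon time) is needed there too. Also note that Source Network Address on a Logon Type 3 event is the client that opened the network session to the domain controller, which for users going through a proxy, terminal server or VPN concentrator is that intermediate host rather than the user's own machine.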