Hello, I need to monitor two different types of events for some servers, the authentication events (4624,4634,4625) for the admin users and some Event ID related to change events (5145,4663,4659) for a specific path. Baiscally I created a server class for the inputs.conf deployment, adding this: ###### OS Logs ###### [WinEventLog://Security] disabled = 0 index = windows_tmp followTail=true start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 whitelist = (EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*)) renderXml=false     I already tested the regex in regex101 https://regex101.com/r/LIaMnU/1 and it seems working fine, but in Splunk I'm receiving all the events as the whitelist is not applied. Am I missing something?     ... View more

Hello, I have a standalone Splunk Enterprise 9.1.3 instance with some DCs and servers connected to it using Forwarder Management console. At the moment I have 2 server classes configured, 1 for the DCs and the other one for the servers. The server class for the DCs includes only the inputs.conf file for Windows logs: [WinEventLog://Security] disabled = 0 index = myindex followTail=true start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 whitelist = 4624,4634,4625,4728,4729 renderXml=false Moreover, in the Splunk Enterprise I configured 2 transforms for splitting the logs in two separeted indexes, like this: props.conf: [WinEventLog:Security] TRANSFORMS-security = rewrite_ad_group_management, rewrite_index_adm transforms.conf: [rewrite_ad_group_management] REGEX = EventCode=(4728|4729) DEST_KEY = _MetaData:Index FORMAT = index1 [rewrite_index_adm] REGEX = Account Name:\s+.*\.adm DEST_KEY = _MetaData:Index FORMAT = index2 In particular, the goal is to forward the authentication events (4624,4634,4625) for only admin users (Account Name:\s+.*\.adm) in index2 and only EventCode 4728 and 4729 in index1, and the events that not match none transform should remain in myindex. At the moment the first transform is not working, so I'm receiving Events 4728 and 4729 in index2, am I missing something or there is a better logic to do that? I tried to combine also 4624,4634,4625 and Account Name:\s+.*\.adm with  (?ms)EventCode=(4624|4634|4625)\X*Account Name:\s+.*\.adm Thanks in advance ... View more

Hello, I have to migrate from an old Splunk standalone instance (version 6.4) to a new one. Is it possible to use in the new instance the same license currently used in the old one in production? Is there anything I need to pay attention to? Thank you in advance! ... View more

Hi, I have different mails in my logs and I need to filter them in order to distinguish real users from technical users. I noticed that real users have an email like name.surname@company.com, so I would like to extract these emails matching "anycharacter.anycharacter@any" because in some case it could be possible to have an email with numbers (ex. name.surname1@company.com). Thank you in advance! ... View more

Hi all, I need to extract some fields for authentication events from different log types, here below some example: LOG1 : AddSenaoLog%Client-6:LINUX_device(00:00:00:00:00:00/1.1.1.1) joins WLAN(WIFI) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG2 : AddSenaoLog%Client-6:(00:00:00:00:00:00) joins WLAN(WIFI-CITYLIFE) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG3 %Client-6:LINUX_device(00:00:00:00:00:00/1.1.1.1) joins WLAN(WIFI-OSPITI) from MY-WIFI-0000-INT(00:00:00:00:00:00) LOG4 %Client-6:(00:00:00:00:00:00) joins WLAN(WIFI-OSPITI) from MY-WIFI-0000-INT(00:00:00:00:00:00) As you can see in some case (LOG2 and LOG4) in the first parenthesis I have only the MAC address, in other cases (LOG1 and LOG3) I have both the IP and the MAC address, so I need to extract this two information (or only the MAC if the IP is missig as for LOG2 and LOG4) when I have "joins" in the logs. Thanks in advance! ... View more

Hi All, I have the following saved search: | tstats summariesonly=true fillnull_value="N/D" count from datamodel=Change where NOT [|`change_whitelist_generic`] nodename="All_Changes.Account_Management.Accounts_Updated" AND All_Changes.log_region=* AND All_Changes.log_country=* AND (All_Changes.command=passwd OR All_Changes.result_id IN (4723, 4724)) by All_Changes.log_region, All_Changes.log_country, index, host, All_Changes.Account_Management.src_user, All_Changes.user, _time | `drop_dm_object_name("All_Changes")` | rename Account_Management.src_user as src_user My customer asked to me to exclude results when Account_Management.src_user=user1 and All_Changes.Account_Management.src_nt_domain=All_Changes.Account_Management.dest_nt_domain. So I tried something like that but it seems not working:   | tstats summariesonly=true fillnull_value="N/D" count from datamodel=Change where NOT [| `change_whitelist_generic`] nodename="All_Changes.Account_Management.Accounts_Updated" AND All_Changes.log_region=* AND All_Changes.log_country=* AND (All_Changes.command=passwd OR All_Changes.result_id IN (4723, 4724)) by All_Changes.log_region, All_Changes.log_country, index, host, All_Changes.Account_Management.src_user, All_Changes.user, All_Changes.Account_Management.dest_nt_domain, All_Changes.Account_Management.src_nt_domain, _time | `drop_dm_object_name("All_Changes")` | search NOT (Account_Management.src_user=user1 AND Account_Management.src_nt_domain=Account_Management.dest_nt_domain) | rename Account_Management.src_user as src_user Have you any advice?   Thank you! ... View more

Hi, I have similar authentication logs as below: LOG 1: 03362 auth: ST1-CMDR: User 'my-global\admin' logged in from IP1 to WEB_UI session   LOG2: %%10WEB/4/WEBOPT_LOGIN_SUC(l): admin logged in from IP2   The regex below works only for event LOG2: (?<user>\w+)\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})   Probably it doesn't match special characters, any idea to solve that? Thank you in advance!   ... View more

Hi, I'm trying to extract some fields from my Access Point Aruba in order to be CIM compliant. For authentication log I have two kinds of event:   Login failed: cli[5405]: <341004> <WARN> AP:ML_AP01 <................................>  Client 60:f2:62:8c:a8:a7 authenticate fail because RADIUS server authentication failure Login success: stm[5434]: <501093> <NOTI> AP:ML_AP01 <..................................> Auth success: 60:f2:62:8c:a8:a7: AP ...................................ML_AP01   My goal is to extract the mac address after "Client" in the first log and the mac after "Auth success" in the second one in a common field called "src", can someone please help me? Thanks in advance! ... View more

Hi, I have a lookup containing some admin users and I need to add some text like "ADS_" before the username to distinguish them from normal users. I tried: index=myindex tag=authentication | lookup Ads.csv Utenza AS username OUTPUT Gruppo | fillnull value=NULL | eval username=if(Gruppo="NULL",username, ADS_.username) | eval action=if(match(details_message,"opened a Web Portal"),"success",action) | search action=success dest_host!="- -" | stats count by username | sort count desc   what I'm missing?   Thanks in advance! ... View more