topic Re: Windows Security Log Formatting in Getting Data In

Windows Security Log Formatting

jspatton — Mon, 17 Jun 2013 19:58:50 GMT

I'm looking to create a view of the number of user accounts that have been created in the domain in the past 24 hours. Here is my query, and my timeframe is last 24hrs.

sourcetype="WinEventLog:Security" AND EventCode=4720

The view that comes back is very abbreviated, I have to click show all 50 lines to get at the info I need. What I would like to see is the date, time, server, the user who created the account, and the created account name. This is trivial for me to do in powershell, but I'd like to have a nice dashboard that shows this for more users than just myself.

Re: Windows Security Log Formatting

kristian_kolb — Mon, 17 Jun 2013 20:27:35 GMT

you are aware of the table search command?

sourcetype=WinEventLog:Security EventCode=4720 | table _time host field1 field2 field3

The AND is implicated, and not needed in the search.

Re: Windows Security Log Formatting

jspatton — Mon, 17 Jun 2013 20:30:00 GMT

I get that, but I think the disconnect is that field1-3 only appear to live in the _raw data of the event. If you open up an event in the eventviewer, this is the data contained in the window that describes the event, such as a new user was created...does that make sense?

Re: Windows Security Log Formatting

kristian_kolb — Mon, 17 Jun 2013 21:39:06 GMT

Sorry, I don't use eventviewer much. Do you mean that the information you want is not being extracted into fields?

Re: Windows Security Log Formatting

jspatton — Mon, 17 Jun 2013 21:42:57 GMT

correct. its also not formatted terribly well either...sigh

Re: Windows Security Log Formatting

kristian_kolb — Mon, 17 Jun 2013 21:48:44 GMT

That's weird. Normally Windows events are extracted nicely. Is it not extracted at all or is it a multivalued field (i.e. there are two fields in _raw that are called "Account Name" or something similar)?

Please update your original question with a sample event. mask ip-addresses, hostnames etc as needed.

Re: Windows Security Log Formatting

jspatton — Thu, 11 Jul 2013 17:59:51 GMT

Sorry it's been so long since I've gotten back to this, but here is an example of what this event looks like.

http://social.technet.microsoft.com/wiki/contents/articles/17055.event-ids-when-a-new-user-account-is-created-on-active-directory.aspx

4720 is the first example and you can see how it looks, when I click show the next 50 lines, basically that is what I see. I'm trying to extract just the pertinent information that I specified in the original post.

Thanks,

Re: Windows Security Log Formatting

Ayn — Thu, 11 Jul 2013 18:13:27 GMT

You can grab whatever fields you want to see and create a table of that. Is that what you want?

Re: Windows Security Log Formatting

jspatton — Thu, 11 Jul 2013 18:19:17 GMT

That sounds right, but when I try to do that, it doesn't work, or more likely I don't know what I'm doing wrong. How would I do that?

Re: Windows Security Log Formatting

jspatton — Thu, 11 Jul 2013 18:36:56 GMT

I think what I want is to do field extraction, and ideally I would like to extract SAM Account Name, but when I do that in the field extraction page, it tells me that, "No regex could be learned. Try providing different examples or restriction"

Re: Windows Security Log Formatting

Ayn — Thu, 11 Jul 2013 18:45:03 GMT

Right. You might need to learn some regex-fu in order to be able to tell Splunk how to recognize your fields properly. For Windows event logs though, there's a bunch of extractions already in there that should be applied. Such as Account_Name for instance.

Re: Windows Security Log Formatting

jspatton — Thu, 11 Jul 2013 18:46:52 GMT

Account Name is, but with this particular event there are multiples of that, the first one is the account name used to create the second account name 😉 so, I would like pull in SAM Account Name, that doesn't appear to be a thing.

Re: Windows Security Log Formatting

jspatton — Thu, 11 Jul 2013 18:50:38 GMT

So I went to an online regex checker, pasted in the contents of the event, and just typed in SAM Account Name: as the search, and that worked.

Re: Windows Security Log Formatting

jspatton — Thu, 11 Jul 2013 18:50:57 GMT

Here is where I went.
http://regexhero.net/tester/

Re: Windows Security Log Formatting

antlefebvre — Thu, 11 Jul 2013 19:09:17 GMT

sourcetype="WinEventLog:Security" AND EventCode=4720 | eval AccountCreator=mvindex(Account_Name,0) | eval AccountCreated=mvindex(Account_Name,1)| table _time, host, AccountCreator, AccountCreated

The mvindex command will pull the values out for you into a new field name you create.

Re: Windows Security Log Formatting

jspatton — Thu, 11 Jul 2013 19:15:54 GMT

That is pretty awesome thanks! I also spoke with Darryl Burns from Splunk and his solution was to pipe the query through xmlkv, this maps out the underlying XML from Windows so Splunk can see those sub fields.

sourcetype="WinEventLog:Security" AND EventCode=4720| xmlkv

But I really like how you laid that out in table format!

Re: Windows Security Log Formatting

antlefebvre — Thu, 11 Jul 2013 20:27:52 GMT

Your question gave me the excuse to actually reprogram one of my dashes to correctly view authentications on a windows NPS server.

Re: Windows Security Log Formatting

mjkenney — Fri, 11 Mar 2016 14:36:03 GMT

this was driving me crazy. thanks!