<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
<title>topic Re: Windows Event Logs and auto field extraction in a Multilanguage environment. in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77618#M15883</link>
    <description>&lt;P&gt;Yep, good approach but if I would do it like this it would look like this:&lt;/P&gt;

&lt;P&gt;(?i)(?:AccountName|German|French|Spain|Nederlands|Chinese…):[\t]+(?P&amp;lt;ACCOUNT_NAME&amp;gt;[^\t]+)&lt;/P&gt;

&lt;P&gt;Hard to handle, and what if I do not know which locales I have? The punctuation of the events looks similar in every language, so maybe there is a way to “overextract” the field names…&lt;/P&gt;</description>
    <pubDate>Thu, 27 Jun 2013 13:43:40 GMT</pubDate>
    <dc:creator>ndcl</dc:creator>
    <dc:date>2013-06-27T13:43:40Z</dc:date>
    <item>
<title>Windows Event Logs and auto field extraction in a Multilanguage environment.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77616#M15881</link>
      <description>&lt;P&gt;Hi base,&lt;BR /&gt;
When I index win logs the automated field extraction works great. When I have an environment with English, French and German Windows, parts of the events will also be localized. Here is one example:&lt;/P&gt;

&lt;P&gt;Category=14339&lt;/P&gt;

&lt;P&gt;CategoryString=Kerberos-Authentifizierungsdienst&lt;/P&gt;

&lt;P&gt;EventCode=4768&lt;/P&gt;

&lt;P&gt;EventIdentifier=4768&lt;/P&gt;

&lt;P&gt;EventType=4&lt;/P&gt;

&lt;P&gt;Logfile=Security&lt;/P&gt;

&lt;P&gt;RecordNumber=690090&lt;/P&gt;

&lt;P&gt;SourceName=Microsoft-Windows-Security-Auditing&lt;/P&gt;

&lt;P&gt;TimeGenerated=20130627093000.056463-000&lt;/P&gt;

&lt;P&gt;TimeWritten=20130627093000.056463-000&lt;/P&gt;

&lt;P&gt;Type=Überwachung erfolgreich&lt;/P&gt;

&lt;P&gt;User=NULL&lt;/P&gt;

&lt;P&gt;ComputerName=XXX.xx.xx&lt;/P&gt;

&lt;P&gt;wmi_type=WinEventLog:Security&lt;/P&gt;

&lt;P&gt;Message=Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.&lt;/P&gt;

&lt;P&gt;Kontoinformationen:&lt;BR /&gt;
Kontoname:              ResAdmin&lt;BR /&gt;
    Angegebener Bereichsname:       XXX&lt;BR /&gt;
    Benutzer-ID:                S-1-5-21-1582781344-2085187069&lt;/P&gt;

&lt;P&gt;Dienstinformationen:&lt;BR /&gt;
    Dienstname:             krbtgt&lt;BR /&gt;
    Dienst-ID:              S-1-5-21-1582781344-2085187069&lt;/P&gt;

&lt;P&gt;Netzwerkinformationen:&lt;BR /&gt;
    Clientadresse:              ::1&lt;BR /&gt;
    Clientport:             0&lt;/P&gt;

&lt;P&gt;Weitere Informationen:&lt;BR /&gt;
    Ticketoptionen:         0x40810010&lt;BR /&gt;
    Ergebniscode:               0x0&lt;BR /&gt;
    Ticketverschlüsselungstyp:     0x17&lt;BR /&gt;
    Typ vor der Authentifizierung:  2&lt;/P&gt;

&lt;P&gt;The top of the event seems to be identical for every language, but at the bottom MS switches to the locale. This makes the creation of searches a little bit difficult. You have to use different field names for the same data for every localization. What is the best practice to get only English field names?&lt;/P&gt;

&lt;P&gt;Thanks  &lt;/P&gt;</description>
      <pubDate>Thu, 27 Jun 2013 11:33:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77616#M15881</guid>
      <dc:creator>ndcl</dc:creator>
      <dc:date>2013-06-27T11:33:28Z</dc:date>
    </item>
    <item>
<title>Re: Windows Event Logs and auto field extraction in a Multilanguage environment.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77617#M15882</link>
<description>&lt;P&gt;Have you tried using regular expressions like this:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;(?i)(?:Account Name|Kontoname):[\t]+(?P&amp;lt;account_name&amp;gt;[^\t]+)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;You could set multiple indicator strings before the extraction by using (?:A|B).&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jun 2013 13:15:36 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77617#M15882</guid>
      <dc:creator>FRoth</dc:creator>
      <dc:date>2013-06-27T13:15:36Z</dc:date>
    </item>
    <item>
<title>Re: Windows Event Logs and auto field extraction in a Multilanguage environment.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77618#M15883</link>
      <description>&lt;P&gt;Yep, good approach but if I would do it like this it would look like this:&lt;/P&gt;

&lt;P&gt;(?i)(?:AccountName|German|French|Spain|Nederlands|Chinese…):[\t]+(?P&amp;lt;ACCOUNT_NAME&amp;gt;[^\t]+)&lt;/P&gt;

&lt;P&gt;Hard to handle, and what if I do not know which locales I have? The punctuation of the events looks similar in every language, so maybe there is a way to “overextract” the field names…&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jun 2013 13:43:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77618#M15883</guid>
      <dc:creator>ndcl</dc:creator>
      <dc:date>2013-06-27T13:43:40Z</dc:date>
    </item>
    <item>
<title>Re: Windows Event Logs and auto field extraction in a Multilanguage environment.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77619#M15884</link>
<description>&lt;P&gt;I don't think so. That's mainly a Windows problem you're trying to solve. But there is a way to change the language in which the Windows source systems send their logs using the "wevtutil" utility if you are using Windows Eventlog Forwarding (perhaps by group policy) - it's "wecutil ss SUBSCRIPTION_NAME /cf:RenderedText /l:en-US". &lt;BR /&gt;
I don't know if there is perhaps a way to configure the forwarding to skip the XML rendering so that every incoming event is still raw XML and not yet rendered in a specific language.&lt;/P&gt;</description>
      <pubDate>Thu, 27 Jun 2013 14:01:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77619#M15884</guid>
      <dc:creator>FRoth</dc:creator>
      <dc:date>2013-06-27T14:01:37Z</dc:date>
    </item>
    <item>
<title>Re: Windows Event Logs and auto field extraction in a Multilanguage environment.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77620#M15885</link>
<description>&lt;P&gt;Check &lt;A href="http://blogs.splunk.com/2013/06/17/windows-perfmon-and-internationalization/"&gt;this post&lt;/A&gt; from Adrian Hall. He advises using a lookup on all the objects where a translation is needed. The difficulty is to have a lookup file with all the fields translated into the target language. Maybe this file will be released soon by Splunk.&lt;/P&gt;</description>
      <pubDate>Mon, 15 Jul 2013 20:31:49 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77620#M15885</guid>
      <dc:creator>michael_sanchez</dc:creator>
      <dc:date>2013-07-15T20:31:49Z</dc:date>
    </item>
    <item>
<title>Re: Windows Event Logs and auto field extraction in a Multilanguage environment.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77621#M15886</link>
<description>&lt;P&gt;First I thought this would help, but this solution translates the value of the field, not the field itself.&lt;BR /&gt;
Thanks anyway...&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jul 2013 08:54:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Logs-and-auto-filed-extraction-in-a-Multilanguage/m-p/77621#M15886</guid>
      <dc:creator>ndcl</dc:creator>
      <dc:date>2013-07-16T08:54:31Z</dc:date>
    </item>
  </channel>
</rss>

