topic Re: WIndows Event Line Break in Getting Data In

WIndows Event Line Break

arrowsmith3 — Mon, 28 Sep 2020 13:08:29 GMT

Have the following defined in my inputs.conf

[WinEventLog:Security]
disabled=0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

Have the following defined in my props.conf

[default]

BREAK_ONLY_BEFORE_DATE = True

Log File
01/18/2013 11:45:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=XXXX
TaskCategory=Logoff
OpCode=Info

-----Line Break is Occurring Here -----

RecordNumber=1173295928
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: XXX
Account Name: XXX
Account Domain: XXX
Logon ID: XXX
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Should be only breaking on the date however from above, its breaking at the Record number. This is happening on only 2 of my DC's, Splunk from what I can see is configured the same way on all 5 of my DC's. Anyone have any ideas on what this could be??

Thanks!

Michael

Re: WIndows Event Line Break

jodros — Fri, 18 Jan 2013 23:11:44 GMT

It appears that Splunk sees the value of the RecordNumber and equates that to epoch time. Does the second half of the event gets timestamped Wed, 07 Mar 2007 19:32:08 GMT?

What might help is to define the TIME_FORMAT and possibly utilize the BREAK_ONLY_BEFORE in the props.conf for that sourcetype. Something like this might work:

props.conf on indexing server

[WinEventLog:Security]
TIME_FORMAT = %m\/%d\/%Y %H:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

If this answer resolves your issue, please mark it as the accepted answer. Thanks.

Re: WIndows Event Line Break

arrowsmith3 — Sat, 19 Jan 2013 01:41:12 GMT

no it appears to be timestamped the same as the top half

Re: WIndows Event Line Break

jodros — Mon, 28 Sep 2020 13:08:53 GMT

I would still try the BREAK_ONLY_BEFORE to see if that resolves the issue. You don't have to try the TIME_FORMAT if the BREAK_ONLY_BEFORE resolves it.

Re: WIndows Event Line Break

arrowsmith3 — Tue, 22 Jan 2013 21:53:13 GMT

no go on either in the props.conf. Still showing the line break as indicated above.

Re: WIndows Event Line Break

jodros — Tue, 22 Jan 2013 23:13:01 GMT

Is it possible to include a sanitized props.conf?

Re: WIndows Event Line Break

arrowsmith3 — Mon, 28 Sep 2020 13:10:25 GMT

The only thing I have in my props.conf (etc/system/local ) file is what was given above.

[default]

[WinEventLog:Security]
TIME_FORMAT = %m\/%d\/%Y %H:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

We are defining most of our regex extractions in the default search app. None of which are defined for windows, we have been using the default auto extractions for windows based logging and any search time regex when needed.

Re: WIndows Event Line Break

jodros — Mon, 28 Sep 2020 13:10:30 GMT

The TIME_FORMAT might not be needed. Also, I see some issues with the regex on the BREAK_ONLY_BEFORE. It might be due to formatting when you pasted into the comment. Please verify that the regex is exactly what I submitted earlier in the ticket.

Also, please be sure that this goes into the props.conf on the indexing server. Do you run a distributed Splunk environment, or single server instance?

Re: WIndows Event Line Break

arrowsmith3 — Mon, 28 Sep 2020 13:10:52 GMT

ok I added the stanza and BREAK_ONLY_BEFORE to our paired indexing servers

[WinEventLog:Security]
TIME_FORMAT = %m\/%d\/%Y %H:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

Still the same issue, it only happens on 2 of the 5 DC's we have...strange.

Re: WIndows Event Line Break

arrowsmith3 — Mon, 28 Sep 2020 13:10:55 GMT

ok this is now working!!! Thank you so much for your time and effort on this!!

I didnt realize there was a custom sourcetype on our indexers for the windows security logs. Once I updated the sourcetype with the BREAK_ONLY_BEFORE statement, it works!!

Re: WIndows Event Line Break

jodros — Thu, 24 Jan 2013 19:42:02 GMT

Awesome! Glad I could help.