https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17875#M2389 <P>I'm attempting to reports &amp; alert on file changes/deletes using Windows Object Access/File System auditing. I see the events coming through Splunk, but I'm struggling to get the events from Windows 2003 &amp; Windows 2008 to show up in one saved search since the EventCode is different. I just need to show events from user accounts that are not service/SYSTEM.</P> <P>I saw where I may be able to use transactions, so I built the query below.</P> <PRE><CODE>index="testindex" sourcetype="WinEventLog:Security" | transaction EventCode maxspan=1m maxpause=30 | where (CategoryString="Object Access" OR TaskCategory="File System") AND LIKE (Message, "%WriteData%") AND NOT LIKE (User, "SYSTEM") AND NOT LIKE (Message, "%Account Name:%SYSTEM%") </CODE></PRE> <P>It seems to work somewhat. Admittedly I don't fully understand transactions. Any help is appreciated. Splunk 4.1.6 on Windows Server 2008.</P> Fri, 24 Dec 2010 00:12:55 GMT jdoles 2010-12-24T00:12:55Z https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17875#M2389 <P>I'm attempting to reports &amp; alert on file changes/deletes using Windows Object Access/File System auditing. I see the events coming through Splunk, but I'm struggling to get the events from Windows 2003 &amp; Windows 2008 to show up in one saved search since the EventCode is different. I just need to show events from user accounts that are not service/SYSTEM.</P> <P>I saw where I may be able to use transactions, so I built the query below.</P> <PRE><CODE>index="testindex" sourcetype="WinEventLog:Security" | transaction EventCode maxspan=1m maxpause=30 | where (CategoryString="Object Access" OR TaskCategory="File System") AND LIKE (Message, "%WriteData%") AND NOT LIKE (User, "SYSTEM") AND NOT LIKE (Message, "%Account Name:%SYSTEM%") </CODE></PRE> <P>It seems to work somewhat. Admittedly I don't fully understand transactions. Any help is appreciated. Splunk 4.1.6 on Windows Server 2008.</P> Fri, 24 Dec 2010 00:12:55 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17875#M2389 jdoles 2010-12-24T00:12:55Z https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17876#M2390 <P>In places where Win2008 event codes are different from Win2003, it's usually just by an offset of 4096. You just need to create a new field that has the equivalent codes for comparison.</P> <P>Also, try to filter out as much as possible in your initial search string instead of using <CODE>where</CODE>. Doing so is almost always a good idea, but can make a particularly big difference when using <CODE>transaction</CODE>.</P> <P>Something like:</P> <PRE><CODE>index="testindex" sourcetype"WinEventLog:Security" CategoryString="Object Access" OR TaskCategory="File System" "*WriteData*" NOT User="System" NOT "Account Name: SYSTEM" | eval ComparisonCode=if(EventCode&lt;4096, EventCode+4096, EventCode) | transaction maxspan=1m maxpause=30 ComparisonCode </CODE></PRE> Fri, 24 Dec 2010 02:22:15 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17876#M2390 southeringtonp 2010-12-24T02:22:15Z https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17877#M2391 <P>Excellent! I never made the connection regarding the offset. The search string was a huge help.<BR /> Thanks again for the help.</P> Mon, 27 Dec 2010 20:52:56 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17877#M2391 jdoles 2010-12-27T20:52:56Z https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17878#M2392 <P>On newer systems EventCode 560 is the key. <BR /> Check out these links:<BR /> <A href="http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/">http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/</A></P> <P><A href="http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/">http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/</A></P> <P><A href="http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=560">http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=560</A></P> <P><A href="http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/+++http://www.intelliadmin.com/index.php/2008/03/use-auditing-to-track-who-deleted-your-files/++http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=560++http://social.technet.microsoft.com/forums/windowsserver/en-US/ed94f9ca-586a-44a2-a6fc-03a97a8ae8ab/start-audit-logs-on-the-server-for-deleted-files">http://social.technet.microsoft.com/forums/windowsserver/en-US/ed94f9ca-586a-44a2-a6fc-03a97a8ae8ab/start-audit-logs-on-the-server-for-deleted-files</A></P> Tue, 23 Sep 2014 11:21:26 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-File-System-Auditing/m-p/17878#M2392 mcronkrite 2014-09-23T11:21:26Z