https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-Event-Logs-Output/m-p/249013#M99172 <P>if its Standard Windows Eventlogs, please use <A href="https://splunkbase.splunk.com/app/742/#/overview">Windows Addon (TA)</A><BR /> This will extract all the fields and is Common Information Model (CIM) compatible for future proof</P> Wed, 16 Mar 2016 15:58:57 GMT koshyk 2016-03-16T15:58:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-Event-Logs-Output/m-p/249011#M99170 <P>Hello, I understand this question had been ask before in varies variations, but I am a newbie and I’m trying to filter out the following information below. I would like to keep everything after Logon Type 3 and before Detail Authentication and if possible filter everything else out. I am using Windows 7 and I don’t have an AD (Active Directory) and Windows Infrastructure won’t work since I don’t have an AD. I’m just using Splunk with add-ons. From the research I’ve done and been unsuccessful with, there is the regex expression or just entering in a better query. If it’s not possible to filter the areas I want out, I would settle for just getting rid of the paragraph at the button starting with: “This event is generated when a logon request fails”<BR /> Thank you</P> <P>03/13/2016 10:57:20 AM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=4625<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=pedrt2012-PC<BR /> TaskCategory=Logon<BR /> OpCode=Info<BR /> RecordNumber=43158<BR /> Keywords=Audit Failure<BR /> Message=An account failed to log on</P> <P>Subject:<BR /> Security ID: S-1-0-0<BR /> Account Name: -<BR /> Account Domain: -<BR /> Logon ID: 0x0</P> <P>Logon Type: 3</P> <P>Account For Which Logon Failed:<BR /> Security ID: S-1-0-0<BR /> Account Name: pedro 2012<BR /> Account Domain: </P> <P>Failure Information:<BR /> Failure Reason: Unknown user name or bad password.<BR /> Status: 0xc000006d<BR /> Sub Status: 0xc000006a</P> <P>Process Information:<BR /> Caller Process ID: 0x0<BR /> Caller Process Name: -</P> <P>Network Information:<BR /> Workstation Name: 192.167.1.192<BR /> Source Network Address: -<BR /> Source Port: -</P> <P>Detailed Authentication Information:<BR /> Logon Process: NtLmSsp <BR /> Authentication Package: NTLM<BR /> Transited Services: -<BR /> Package Name (NTLM only): -<BR /> Key Length: 0</P> <P>This event is generated when a logon request fails. It is generated on the computer where access was attempted.</P> <P>The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.</P> <P>The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).</P> <P>The Process Information fields indicate which account and process on the system requested the logon.</P> <P>The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.</P> <P>The authentication information fields provide detailed information about this specific logon request.<BR /> - Transited services indicate which intermediate services have participated in this logon request.<BR /> - Package name indicates which sub-protocol was used among the NTLM protocols.<BR /> - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.<BR /> Collapse<BR /> host = pedro2012-PC source = WinEventLog:Security sourcetype = WinEventLog:Security</P> Tue, 15 Mar 2016 21:09:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-Event-Logs-Output/m-p/249011#M99170 L06141 2016-03-15T21:09:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-Event-Logs-Output/m-p/249012#M99171 <P>Hi there mate,</P> <P>Take a look at this, and you will probably understand how to strip the event as you wish. </P> <P>This example will remove event description. Add this to your props.conf and restart Splunk.</P> <PRE><CODE>[yoursourctype] SEDCMD-del_desc = s/(?mis)This event is generated.*$//g </CODE></PRE> <P>Or like this, to remove distinct types of event descriptions in the same regex.</P> <PRE><CODE>[yoursourctype] SEDCMD-del_desc = s/(?mis)(This event is generated|other_type_of desc_1|other_type_of_desc_2).*$//g </CODE></PRE> <P>Oh, and remember, events already indexed wont change after this but the new ones does.</P> <P>Hope it helps and let me know if it works.</P> Wed, 16 Mar 2016 14:47:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-Event-Logs-Output/m-p/249012#M99171 alemarzu 2016-03-16T14:47:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-Event-Logs-Output/m-p/249013#M99172 <P>if its Standard Windows Eventlogs, please use <A href="https://splunkbase.splunk.com/app/742/#/overview">Windows Addon (TA)</A><BR /> This will extract all the fields and is Common Information Model (CIM) compatible for future proof</P> Wed, 16 Mar 2016 15:58:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-Security-Event-Logs-Output/m-p/249013#M99172 koshyk 2016-03-16T15:58:57Z