topic Re: Problem with Windows Security logs field extractor in Splunk Search

Problem with Windows Security logs field extractor

Aexyn — Thu, 23 Jun 2016 13:46:17 GMT

Hi guys,

I'm auditing a file server of my domain (access, read, write...) with Windows event logs and Splunk, and it is rather functional.

However I have a problem with the "intelligent file extraction".
A standard collected security log has the following structure:

06/23/2016 03:08:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=
TaskCategory=Partage de fichiers détaillé
OpCode=Informations
RecordNumber=20907498
Keywords=Succès de l’audit
Message=Un objet du partage réseau a été vérifié afin de savoir si l’accès souhaité peut être accordé au client.

Sujet :
ID de sécurité : ...
Nom du compte : Someone
Domaine du compte : ...
ID d’ouverture de session : ...

Informations sur le réseau :

Type d’objet : File
Adresse source : ...
Port source : ...

Informations de partage :
Nom de partage : ...
Chemin d’accès du partage : ...
Nom cible relatif : ...

Informations sur la demande d’accès :
Masque d’accès : ...
Accès : SYNCHRONIZE
Lecture données (ou liste de répertoire)
ReadAttributes

Résultat de la vérification d’accès :
SYNCHRONIZE: Accordé par D:(A;;FA;;;WD)
Lecture données (ou liste de répertoire): Accordé par D:(A;;FA;;;WD)
ReadAttributes: Accordé par D:(A;;FA;;;WD)

Here we have the "Accès" (access) field which have 3 values (it could be more, it depends of the user action on the file), a set of value corresponding to the real action of the user (write, save, read...).

My problem is the intelligent field extractor just consider Access is the first value, other values are considered as proper fields, since Windows Logs don't always use the same pattern...

I tried to manually extract fields, with the native Splunk functionnality or with the Field Extractor App. I don't know if my log is too long, but it is truncated after "ID de Sécurité" (Security ID).

Do you know how to do?

Re: Problem with Windows Security logs field extractor

woodcock — Fri, 24 Jun 2016 00:17:33 GMT

Like this:

... | rex "(?ms)^\s*Accès:\s+(?<Acesses>.*?)[\r\n]{2}" | makemv delim="\n" Acesses

Re: Problem with Windows Security logs field extractor

Aexyn — Fri, 24 Jun 2016 07:00:17 GMT

Thank's for your reply.

How can I manage the fact there is not always the same number or field? In my example there are 3 lines, but I have to manage other logs with more or less values.
Sometimes there are 5 fields, sometimes 1.
The only indicator is the blank line (\n\n or maybe \r\n\r\n) after the Access field.

Re: Problem with Windows Security logs field extractor

woodcock — Fri, 24 Jun 2016 16:43:35 GMT

My answer creates a multi-valued field that can have many values, one for each item in the list. The double-newline terminator indicates the end of the list. Just try it.

Re: Problem with Windows Security logs field extractor

Aexyn — Mon, 27 Jun 2016 06:37:31 GMT

It seems that doesn't work. I have tried modifying a little the expression, since the exact format is :

...
Informations sur la demande d’accès :
(1tab)Masque d’accès :(1tab)0x100081
(1tabs)Accès :(1space)(1tab)SYNCHRONIZE
(4tabs)Lecture données (ou liste de répertoire)
(4tabs)ReadAttributes

...

with tabulations, but without success.

Re: Problem with Windows Security logs field extractor

woodcock — Mon, 27 Jun 2016 13:07:13 GMT

The only reason that I can see that it might now work is if there is whitespace between the newlines at the end so try this

 ... | rex "(?ms)^\s*Accès:\s+(?<Acesses>.*?)[\r\n]\s*[\r\n]" | makemv delim="\n" Acesses

Re: Problem with Windows Security logs field extractor

Aexyn — Wed, 29 Jun 2016 06:40:27 GMT

It don't seem to work :(. The mystery is still running.