topic Re: Field Extractions from the Message field in WinEventLog in Splunk Search

How to do field Extractions from the Message field in WinEventLog?

Skeer-Jamf — Thu, 26 Jan 2023 19:15:07 GMT

So after searching here it seems like a lot of people have trouble parsing/handling WinEventLogs. I want to ask if there is no better way than custom transforms and props?

That might be a debatable question to some so I'll be more targeted. I'm trying to extract parts of the Message field, here's a sanitized example:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{xxxxx-xxxx-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-01-25T22:35:16.209857600Z'/><EventRecordID>840762295</EventRecordID><Correlation ActivityID='{D610E4E9-2C97-0000-12E5-10D6972CD901}'/><Execution ProcessID='704' ThreadID='2404'/><Channel>Security</Channel><Computer>dc01.domain.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>DOMAIN\okta_service</Data><Data Name='SubjectUserName'>okta_service</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectLogonId'>0x31198f</Data><Data Name='TargetUserSid'>DOMAIN\Bob.Saget</Data><Data Name='TargetUserName'>bob.saget</Data><Data Name='TargetDomainName'>DOMAIN</Data><Data Name='TargetLogonId'>0x1578a0a1</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Advapi </Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>DC01</Data><Data Name='LogonGuid'>{xxxxx-xx-D725-309C-788D104F655D}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x1658</Data><Data Name='ProcessName'>C:\Program Files (x86)\Okta\Okta AD Agent\OktaAgentService.exe</Data><Data Name='IpAddress'>1.2.3.4</Data><Data Name='IpPort'>-</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>

Namely at the bottom, <Data Name='IpAddress'>1.2.3.4</Data>

Now Im still using renderXml = true because when you look at the raw type.. that Message field is just so huge and practically impossible to define a field to me. Unless I'm wrong? Also as per my inputs file, the sourcetype for this is 'generic_single_line'.

Now I've tried Regex, and Delimiters and both give me errors about either selecting too many fields, or in the case of Delimiters (when I attempts to specify other and '<>', an entirely unholy wall-of-text which this tiny blurb at the end:

has exceeded the configured depth_limit, consider raising the value in limits.conf.

Or Im going about this all wrong and raw is the easiest to deal with?

Any help would be greatly appreciated!

Re: Field Extractions from the Message field in WinEventLog

yeahnah — Thu, 26 Jan 2023 04:25:36 GMT

Hi @Skeer-Jamf

Splunk provide the Splunk Add-on for Microsoft Windows app (https://classic.splunkbase.splunk.com/app/742/#/overview) which is configured with all the necessary extractions.

You'll need to configure your inputs to match the expected sourcetype for it to work of course. I would not use generic_single_line either. Use what Splunk define in the app.

You could also just pull out the configurations you need from this app and create you own app etc with your own unique sourcetypes etc.

Taking a quick look at the app myself, something like this, defined on the search head, should extract the field you want without to much issue.

transforms.conf

[eventdata_xml_block]
REGEX = (?ms)<EventData(?:\s+[^>]+)?>(.*?)<\/EventData>
FORMAT = EventData_Xml::$1
MV_ADD = 1

[eventdata_xml_data]
# Extracts from <Data Name='name'>value</Data> as name:value. Skips ComplexData tags
SOURCE_KEY = EventData_Xml
REGEX = <(\w+)\sName='([^>]*)'\/?>([^<]*)(?:<\/\1>)?
FORMAT = $2::$3
MV_ADD = 1

props.conf

[<your defined sourcetype for the xmlwineventlog>]
REPORT-xml_eventdata_extract = eventdata_xml_data

If you want to run this from any app then ensure the config is shared globally.

Anyway, hope this helps you on your way

Re: Field Extractions from the Message field in WinEventLog

Skeer-Jamf — Thu, 26 Jan 2023 12:58:50 GMT

Thanks @yeahnah

Disclaimer: I hav to apologize, I got myself confused between the WinEventLog://Directory Service and a new monitor stanza I added to ingest the Windows Firewall .log file. The latter is what's using the generic_single_line sourcetype. Apologies! I've built a dashboard using queries from both sources and I guess I just confabulated them together in my head.

I explored the link you posted.. I thought we were using this app, but when I look through the sourcetypes included with that I realized that all the servers inputs.conf files were set to a:

sourcetype = WinEventLogs (notice the s) versus singular WinEventLog

So I am correcting that mistake, which I hope was the kicker here 😉

Re: Field Extractions from the Message field in WinEventLog

Skeer-Jamf — Thu, 26 Jan 2023 13:54:22 GMT

So correcting the sourcetype might have done something.. looking at the Security logs for example. Choosing between the two sourcetypes: WinEventLogs and WinEventLog for the past 3 hours, the latter gives me one additional field to select from.

Looking at the WinEventLog://Directory Service however, actually is showing less fields to select from. I really didn't want to have to customize the transforms or props but there might be no choice now.

Re: Field Extractions from the Message field in WinEventLog

Skeer-Jamf — Thu, 26 Jan 2023 14:02:18 GMT

@yeahnah So both Props and Transforms are required to effect the change you describe right?

I created both files under $SPLUNKHOME/etc/system/local and bounced the service, Im now waiting for SC to update. By search head I assume you mean either the Heavy Forwarder, or teh Universal? In this case, it's the Universal as I do not have that sort of access to Splunk Cloud.

Re: Field Extractions from the Message field in WinEventLog

Skeer-Jamf — Thu, 26 Jan 2023 14:43:54 GMT

Should I be able to see references to those two bracketed 'variables' in transforms.conf in splunkd.log after restarting the service? Or maybe they are endpoint arguments? If so, I do not see them.

Re: Field Extractions from the Message field in WinEventLog

yeahnah — Fri, 27 Jan 2023 01:43:50 GMT

Hi @Skeer-Jamf

Sounds like you're on the right track now.

Note, if using the Splunk Windows app then it is probably best to not set the sourcetype in inputs.conf and let the default values flow through the system for these Windows events. As you've seen, having the wrong sourcetype value can affect downstream configurations.

The Splunk Windows app needs to be installed on the heavy forwarders and also the search head members (or Splunk Cloud - basically, where you run your search queries from). The app docs say the inputs.conf file should be removed when deployed to the search head/Splunk Cloud. For this type of Windows event sources I don't believe the app needs to be installed on the UF (not 100% sure on that) but no harm if it is. Basically, just need an inputs.conf entry on the UF to forward these Windows Directory Service events (assuming the UF is forwarding data correctly, as expected), e.g.

## Application and Services Logs - Directory Service
[WinEventLog://Directory Service]
disabled = 1
renderXml=true

If it is working correctly then the sourcetype should actually be getting set to XMLWinEventLog when it is searched and all these event fields will be auto extracted at search time OK.

If the sourcetype is not XMLWinEventLog then the auto extractions will not be working and you need to review each step (UF -> HF -> SC)