topic Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs in Splunk Search

Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw — Tue, 16 Nov 2010 07:03:10 GMT

I'm trying to perform a seemingly simple task, which is to search for failed logins in my AD environment. Here's the search I used found in another Answer;

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"

Great! I found some failed logins. Now I want specific information out of this event which is the "Account Name" of the user who's having a problem. Ewwww, but with Microsoft's lovely log format, they so graciously supply TWO "Account Name" fields with the same name;

11/15/10 03:41:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=SERVERNAME.DOMAIN.NAME
TaskCategory=Logon
OpCode=Info
RecordNumber=30965331
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SERVERNAME$  <-- 1st occurrence
    Account Domain:     DOMAIN
    Logon ID:       0x3e7

Logon Type:         8

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       username    <-- 2nd occurrence
    Account Domain:     domain.name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x1a40
    Caller Process Name:    C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: 11.22.33.44
    Source Port:        2453

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
<snip>

I want that second occurrence of "Account Name" (which holds username). Now you may already be thinking, hey buddy this question has been asked before -- go search because the answers out there (one, two) are to use "| eval newVar=mvindex(Account_Name,1)"...

...but hear me out. It's not behaving as expected.

So I adjust my search to store the 2nd occurrence of "Account Name" in a new variable and dump them into a table;

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| eval newVar=mvindex(Account_Name,1)
| table Account_Name newVar

Here's the problem, this results in;

SERVERNAME$    <blank>

I can't get the value of the 2nd occurrence. Reading the documentation on Parse Fields With Multiple Values doesn't shed any light on my problem.

So I tried grabbing the last value; "newVar=mvindex(Account_Name,-1)" but that outputs blank as well. So I start to question if mvindex is doing anything... ...but the strange thing is that this "newVar=mvindex(Account_Name,0)" seems to store/retrieve just fine despite it not being the data I want.

Can someone point me in the right direction? Thanks in advance.

Running 4.1.5 Linux x86_64

ziegfried Solution

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<Wanted_Account>\V+)"
| table _time Account_Name Wanted_Account ComputerName Failure_Reason src_ip Workstation_Name

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

bwooden — Wed, 17 Nov 2010 07:23:42 GMT

How are you extracting the Account_Name field(s)?
What does this return?

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCo`de<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)" 
| eval Wanted_Account=mvindex(Account_Name,1)
| table Wanted_Account

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

hulahoop — Mon, 28 Sep 2020 09:21:01 GMT

When you show Account_Name as an enabled field in the Event Viewer, do you get multiple occurrences of Account_Name or just 1 occurrence with the value being the 1st extraction (SERVERNAME$)?

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw — Thu, 18 Nov 2010 00:49:17 GMT

added results of your query to the original post. sure wish there was a code tag function in comments. thanks for your help so far.

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw — Thu, 18 Nov 2010 00:56:43 GMT

Account_Name in the Events Table/View shows the 1st occurrence which typically is "-" or SERVERNAME$

I am correct in my understanding that the Events view/table, you can not display custom/new variables? Those will only display in the Results view/table?

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

ziegfried — Thu, 18 Nov 2010 01:06:01 GMT

An options is to extract the Account name after the ocurrence of "Account For Which Logon Failed":

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCo`de<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<wanted_account>\V+)"
| table wanted_account

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw — Thu, 18 Nov 2010 03:21:35 GMT

thank you bwooden! your rex helped.

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw — Sat, 20 Nov 2010 02:48:11 GMT

wanted_account in the Results Table returns blank for this query.

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

ziegfried — Sat, 20 Nov 2010 22:18:31 GMT

I've forgot to add the multiline and dot-all flag to the regex. I've edited the search expression above.

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

pstraw — Sun, 21 Nov 2010 02:13:54 GMT

your query is working now. edit to remove the stray in EventCode<="537"

Re: Duplicate Field Extraction - Failed Logins in Windows 2008 Security Logs

aberdamy — Mon, 28 Sep 2020 16:21:35 GMT

How do I combine this with the "User_Name" field from the Windows 2003 "529" events? I want to create a top 10 count by the UserName + Account_Name