topic Windows Events Log in Splunk Search

Windows Events Log

ashishv — Sat, 29 Jan 2011 05:37:49 GMT

Hello list,

i have a requirement where i imported Windows Event log (CSV format) into splunk, and now i need to extract specific fields out of that log. i tried field extraction, newbie alert, and went no where... will appreciate if someone can help me in this..

requirement need to report on Logon id and Workstation type used by that Logon ID.

here's how the logs look like:

1:02:58.000 PM Information 12/30/2010 1:02:58 PM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.

Subject:

    Security ID:        SYSTEM

    Account Name:       XXXXXXXX

    Account Domain:     CORP

    Logon ID:       0x3e7

Logon Type:         8

New Logon:

    Security ID:        XXXX\XXXXX

    Account Name:       EEEEEEE

    Account Domain:     CORP

    Logon ID:       0x1d34affb6

    Logon GUID:     {8BBCB019-8C3B-F16A-8DBB-702C6D5840DE}

Process Information:

    Process ID:     0x2694

    Process Name:       C:\Windows\System32\inetsrv\w3wp.exe

Network Information:

    Workstation Name:   XXXXXXX

    Source Network Address: 11.11.11.11

    Source Port:        11099

Detailed Authentication Information:

    Logon Process:      Advapi  

    Authentication Package: Negotiate

    Transited Services: -

    Package Name (NTLM only):   -

    Key Length:     0

Re: Windows Events Log

ashishv — Sat, 29 Jan 2011 05:38:51 GMT

ahhh i dont know how this got formatted... all these vars are in separate lines.

Re: Windows Events Log

Ayn — Sat, 29 Jan 2011 05:43:08 GMT

Hm, that doesn't really look like proper CSV - for instance it doesn't have commas separating the fields!

But, the following regex should work for extracting the Logon ID:

Logon ID:\s*(?<logon_id>)\S+)

And correspondingly for Workstation Name:

Workstation Name:\s*(?<workstation_name>\S+)

Apply this using either the interactive field extractor, or by using the rex operator.

Re: Windows Events Log

ashishv — Tue, 01 Feb 2011 00:29:45 GMT

my bad, this is not a CSV, Windows Event log is saved as text log, and i imported in the splunk monitor using upload a local file.

not sure how to attach a file with this question...

Re: Windows Events Log

Ayn — Tue, 01 Feb 2011 05:09:45 GMT

Are these separate lines treated as separate events as well now, or do you have some line breaking rules in place that make sure they're all part of the same event? If it's the former I'd suggest that you look into the transaction command, perhaps something like "| transaction startswith='Subject:'". In the latter case the field extractions should work fine.

Re: Windows Events Log

mw — Wed, 02 Feb 2011 08:01:15 GMT

Do you have the Windows app installed? If not, I believe it should take care of all of these extractions for you. You can install it even if your splunk instance is on *nix.