Archive

How Can I Assign a Text Value Based on a Specific Error Code/EventType?

Path Finder

Greetings, I am using the following query:

index=[my index] host=[specific host] sourcetype=XmlWinEventLog:Security EventCode=4624 (LogonType=10 OR LogonType=2 OR LogonType=7)
|search user!="ANONYMOUS LOGON" user!="*$" user!="SYSTEM"
|rename _time AS Time, user AS User, LogonType AS "Logon Type", Computer AS Host
|sort -Time
|table Time, User, "Logon Type", Host
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

In the table output it lists the Logon Type's numerical value. I really want to change that to something my manager will understand. So I want a Logon Type of 10 to display "Remote Desktop Logon", 2 to display "Local Logon", etc. I'm sure there's an easy way to do it. However, I must not be using the correct search terms as I can find any threads with what I'm looking for. Can anyone help? Thanks.

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

There are only 13 Logon Types (refer to https://technet.microsoft.com/en-in/library/cc787567(v=ws.10).aspx and https://msdn.microsoft.com/en-us/library/aa394189.aspx).

You can create a lookup table for the same.

System-(0)-Used only by the System account.
Interactive-(2)-Intended for users who are interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.
Network-(3)-Intended for high-performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.
Batch-(4)-Intended for batch servers, where processes can be executed on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.
Service-(5)-Indicates a service-type logon. The account provided must have the service privilege enabled.
Proxy-(6)-Indicates a proxy-type logon.
Unlock-(7)-This logon type is intended for GINA DLLs logging on users who are interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.
NetworkCleartext-(8)-Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
NewCredentials-(9)-Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identify, but uses different credentials for other network connections.
RemoteInteractive-(10)-Terminal Services session that is both remote and interactive.
CachedInteractive-(11)-Attempt cached credentials without accessing the network.
CachedRemoteInteractive-(12)-Same as RemoteInteractive. This is used for internal auditing.
CachedUnlock-(13)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Path Finder

So this is what I ended up doing (it uses suggestions from a couple of the above posts):

index=[my index] host=[my hosts] sourcetype=XmlWinEventLog:Security EventCode=4624 (LogonType=10 OR LogonType=2 OR LogonType=7)
|search user!="ANONYMOUS LOGON" user!="*$" user!="SYSTEM"
|table _time, user, LogonType, Description, Computer
|lookup Logon.csv LogonType OUTPUT Description
|rename _time AS Time, user AS User, Computer AS Host, LogonType AS "Logon Type"
|sort -Time
|convert timeformat="%a %b %d, %Y %I:%M:%S %p" ctime(Time) As Time

I created a lookup.csv file with the three logon types and corresponding descriptions. I can always add more if necessary. So now my table shows Time, User, Logon Type, Description, and Host columns. I was hoping there was a way to get rid of the Description column and just replace the "Logon Type" result (e.g, 10,7, or 3) with the Description text. Thanks for the help. I'm not sure which reply would be the best "Accepted" answer.

0 Karma

Esteemed Legend

Make sure that you Up-Vote each answer that works and each comment that helped and then Accept the one that you used (even if it wasn't "the best" answer).

0 Karma

Esteemed Legend

You normally do this with lookups (usually automatic ones), but if you only have 3 cases, you can add this to your search.

... | eval BossLogonType = case((LogonType=10),"Remote Desktop Logon",
                                (LogonType=2), "Local Logon",
                                ...
                                true(), "UNKNOWN/ERROR")

Then use BossLogonType instead of LogonType.

0 Karma

SplunkTrust
SplunkTrust

Here's a run-anywhere example.

This makes test data -

| makeresults count=10 | streamstats count | rename count as LogonType

This is the join you need - you will need to fill out with the wording you want for each LogonType. Separate the types with four exclamation points just like this.

| join type=left LogonType [| makeresults | eval LogType="1=System!!!!2=Local Login!!!!3=Network!!!!4=Batch!!!!10=Remote Desktop Login!!!!5=Etc"| makemv delim="!!!!" LogType | mvexpand LogType | makemv delim="=" LogType | eval LogonDesc=mvindex(LogType,1) | eval LogonType=mvindex(LogType,0) | table LogonType LogonDesc]

This shows you your results.

| table LogonType LogonDesc

...which look like this...

LogonType LogonDesc     
1         System        
2         Local Login   
3         Network       
4         Batch         
5         Etc           
6                       
7                       
8                       
9                       
10        Remote Desktop Login
0 Karma

SplunkTrust
SplunkTrust

There are only 13 Logon Types (refer to https://technet.microsoft.com/en-in/library/cc787567(v=ws.10).aspx and https://msdn.microsoft.com/en-us/library/aa394189.aspx).

You can create a lookup table for the same.

System-(0)-Used only by the System account.
Interactive-(2)-Intended for users who are interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.
Network-(3)-Intended for high-performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.
Batch-(4)-Intended for batch servers, where processes can be executed on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.
Service-(5)-Indicates a service-type logon. The account provided must have the service privilege enabled.
Proxy-(6)-Indicates a proxy-type logon.
Unlock-(7)-This logon type is intended for GINA DLLs logging on users who are interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.
NetworkCleartext-(8)-Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
NewCredentials-(9)-Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identify, but uses different credentials for other network connections.
RemoteInteractive-(10)-Terminal Services session that is both remote and interactive.
CachedInteractive-(11)-Attempt cached credentials without accessing the network.
CachedRemoteInteractive-(12)-Same as RemoteInteractive. This is used for internal auditing.
CachedUnlock-(13)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post