Hi All, currently in Splunk many of the Windows logs have multiple accounts, domains, names, etc., and they all parse the same way.

index=windows sourcetype="WinEventLog:Security" EventCode=4728

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4728
EventType=0
Type=Information
ComputerName=VMDC01.XXXXXXs.com
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=666661820
Keywords=Audit Success
Message=A member was added to a security-enabled global group.

Subject:
    Security ID:        XXXXX\TEST01
    Account Name:       TEST01
    Account Domain:     TEST
    Logon ID:           0xB7D860D0

Member:
    Security ID:        XXXXXX\HXXX005
    Account Name:       CN=LXXXX\, Lucy,OU=Disabled Users,DC=XXXXXXs,DC=com

Group:
    Security ID:        XXXXXX\OutlookCachedModeUsers
    Group Name:         OutlookCachedModeUsers
    Group Domain:       XXXXXX

Additional Information:
    Privileges:
The resulting logs have a "Group", a "Subject" and a "Member" section that each contain a "Security ID" field. These need to be parsed individually as GroupSecurityID, SubjectSecurityID and MemberSecurityID. This should be done for each sub-field.
Kindly guide me on this.
Hey, if you configure the input to render the logs as XML, the fields will have proper unique names instead of what you experienced.
You could also do this manually for all of them, but it's some work and not very flexible.
xpac, thanks for your response, but I am not sure whether you understood the requirement correctly. We need the below details to be parsed as individual fields in Splunk.
Security ID: XXXXX\TEST01
Account Name: TEST01
Account Domain: TEST
Logon ID: 0xB7D860D0
SubjectSecurityID, SubjectSecurity_AccountName, SubjectSecurity_AccountDomain and SubjectSecurity_LogonID
So kindly guide me on how to get this.
Any help on this will be much appreciated !!!
I would not use XML-rendered events unless (1) there is data you need in the EventData subsection of the XML that is not also in the Message field, or (2) your Splunk users are competent with tstats-based event data exploration. XML field extraction is incredibly expensive at search time for dense data sets like the Windows security logs.
Here is a query I use to differentiate between the subject and member security IDs. In cases where differentiation matters I do not rely on the Splunk_TA_windows auto-extractions; I use custom field extractions instead.
sourcetype=WinEventLog:Security EventCode=4728
| rex field=Message "(?<summary>.*)"
| rex field=Message "Subject:\s+Security ID:\s+(?<Subject_Security_ID>.*)\s+Account Name:\s+(?<Subject_Account_Name>.*)\s+Account Domain:\s+(?<Subject_Account_Domain>.*)\s+Logon ID:\s+(?<Subject_Logon_ID>.*)"
| rex field=Message "Member:\s+Security ID:\s+(?<Member_Security_ID>.*)\s+Account Name:\s+(?<Member_Account_Account_Name>.*)"
| rex field=Message "Group:\s+Security ID:\s+(?<Group_Security_ID>.*)\s+Group Name:\s+(?<Group_Group_Name>.*)\s+Group Domain:\s+(?<Group_Group_Domain>.*)"
| table _time host sourcetype EventCode summary Subject_Security_ID Subject_Account_Name Subject_Account_Domain Subject_Logon_ID Member_Security_ID Member_Account_Account_Name Group_Security_ID Group_Group_Name Group_Group_Domain
Thanks dstaulcu for your effort on this. Actually my client wants these field values auto-extracted instead of having the end users execute the query. So could you please guide me on how to create a props & transforms stanza in order to get the same results automatically, without executing the customized query?
Thanks in advance.
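As an added example (not code from this thread, nor from Splunk_TA_windows), here is the section-anchored approach from the rex answer above, reworked so one set of regex definitions serves both requests in the thread: it checks the extractions locally against a constructed sample Message, and it renders the same regexes as props.conf EXTRACT- stanzas so the fields are extracted automatically at search time without any rex in the user's query. The field names, the stanza names, the `[^\r\n]+` value pattern and the sample event text are my assumptions, not the thread's.

```python
import re

# Constructed sample Message body of a 4728 event, modelled on the anonymised
# event posted in the thread (not a real log). Windows writes each field on
# its own line, which is what the regexes below rely on.
SAMPLE_MESSAGE = (
    "A member was added to a security-enabled global group.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tXXXXX\\TEST01\n"
    "\tAccount Name:\t\tTEST01\n"
    "\tAccount Domain:\t\tTEST\n"
    "\tLogon ID:\t\t0xB7D860D0\n"
    "\n"
    "Member:\n"
    "\tSecurity ID:\t\tXXXXXX\\HXXX005\n"
    "\tAccount Name:\t\tCN=LXXXX\\, Lucy,OU=Disabled Users,DC=XXXXXXs,DC=com\n"
    "\n"
    "Group:\n"
    "\tSecurity ID:\t\tXXXXXX\\OutlookCachedModeUsers\n"
    "\tGroup Name:\t\tOutlookCachedModeUsers\n"
    "\tGroup Domain:\t\tXXXXXX\n"
    "\n"
    "Additional Information:\n"
    "\tPrivileges:\t\t-\n"
)

# One PCRE-style regex per section, in the (?<name>...) syntax that Splunk's
# rex command and props.conf EXTRACT- stanzas accept. Anchoring on the section
# header ("Subject:", "Member:", "Group:") is what keeps the three identical
# "Security ID:" labels apart; [^\r\n]+ stops each value at the end of its own
# line so a greedy match cannot run into the next field. Field names assumed.
VALUE = r"[^\r\n]+"
EXTRACTIONS = {
    "subject": (
        rf"Subject:\s+Security ID:\s+(?<Subject_Security_ID>{VALUE})"
        rf"\s+Account Name:\s+(?<Subject_Account_Name>{VALUE})"
        rf"\s+Account Domain:\s+(?<Subject_Account_Domain>{VALUE})"
        rf"\s+Logon ID:\s+(?<Subject_Logon_ID>{VALUE})"
    ),
    "member": (
        rf"Member:\s+Security ID:\s+(?<Member_Security_ID>{VALUE})"
        rf"\s+Account Name:\s+(?<Member_Account_Name>{VALUE})"
    ),
    "group": (
        rf"Group:\s+Security ID:\s+(?<Group_Security_ID>{VALUE})"
        rf"\s+Group Name:\s+(?<Group_Name>{VALUE})"
        rf"\s+Group Domain:\s+(?<Group_Domain>{VALUE})"
    ),
}


def _to_python_regex(pcre: str) -> str:
    """Python's re spells named groups (?P<name>...); PCRE/Splunk use (?<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pcre)


def extract_fields(message: str) -> dict:
    """Run every extraction against one Message body and return the fields found.

    A section that is absent (e.g. a truncated event) simply yields no fields,
    mirroring how a non-matching EXTRACT- stanza behaves in Splunk.
    """
    fields = {}
    for rx in EXTRACTIONS.values():
        m = re.search(_to_python_regex(rx), message)
        if m:
            fields.update({k: v.strip() for k, v in m.groupdict().items()})
    return fields


def props_conf_stanza(sourcetype: str = "WinEventLog:Security") -> str:
    """Render the same regexes as search-time EXTRACT- stanzas for props.conf.

    EXTRACT- runs against _raw by default, and _raw carries the full Message
    text, so no "in Message" clause is needed. The assumed deployment location
    is local/props.conf of an app on the search head.
    """
    lines = [f"[{sourcetype}]"]
    for name, rx in EXTRACTIONS.items():
        lines.append(f"EXTRACT-{name} = {rx}")
    return "\n".join(lines)


if __name__ == "__main__":
    for k, v in extract_fields(SAMPLE_MESSAGE).items():
        print(f"{k:25s} {v}")
    print()
    print(props_conf_stanza())
```

Run it once to confirm the nine fields come out of the sample, then paste the printed stanza into props.conf. Because the regexes key on the section header rather than on "Security ID:" alone, they also apply cleanly to the other group-management events that share this layout, and no transforms.conf entry is required for plain field extraction.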
Can't think of a way to do that off hand, but I will challenge myself to figure it out.
Thanks dstaulcu, I am trying to seek help from xpac on this.
Hi dstaulcu, thanks, and I sincerely appreciate your time and effort. Great work!!!
Hey, do I need to upload all the files which are present in the GitHub repository to the Splunk_TA_windows app folder to achieve the results? Kindly guide me on this.