Problem with Windows Security logs field extractor

Engager

Hi guys,

I'm auditing a file server in my domain (access, read, write...) with Windows event logs and Splunk, and it works rather well.

However, I have a problem with the "intelligent field extraction".
A standard collected Security log has the following structure:

06/23/2016 03:08:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=
TaskCategory=Partage de fichiers détaillé
OpCode=Informations
RecordNumber=20907498
Keywords=Succès de l’audit
Message=Un objet du partage réseau a été vérifié afin de savoir si l’accès souhaité peut être accordé au client.

Sujet :
ID de sécurité : ...
Nom du compte : Someone
Domaine du compte : ...
ID d’ouverture de session : ...

Informations sur le réseau :

Type d’objet : File
Adresse source : ...
Port source : ...

Informations de partage :
Nom de partage : ...
Chemin d’accès du partage : ...
Nom cible relatif : ...

Informations sur la demande d’accès :
Masque d’accès : ...
Accès : SYNCHRONIZE
Lecture données (ou liste de répertoire)
ReadAttributes

Résultat de la vérification d’accès :
SYNCHRONIZE: Accordé par D:(A;;FA;;;WD)
Lecture données (ou liste de répertoire): Accordé par D:(A;;FA;;;WD)
ReadAttributes: Accordé par D:(A;;FA;;;WD)

Here we have the "Accès" (Access) field, which has 3 values (it could be more; it depends on the user's action on the file): a set of values corresponding to the real action of the user (write, save, read...).

My problem is that the intelligent field extractor just considers Access to be the first value; the other values are treated as separate fields, since Windows logs don't always use the same pattern...

I tried to extract the fields manually, with the native Splunk functionality or with the Field Extractor app. I don't know if my log is too long, but it is truncated after "ID de Sécurité" (Security ID).

Do you know how to do this?

0 Karma

Esteemed Legend

Like this:

... | rex "(?ms)^[ \t]*Accès[^:\r\n]*:[ \t]*(?<Accesses>.*?)\r?\n\r?\n" | makemv tokenizer="[ \t]*([^\r\n]+)" Accesses
0 Karma

Engager

Thanks for your reply.

How can I handle the fact that there is not always the same number of fields? In my example there are 3 lines, but I have to handle other logs with more or fewer values.
Sometimes there are 5 fields, sometimes 1.
The only indicator is the blank line (\n\n or maybe \r\n\r\n) after the Access field.

0 Karma

Esteemed Legend

My answer creates a multi-valued field that can have many values, one for each item in the list. The double-newline terminator indicates the end of the list. Just try it.

0 Karma

Engager

It seems that it doesn't work. I have tried modifying the expression a little, since the exact format is:

...
Informations sur la demande d’accès :
(1 tab)Masque d’accès :(1 tab)0x100081
(1 tab)Accès :(1 space)(1 tab)SYNCHRONIZE
(4 tabs)Lecture données (ou liste de répertoire)
(4 tabs)ReadAttributes

...

with tabs, but without success.

0 Karma

Esteemed Legend

The only reason that I can see that it might not work is if there is whitespace between the newlines at the end, so try this:

... | rex "(?ms)^[ \t]*Accès[^:\r\n]*:[ \t]*(?<Accesses>.*?)\r?\n[ \t]*\r?\n" | makemv tokenizer="[ \t]*([^\r\n]+)" Accesses
0 Karma

Engager

It doesn't seem to work :(. The mystery remains.

0 Karma
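The following is an added worked example, not code from the thread. It reproduces the extraction in Python's `re` module on a constructed fragment of the event shown above (CRLF line endings, tab indentation, the French "Accès :" label with a space before the colon) so the two failure modes can be seen side by side: the pattern `Accès:` never matches because the label is "Accès :" with whitespace before the colon, and `[\r\n]{2}` is satisfied by a single CRLF, so even a corrected label would capture only the first line. The `SAMPLE_EVENT_NBSP` variant is an assumption, illustrating that a non-breaking space (U+00A0) before the colon would also defeat `\s` in Splunk's PCRE, which is why the robust pattern uses `[^:\r\n]*` instead. Python spells the named group `(?P<name>...)` where Splunk uses `(?<name>...)`; the regex is otherwise the same. The mask decoding uses the file-object ACCESS_MASK bits from winnt.h, which is the locale-independent way to get the requested rights from a 5145 event (0x100081 is FILE_READ_DATA | FILE_READ_ATTRIBUTES | SYNCHRONIZE, matching the three listed accesses).

```python
from __future__ import annotations

import re

# Constructed sample: the "access request" section of a French-locale 5145
# event with CRLF line endings and tab indentation, as described in the thread.
# The blank line after the list is the only reliable terminator.
SAMPLE_EVENT = (
    "Informations sur la demande d’accès :\r\n"
    "\tMasque d’accès :\t0x100081\r\n"
    "\tAccès :\t\tSYNCHRONIZE\r\n"
    "\t\t\t\tLecture données (ou liste de répertoire)\r\n"
    "\t\t\t\tReadAttributes\r\n"
    "\r\n"
    "Résultat de la vérification d’accès :\r\n"
    "\tSYNCHRONIZE: Accordé par D:(A;;FA;;;WD)\r\n"
)

# Hypothetical variant (assumption): a non-breaking space before the colon,
# which PCRE's \s would not match without UCP mode.
SAMPLE_EVENT_NBSP = SAMPLE_EVENT.replace("Accès :", "Accès\u00a0:")

# The pattern posted in the thread, in Python's named-group spelling. It
# requires "Accès:" with nothing before the colon, so it never matches, and
# [\r\n]{2} would stop at the first CRLF even if it did.
NAIVE_RE = re.compile(r"(?ms)^\s*Accès:\s+(?P<access>.*?)[\r\n]{2}")

# Robust version: anything but a colon between label and colon, horizontal
# whitespace after it, lazy capture up to the first blank line (CRLF-safe,
# tolerating tabs on the blank line).
ACCESS_RE = re.compile(
    r"(?ms)^[ \t]*Accès[^:\r\n]*:[ \t]*(?P<access>.*?)\r?\n[ \t]*\r?\n"
)

# The apostrophe in "d’accès" varies between ' and ’, hence the "." wildcard.
MASK_RE = re.compile(r"(?m)^[ \t]*Masque d.accès[^:\r\n]*:[ \t]*(0x[0-9A-Fa-f]+)")

# File-object ACCESS_MASK bits (winnt.h), lowest bit first.
FILE_ACCESS_BITS = [
    (0x00000001, "FILE_READ_DATA"),
    (0x00000002, "FILE_WRITE_DATA"),
    (0x00000004, "FILE_APPEND_DATA"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
]


def extract_access(event: str) -> list[str]:
    """Return the localized access names as a list (Splunk's multivalue field)."""
    m = ACCESS_RE.search(event)
    if m is None:
        return []
    # Same effect as makemv tokenizer="[ \t]*([^\r\n]+)": one trimmed value per line.
    return [line.strip() for line in m.group("access").splitlines() if line.strip()]


def extract_mask(event: str) -> int | None:
    """Return the access mask as an integer, or None if the line is absent."""
    m = MASK_RE.search(event)
    return int(m.group(1), 16) if m else None


def decode_mask(mask: int) -> list[str]:
    """Locale-independent decoding of the mask into Windows right names."""
    return [name for bit, name in FILE_ACCESS_BITS if mask & bit]


if __name__ == "__main__":
    print("naive pattern matches:", NAIVE_RE.search(SAMPLE_EVENT) is not None)
    print("access values:", extract_access(SAMPLE_EVENT))
    print("access values (NBSP variant):", extract_access(SAMPLE_EVENT_NBSP))
    mask = extract_mask(SAMPLE_EVENT)
    print(f"mask 0x{mask:x} ->", decode_mask(mask))
```

For audit rules (who wrote to which share) the decoded mask is the field to alert on: the localized strings change with the language pack, while the mask bits do not.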