I've been able to get the data from the AppLocker log into Splunk. A search with the data source piped into | xmlkv results in the expected result. I am trying to get the data into separate fields so | xmlkv does not have to be used. I've entered KV_mode=xml in props.conf for the data source, which does not work. I've also tried writing regex and transforms, but have not been successful with either. The end result I am going for is to have Splunk parse out the different fields. Plz....haaalp....I'm very new to Splunk and have been trying over the last few days to solve this.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-AppLocker' Guid='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'/>
<EventID>8002</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime='2016-05-16T18:31:15.732349300Z'/>
<EventRecordID>441</EventRecordID>
<Correlation/>
<Execution ProcessID='4164' ThreadID='5772'/>
<Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
<Computer>xxxxxxxxxxxxxxxxxxx</Computer>
<Security UserID='S-0-0-00-0000000000-0000000000-00000000-000000'/>
</System>
<UserData>
<RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>
<PolicyName>EXE</PolicyName>
<RuleId>{A61C8B2C-A319-4CD0-9690-D2177CAD7B51}</RuleId>
<RuleName>(Default Rule) All files located in the Windows folder</RuleName>
<RuleSddl>D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains "%WINDIR%\*"))</RuleSddl>
<TargetUser>S-0-0-00-0000000000-0000000000-00000000-000000</TargetUser>
<TargetProcessId>4904</TargetProcessId>
<FilePath>%SYSTEM32%\NOTEPAD.EXE</FilePath>
<FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
<Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\NOTEPAD.EXE\6.3.9600.17930</Fqbn>
</RuleAndFileData>
</UserData>
</Event>
Do you have the Splunk Add-on for Microsoft Windows ( https://splunkbase.splunk.com/app/742 ) installed on your Search Head?
It defines the following sourcetype stanza in props.conf, which I believe should auto-extract this for you (given that your sourcetype is "XmlWinEventLog:*"):
[(?::){0}XmlWinEventLog:*]
If this doesn't work out of the box with the add-on, could you try adding the following to Splunk_TA_windows?
local/transforms.conf:
[userdata_props_xml_kv]
# Extracts anything in the form of <tag>value</tag> as tag::value
SOURCE_KEY = UserData_Xml
REGEX = (?ms)<(\w*)>([^<]*)<\/\1>
FORMAT = $1::$2
MV_ADD = 1
local/props.conf:
[(?::){0}XmlWinEventLog:*]
REPORT-1xml_kv_extract = userdata_props_xml_kv
This is untested in Splunk, but I tested the regex in an online regex tool and I could see the fields extracted.
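To check what the transforms.conf regex from the answer above actually pulls out of an AppLocker 8002 event, here is an added example (not part of this thread or of Splunk_TA_windows) that applies that same regex to a constructed event and compares it with a namespace-aware XML parse. The sample event, hostname and placeholder hash are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the AppLocker event posted in the question (values redacted)
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-AppLocker' Guid='{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'/>
<EventID>8002</EventID>
<Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
<Computer>host01</Computer>
</System>
<UserData>
<RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'>
<PolicyName>EXE</PolicyName>
<RuleName>(Default Rule) All files located in the Windows folder</RuleName>
<FilePath>%SYSTEM32%\\NOTEPAD.EXE</FilePath>
<FileHash>0000000000000000000000000000000000000000000000000000000000000000</FileHash>
</RuleAndFileData>
</UserData>
</Event>"""

# The REGEX from the suggested transforms.conf stanza: only simple <tag>value</tag> pairs match,
# so self-closing elements and elements with attributes (Provider, RuleAndFileData) are skipped.
TAG_VALUE_RE = re.compile(r"(?ms)<(\w*)>([^<]*)<\/\1>")


def regex_extract(xml_text):
    """Return {tag: value} the way FORMAT = $1::$2 would name the fields."""
    return {tag: value for tag, value in TAG_VALUE_RE.findall(xml_text)}


def xml_extract(event_xml):
    """Namespace-aware parse: EventID/Channel from <System> plus every text leaf under <UserData>."""
    ns_ev = "{http://schemas.microsoft.com/win/2004/08/events/event}"
    root = ET.fromstring(event_xml)
    fields = {
        "EventID": root.findtext(f"{ns_ev}System/{ns_ev}EventID"),
        "Channel": root.findtext(f"{ns_ev}System/{ns_ev}Channel"),
    }
    for leaf in root.find(f"{ns_ev}UserData").iter():
        if len(leaf) == 0 and leaf.text is not None:      # leaf element carrying a value
            fields[leaf.tag.split("}")[-1]] = leaf.text   # drop the namespace prefix
    return fields


if __name__ == "__main__":
    print(regex_extract(SAMPLE_EVENT))
    print(xml_extract(SAMPLE_EVENT))
```

Run against the whole event the regex also picks up System fields (EventID, Channel, Computer); with SOURCE_KEY = UserData_Xml Splunk limits it to the UserData portion.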
Hi,
Add the parameter below to inputs.conf to render events as XML:
[stanza]
index=index_name
# this parameter will do the trick
renderXml=true
I'm having the same exact issue. Were you able to solve this?