- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Can't works whitelist with event log 4624
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I saw many answers to the same questions, but I can't see the work solution.
Can you help me with that:
I need send from forward to splunk server the windows event 4624 logs only with Account information which start from $$
I tried use:
whitelist1 = EventCode="4624" Message=".Account\sName:\s+^ +\$$)"
But it didn't help me 😞
Example Windows Log:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: XXX02019$
Account Domain: EU1
Logon ID: 0x3E7
Logon Type: 7
Impersonation Level: Impersonation
New Logon:
Security ID: EU1\$$atyshke1
Account Name: $$ATYSHKE1
Account Domain: EU1
Logon ID: 0xD2DC383
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x41b4
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: XXX02019
Source Network Address: XX.XXX.XX.XXX
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf - http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
Look at the Windows Event Log Monitor Section
Example from inputs.conf documentation:
whitelist = EventCode=%^200$% User=%jrodman%
Include events only if they have EventCode 200 and relate to User jrodman
Follow this pattern for your EventCode and Account Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. I will try
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But it doesn't help. I tried.
I found that code:
whitelist1 = EventCode="4624" Message="Account Name:\s+[$]\S*"
It seems works some time only
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I mean that I need find any Account Name with start double symbols $$
For example I have account with name $$atyshke1
I tried a code:
whitelist1 = EventCode="4624" Message="Account Name:\s+[$]+[$]\S*"
But splunk show me all accounts with one symbol $ and account without this symbol
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With + between the $ signs, it will match between 1 or more
Try testing this:
whitelist = EventCode=%^4624$% Message=%Account\sName:\s+\$\$.*%
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inputs.conf - http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
Look at the Windows Event Log Monitor Section
Example from inputs.conf documentation:
whitelist = EventCode=%^200$% User=%jrodman%
Include events only if they have EventCode 200 and relate to User jrodman
Follow this pattern for your EventCode and Account Name
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk
Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability
