I'm trying to create a dashboard based on a number of Windows events and I have been banging my head up against this one all day.
The event structure is always similar to:
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=$computername
TaskCategory=Logon
OpCode=Info
RecordNumber=299255
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: No
Impersonation Level: Impersonation
New Logon:
Security ID: $DOMAIN\$username
Account Name: $username
Account Domain: $FQDN
Logon ID: $LOGON_ID
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: $LOGON_GUID
I've been trying to extract the Security IDs as two separate fields and so far, in this particular context, I have failed. I've tried a number of things. The closest I've gotten is using a field transformation to combine the two and then splitting. However, the split is not always on the same delimiter, e.g. some Security IDs have a space between, so I can't split on that.
I actually have this working for a different check using the following:
index=wineventlog EventCode=4740 | eval temp=split(member_id,"$DOMAIN\\") | eval "Locked Account"=mvindex(temp,1) | rename Caller_Computer_Name as "Lockout Source",_time as "Lockout Event Time" | convert ctime("Lockout Event Time") | table "Lockout Event Time", "Locked Account", "Lockout Source"
(member_id is a concatenation of both Security_IDs)
However, this doesn't work for the above example because the 2nd Security ID is not always $DOMAIN\$username.
Hope this makes sense!
Have you tried extracting the Security IDs by creating a new field representing the parent? We had the same problem: users wanted to have a distinct field for each Security ID, and we used an extract in props.conf to do it:
[WinEventLog:Security]
EXTRACT-SUBJECT_SUB_Extract = Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*Logon ID:\s*(?P<Subject_Logon_ID>\S+)
EXTRACT-GROUP_SUB_Extract = Group\s?:\s+Security ID:\s*(?P<Group_Security_ID>(.*?))\s*Group Name:\s*(?P<Group_Group_Name>(.*?))\s*Group Domain:\s*(?P<Group_Group_Domain>(\S*?))\s
EXTRACT-NEWLOGON_SUB_Extract = New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*Account Domain:\s*(?P<NLogon_Account_Domain>(.*?))\s+Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s
M.
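The extraction described in the answer, run outside Splunk as an added example (this is my code, not mdelwaide's and not part of Splunk_TA_windows): Python's re module accepts the same (?P<name>...) named-group syntax that a props.conf EXTRACT uses, so the Subject and New Logon patterns can be checked against a constructed 4624 message body before they go into production. The two sample messages, the CORP\jdoe account, its Logon ID and the NEWLOGON_STRICT_RE / NEWLOGON_LOOSE_RE names are all constructed for this example. The block also shows why the split()-on-domain approach from the question returns nothing when a Security ID is not DOMAIN\user, and that an Account Domain pattern written with \S cannot match a domain containing a space such as NT AUTHORITY (common on anonymous network logons).

```python
import re

# Constructed sample message body, laid out the way Splunk ingests the Windows
# Message field (tab-indented, CRLF line endings). CORP\jdoe and the Logon ID
# are placeholders, not real identities.
SAMPLE_4624 = (
    "An account was successfully logged on.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tNULL SID\r\n"
    "\tAccount Name:\t\t-\r\n"
    "\tAccount Domain:\t\t-\r\n"
    "\tLogon ID:\t\t0x0\r\n\r\n"
    "Logon Information:\r\n"
    "\tLogon Type:\t\t3\r\n\r\n"
    "New Logon:\r\n"
    "\tSecurity ID:\t\tCORP\\jdoe\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tcorp.example.com\r\n"
    "\tLogon ID:\t\t0x3E7A1B\r\n"
    "\tLinked Logon ID:\t\t0x0\r\n"
)

# Second constructed sample: an anonymous network logon, where both the
# New Logon Security ID and the Account Domain contain a space.
SAMPLE_4624_ANON = (
    SAMPLE_4624.replace("CORP\\jdoe", "NT AUTHORITY\\ANONYMOUS LOGON")
    .replace("\t\tjdoe", "\t\tANONYMOUS LOGON")
    .replace("corp.example.com", "NT AUTHORITY")
)

# Subject block, as in the EXTRACT-SUBJECT_SUB_Extract regex. The Logon ID
# capture ends in \S+ so it is never an empty match.
SUBJECT_RE = re.compile(
    r"Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*"
    r"Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*"
    r"Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*"
    r"Logon ID:\s*(?P<Subject_Logon_ID>\S+)"
)

# New Logon block in two constructed variants: STRICT captures Account Domain
# with \S*? (no whitespace allowed), LOOSE with .*? so "NT AUTHORITY" matches.
NEWLOGON_STRICT_RE = re.compile(
    r"New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*"
    r"Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*"
    r"Account Domain:\s*(?P<NLogon_Account_Domain>(\S*?))\s+"
    r"Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s"
)
NEWLOGON_LOOSE_RE = re.compile(
    r"New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*"
    r"Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*"
    r"Account Domain:\s*(?P<NLogon_Account_Domain>(.*?))\s+"
    r"Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s"
)


def extract(message: str, *regexes: re.Pattern) -> dict:
    """Apply each EXTRACT-style regex and merge the named groups that matched,
    the way Splunk adds search-time fields; a regex that does not match adds
    nothing rather than failing the whole event."""
    fields = {}
    for rx in regexes:
        m = rx.search(message)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def split_on_domain(security_id: str, domain: str) -> str:
    """The split()/mvindex approach from the question: returns the user part
    only when the SID is literally DOMAIN\\user, otherwise an empty string."""
    parts = security_id.split(domain + "\\")
    return parts[1] if len(parts) > 1 else ""


if __name__ == "__main__":
    for label, msg in (("domain user", SAMPLE_4624), ("anonymous", SAMPLE_4624_ANON)):
        fields = extract(msg, SUBJECT_RE, NEWLOGON_LOOSE_RE)
        print(label, "subject SID:", fields.get("Subject_Security_ID"),
              "| new logon SID:", fields.get("NLogon_Security_ID"))
        print(label, "strict New Logon match:",
              bool(NEWLOGON_STRICT_RE.search(msg)))
```

Each regex is applied independently, so a dashboard built on Subject_Security_ID and NLogon_Security_ID gets two distinct fields regardless of which delimiter (or none) the SID contains. Test the LOOSE variant against your own anonymous-logon and service-account events before relying on it, since any pattern that fails to match simply leaves the field absent rather than raising an error.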
Hi @gopenshaw,
It looks like this user mdelwaide provided the answer you were looking for. I converted their comment to an answer so that you could approve it.
Thanks!
Oddly, if I create these from the WebUI the exact same config is put into props.conf, but it seems to be working fine. Thanks for your help.
Thanks mdelwaide, this is exactly what I was looking for. I have applied this to our props.conf however the results from a sourcetype="WinEventLog:Security" don't bring up these additional fields.
I have added this to /opt/splunk/etc/apps/Splunk_TA_windows/local/props.conf, and I can see using btool that it has been loaded:
[splunk@ Splunk_TA_windows]$ /opt/splunk/bin/splunk cmd btool props list WinEventLog:Security | grep -i extract
EXTRACT-ACCLOCKOUT_SUB_Extract = Account That Was Locked Out:\s+Security ID:\s*(?P(.?))\s*Account Name:\s(?P(.))
EXTRACT-Account_Creator,Account_Created = (?m)(?s)Account\sName+?:\s+(?[a-zA-Z0-9-_]+).*Account\sName:\s+(?[a-zA-Z0-9-_]+)
EXTRACT-GROUP_SUB_Extract = Group\s?:\s+Security ID:\s*(?P<Group_Security_ID>(.*?))\s*Group Name:\s*(?P<Group_Group_Name>(.*?))\s*Group Domain:\s*(?P<Group_Group_Domain>(\S*?))\s
EXTRACT-NEWACCOUNT_SUB_Extract = New Account:\s+Security ID:\s*(?P(.?))\s*Account Name:\s(?P(.?))\s*Account Domain:\s(?P(\S*))
EXTRACT-NEWLOGON_SUB_Extract = New Logon:\s+Security ID:\s*(?P<NLogon_Security_ID>(.*?))\s*Account Name:\s*(?P<NLogon_Account_Name>(.*?))\s*Account Domain:\s*(?P<NLogon_Account_Domain>(.*?))\s+Logon ID:\s*(?P<NLogon_Logon_ID>\S*?)\s
EXTRACT-SUBJECT_SUB_Extract = Subject\s?:\s+Security ID:\s*(?P<Subject_Security_ID>(.*?))\s*Account Name:\s*(?P<Subject_Account_Name>(.*?))\s*Account Domain:\s*(?P<Subject_Account_Domain>.*?)\s*Logon ID:\s*(?P<Subject_Logon_ID>\S+)
Any ideas?