Getting Data In

Filtering on Both EventCode and Logon Type for Forwarder

Scarecrowddb
Explorer

Hi All,

I'm presently forwarding a number of different events to a receiver. It's working fine for complete events, (i.e 4729, 4728 etc.) but I would like to be able to forward on Both the Event ID and Logon Type.

For example in the below log's the EventCode is 4624 but the Logon Type is 3. I would like to be able to select EventCode=4624 and Logon_Type=(2|10). I've tried the below however I can't get it to select anything... I'm also thinking that the actual Logon Type is actually in the Message Field... But I'm not sure about this one...

Any help would be appreciated!

---transforms.conf---

[WindowsLogonEvent675]
REGEX = (?msi)EventCode=4624.*(Message=Logon Type:*2|10)
DEST_KEY = _TCP_ROUTING
FORMAT = forwarder

---example event log---

20110307143629.000000
Category=12544
CategoryString=Logon
ComputerName=DomainController.company.com
EventCode=4624
EventIdentifier=4624
EventType=4
Logfile=Security
RecordNumber=17680457
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20110307043629.730128-000
TimeWritten=20110307043629.730128-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=An account was successfully logged on.

Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0

Logon Type: 3

New Logon: Security ID: S-1-5-21-1275210071-113007714-1343024091-24644

Process Information: Process ID: 0x0 Process Name: -

Network Information: Workstation Name:
Source Network Address: 10.10.10.10 Source Port: 2537

Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

1 Solution

Ayn
Legend

There seems to be a problem with your regex. The regex

(Message=Logon Type:*2|10)

will match either only the exact text "Message=Logon Type:2", or "Message=Logon Type2" without the colon or finally "10" (the other half of the regex).

Something like this should work:

REGEX = (?msi)EventCode=4624.*Logon Type:\s*(2|10)

View solution in original post

Ayn
Legend

There seems to be a problem with your regex. The regex

(Message=Logon Type:*2|10)

will match either only the exact text "Message=Logon Type:2", or "Message=Logon Type2" without the colon or finally "10" (the other half of the regex).

Something like this should work:

REGEX = (?msi)EventCode=4624.*Logon Type:\s*(2|10)

yannK
Splunk Employee
Splunk Employee

UPDATE splunk 6.*
Since this version you can actually specify a list or range of eventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.

see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

example:

[WinEventLog:Security]
disabled = 0
blacklist=566,800-850

0 Karma

Scarecrowddb
Explorer

Thank you!!!!! That was driving me insane (which wasn't a long trip)!

Cheers!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...