Hi All,
I'm presently forwarding a number of different events to a receiver. It's working fine for complete events (i.e. 4729, 4728, etc.), but I would like to be able to forward on both the Event ID and Logon Type.
For example, in the below log the EventCode is 4624 but the Logon Type is 3. I would like to be able to select EventCode=4624 and Logon_Type=(2|10). I've tried the below, however I can't get it to select anything... I'm also thinking that the actual Logon Type is actually in the Message field... But I'm not sure about this one...
Any help would be appreciated!
---transforms.conf---
[WindowsLogonEvent675]
REGEX = (?msi)EventCode=4624.*(Message=Logon Type:*2|10)
DEST_KEY = _TCP_ROUTING
FORMAT = forwarder
---example event log---
20110307143629.000000
Category=12544
CategoryString=Logon
ComputerName=DomainController.company.com
EventCode=4624
EventIdentifier=4624
EventType=4
Logfile=Security
RecordNumber=17680457
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20110307043629.730128-000
TimeWritten=20110307043629.730128-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=An account was successfully logged on.
Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
Logon Type: 3
New Logon: Security ID: S-1-5-21-1275210071-113007714-1343024091-24644
Process Information: Process ID: 0x0 Process Name: -
Network Information:
Workstation Name:
Source Network Address: 10.10.10.10
Source Port: 2537
Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
There seems to be a problem with your regex. The regex
(Message=Logon Type:*2|10)
will match either only the exact text "Message=Logon Type:2", or "Message=Logon Type2" without the colon, or finally "10" (the other half of the regex).
Something like this should work:
REGEX = (?msi)EventCode=4624.*Logon Type:\s*(2|10)
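As an added check, not part of the original thread: this Python snippet runs both regexes over a constructed, abbreviated copy of the sample event and shows that the original pattern fires on the Logon Type 3 event (it finds a bare "10" in the source IP address), while the corrected pattern only fires for types 2 and 10.

```python
import re

# Constructed sample, abbreviated from the question's 4624 event (Logon Type 3).
# The Message field spans several lines, which is why (?s) is needed so that
# .* can reach from EventCode= down to the "Logon Type:" line.
SAMPLE_EVENT = """20110307143629.000000
Category=12544
EventCode=4624
TimeGenerated=20110307043629.730128-000
Type=Audit Success
Message=An account was successfully logged on.
Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0
Logon Type: 3
Network Information:
Source Network Address: 10.10.10.10
Source Port: 2537
"""

# The pattern from the question: the alternation splits the whole group into
# "Message=Logon Type:*2"  OR  "10", so a bare "10" anywhere satisfies it.
BROKEN = re.compile(r"(?msi)EventCode=4624.*(Message=Logon Type:*2|10)")

# The corrected pattern from the answer: the alternation is now scoped to the
# digits that follow "Logon Type:", with optional whitespace in between.
FIXED = re.compile(r"(?msi)EventCode=4624.*Logon Type:\s*(2|10)")


def with_logon_type(event: str, logon_type: int) -> str:
    """Return a copy of the constructed event with a different Logon Type."""
    return re.sub(r"Logon Type: \d+", f"Logon Type: {logon_type}", event)


def captured(pattern: re.Pattern, event: str):
    """Return what group 1 captured, or None when the routing rule would not fire."""
    m = pattern.search(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    for lt in (2, 3, 10, 11):
        ev = with_logon_type(SAMPLE_EVENT, lt)
        print(f"Logon Type {lt:>2}: broken -> {captured(BROKEN, ev)!r:6} "
              f"fixed -> {captured(FIXED, ev)!r}")
```

Python's `re` and the PCRE engine Splunk uses agree on the constructs involved here ((?msi), \s*, alternation), so the behaviour carries over to transforms.conf.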
UPDATE: Splunk 6.*
Since this version you can actually specify a list or range of event codes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.
see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
example:
[WinEventLog:Security]
disabled = 0
blacklist=566,800-850
Thank you!!!!! That was driving me insane (which wasn't a long trip)!
Cheers!