Getting Data In

Help with Extracting WinEventLog Fields

hfernandez_
Path Finder

Hi Splunkers,

Has anyone seen this or something similar? We are collecting Windows Event Logs from Windows servers via a logging tool and they are being forwarded to a Splunk HF. Due to the logging system format, Splunk is not parsing the fields automatically.

Here is a sample event:

 

Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - [Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" level="Information" channel="Security" opcode="Info" eventrecordid="383694869" providername="Microsoft-Windows-Security-Auditing"] An account was successfully logged on.
	
	Subject:
		Security ID:		S-1-5-20
		Account Name:		WINSVR001-V$
		Account Domain:		AD
		Logon ID:		0x3e4
	
	Logon Type:			8
	
	New Logon:
		Security ID:		S-1-5-21-503695880-123456789-3595387526-4510
		Account Name:		jdoe
		Account Domain:		AD
		Logon ID:		0x139c67d30
		Logon GUID:		{F325D620-6114-0657-01BF-F25C4AD21656}
	
	Process Information:
		Process ID:		0x3f8
		Process Name:		D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
	
	Network Information:
		Workstation Name:	WINSVR001-V
		Source Network Address:	-
		Source Port:		-
	
	Detailed Authentication Information:
		Logon Process:		Advapi  
		Authentication Package:	Negotiate
		Transited Services:	-
		Package Name (NTLM only):	-
		Key Length:		0
	

We are using Splunk Add-on for Microsoft Windows 8.0.  Is it possible to modify the existing conf files to have the fields parsed?  Using the add-on with all the defined fields will integrate with CIM and ES nicely. I'm trying to avoid reinventing the wheel and doing a brute force regex on the whole event.

If you're up to the challenge, I'm looking for:

- Is it possible to modify the Splunk Add-on for Microsoft Windows 8.0 to recognize the above wineventlog format?

- Can someone help me with the regex to parse all the wineventlog fields and values?

I appreciate the help in advance.

Thanks,

H

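No answer is recorded on the page, so here is one way to pull the fields out of that event, written as an added example (not the poster's code and not the Splunk add-on's): a Python parser whose regexes separate the relay's syslog prefix, the `[Originator@6876 ...]` structured-data parameters (eventid, task, channel, ...) and the indented "Key: Value" body, prefixing body keys with their section so the Subject and New Logon account names stay distinct. The sample is constructed from the post's event with the body trimmed and tabs replaced by spaces, and the field names are this example's own, not the add-on's CIM names; the header and structured-data patterns are the pieces you would move into an add-on-level extraction.

```python
import re

# Constructed sample in the shape of the post's event (body trimmed, tabs replaced by spaces;
# the parser treats tabs and spaces alike). Syslog prefix, then [Originator@6876 ...], then text.
SAMPLE = r"""Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - [Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" level="Information" channel="Security" opcode="Info" eventrecordid="383694869" providername="Microsoft-Windows-Security-Auditing"] An account was successfully logged on.

    Subject:
        Security ID:        S-1-5-20
        Account Name:       WINSVR001-V$
    Logon Type:         8
    New Logon:
        Security ID:        S-1-5-21-503695880-123456789-3595387526-4510
        Account Name:       jdoe
    Process Information:
        Process Name:       D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
"""

# Line 1: relay time, relay host, version "1", event time, source host, three "-" placeholders
# (app-name, procid, msgid), the [SD-ID param="..." ...] block, then the event message.
HEADER_RE = re.compile(
    r'^(?P<syslog_time>\w{3}\s+\d+\s[\d:]+)\s(?P<relay>\S+)\s1\s(?P<event_time>\S+)\s(?P<host>\S+)'
    r'\s\S+\s\S+\s\S+\s\[(?P<sd_id>[^\s\]]+)(?P<sd_params>[^\]]*)\]\s(?P<message>.*)$')
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')  # eventid="4624" ... (escaped quotes not handled)
KV_RE = re.compile(r'^(?P<indent>\s*)(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$')  # Key:<ws>Value

def norm(name):  # 'Package Name (NTLM only)' -> 'Package_Name_NTLM_only' (our naming, not the TA's)
    return re.sub(r'\W+', '_', name).strip('_')

def parse_event(raw):
    """Flat dict of fields; body keys are prefixed with their section, e.g. New_Logon_Account_Name."""
    head, _, body = raw.partition('\n')
    m = HEADER_RE.match(head)
    if not m:
        raise ValueError('syslog/structured-data header did not match')
    fields = {k: v for k, v in m.groupdict().items() if k != 'sd_params'}
    fields.update(SD_PARAM_RE.findall(m.group('sd_params')))  # eventid, task, channel, ...
    section, section_indent = None, 0
    for line in body.splitlines():
        kv = KV_RE.match(line)
        if not kv:  # blank or tab-only separator lines
            continue
        indent, key, value = len(kv.group('indent')), kv.group('key').strip(), kv.group('value')
        if value == '':  # "Subject:" / "New Logon:" open a section
            section, section_indent = key, indent
            continue
        if section and indent <= section_indent:  # back at section level, e.g. "Logon Type: 8"
            section = None
        fields[norm(f'{section} {key}' if section else key)] = value
    return fields
```

The Process Name value contains a colon of its own; the non-greedy key pattern stops at the first colon on the line, so the full path survives.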