Hi Splunkers,
Has anyone seen this or something similar? We are collecting Windows Event Logs from Windows servers via a logging tool and they are being forwarded to a Splunk HF. Due to the logging system format, Splunk is not parsing the fields automatically.
Here is a sample event:
Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - [Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" level="Information" channel="Security" opcode="Info" eventrecordid="383694869" providername="Microsoft-Windows-Security-Auditing"] An account was successfully logged on.
Subject:
Security ID: S-1-5-20
Account Name: WINSVR001-V$
Account Domain: AD
Logon ID: 0x3e4
Logon Type: 8
New Logon:
Security ID: S-1-5-21-503695880-123456789-3595387526-4510
Account Name: jdoe
Account Domain: AD
Logon ID: 0x139c67d30
Logon GUID: {F325D620-6114-0657-01BF-F25C4AD21656}
Process Information:
Process ID: 0x3f8
Process Name: D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
Network Information:
Workstation Name: WINSVR001-V
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
We are using Splunk Add-on for Microsoft Windows 8.0. Is it possible to modify the existing conf files to have the fields parsed? Using the add-on with all the defined fields will integrate with CIM and ES nicely. I'm trying to avoid reinventing the wheel and doing a brute force regex on the whole event.
If you're up to the challenge, I'm looking for:
-Is it possible to modify the Splunk Add-on for Microsoft Windows 8.0 to recognize the above wineventlog format?
-Can someone help me with the regex to parse all the wineventlog fields and values?
I appreciate the help in advance.
Thanks,
H
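As an added illustration (not part of the original post, and not taken from the Splunk Add-on for Microsoft Windows), the block below parses the sample event from the post in the three layers it actually has: the syslog relay prefix plus an RFC 5424 header, the `[Originator@6876 ...]` structured-data element, and the multi-line "Key: value" body of event 4624. The named groups are the same regexes one would drop into a props.conf EXTRACT or transforms.conf REGEX. The mapping of SD-params onto classic WinEventLog names (EventCode, RecordNumber, LogName, ...) and the section-prefixed body field names are assumptions made for this example, not the add-on's actual extractions. The sample event is reconstructed from the post; the line breaks in the body are assumed.

```python
import json
import re

# Constructed sample: the event quoted in the post, reassembled as one
# multi-line syslog message (the body line breaks are an assumption).
SAMPLE_EVENT = (
    "Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z "
    'WINSVR001 - - - [Originator@6876 eventid="4624" task="Logon" '
    'keywords="Audit Success" level="Information" channel="Security" '
    'opcode="Info" eventrecordid="383694869" '
    'providername="Microsoft-Windows-Security-Auditing"] '
    "An account was successfully logged on.\n"
    "Subject:\nSecurity ID: S-1-5-20\nAccount Name: WINSVR001-V$\n"
    "Account Domain: AD\nLogon ID: 0x3e4\nLogon Type: 8\n"
    "New Logon:\nSecurity ID: S-1-5-21-503695880-123456789-3595387526-4510\n"
    "Account Name: jdoe\nAccount Domain: AD\nLogon ID: 0x139c67d30\n"
    "Logon GUID: {F325D620-6114-0657-01BF-F25C4AD21656}\n"
    "Process Information:\nProcess ID: 0x3f8\n"
    "Process Name: D:\\Program Files\\Microsoft\\Exchange Server\\V14\\"
    "ClientAccess\\PopImap\\Microsoft.Exchange.Imap4.exe\n"
    "Network Information:\nWorkstation Name: WINSVR001-V\n"
    "Source Network Address: -\nSource Port: -\n"
    "Detailed Authentication Information:\nLogon Process: Advapi\n"
    "Authentication Package: Negotiate\nTransited Services: -\n"
    "Package Name (NTLM only): -\nKey Length: 0\n"
)

# Relay prefix (BSD timestamp + relay host), then the RFC 5424 header:
# VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, one SD element, MSG.
HEADER_RE = re.compile(
    r"^(?P<relay_ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<relay_host>\S+)\s+"
    r"(?P<version>\d+)\s+(?P<event_ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
    r"\[(?P<sd_id>[^\s\]]+)\s*(?P<sd_params>[^\]]*)\]\s*(?P<msg>.*)$",
    re.DOTALL,
)
# SD-PARAM pairs inside the brackets; backslash-escaped quotes are tolerated.
SD_PARAM_RE = re.compile(r'(?P<k>[A-Za-z0-9_.@-]+)="(?P<v>(?:[^"\\]|\\.)*)"')
# "Key: value" body lines; the lazy key splits on the FIRST colon, so a value
# such as "D:\Program Files\..." keeps its own colon.
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")

# Assumed mapping onto classic WinEventLog field names (not from the add-on).
SD_TO_WINEVENTLOG = {
    "eventid": "EventCode", "eventrecordid": "RecordNumber",
    "channel": "LogName", "providername": "SourceName",
    "task": "TaskCategory", "keywords": "Keywords",
    "level": "Type", "opcode": "OpCode",
}


def splunk_name(label: str) -> str:
    """Turn 'Package Name (NTLM only)' into a Splunk-safe field name."""
    return re.sub(r"[^A-Za-z0-9]+", "_", label).strip("_")


def parse_body(msg: str) -> tuple:
    """Split the body into its summary sentence and section-prefixed fields."""
    lines = msg.splitlines()
    summary = lines[0].strip() if lines else ""
    fields, section = {}, None
    for line in lines[1:]:
        if not line.strip():
            section = None  # a blank line ends a section in the native text
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val")
        if val == "":
            section = key  # "Subject:", "New Logon:", ... open a section
            continue
        fields[splunk_name(f"{section} {key}" if section else key)] = val
    return summary, fields


def parse_event(raw: str) -> dict:
    """Parse one syslog-wrapped Windows event into header, SD params and fields."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("event does not match the expected syslog header")
    sd = {p.group("k"): p.group("v") for p in SD_PARAM_RE.finditer(m.group("sd_params"))}
    summary, body_fields = parse_body(m.group("msg"))
    fields = {"ComputerName": m.group("host")}  # the originating server, not the relay
    fields.update({SD_TO_WINEVENTLOG.get(k, k): v for k, v in sd.items()})
    fields.update(body_fields)
    return {
        "header": {k: m.group(k) for k in ("relay_ts", "relay_host", "event_ts", "host")},
        "sd": sd,
        "summary": summary,
        "fields": fields,
    }


if __name__ == "__main__":
    print(json.dumps(parse_event(SAMPLE_EVENT), indent=2))
```

Two practical notes for moving this into Splunk: the `(?P<name>...)` groups are PCRE-compatible, so the header and SD-param patterns can go into a transforms.conf REGEX or a props.conf EXTRACT for whatever sourcetype the HF assigns, and a props.conf TIME_PREFIX that skips the relay timestamp and host lets Splunk take the original ISO 8601 event time rather than the relay's local time. The body lines are only extractable this way if the event arrives as one multi-line event, so check the sourcetype's line-breaking settings first. Whether the add-on's own stanzas can be pointed at this wrapped format is not something this example settles.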