Help with Extracting WinEventLog Fields

hfernandez_
Path Finder

Hi Splunkers,

Has anyone seen this or something similar? We are collecting Windows Event Logs from Windows servers via a logging tool and they are being forwarded to a Splunk HF. Due to the logging system format, Splunk is not parsing the fields automatically.

Here is a sample event:


Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - [Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" level="Information" channel="Security" opcode="Info" eventrecordid="383694869" providername="Microsoft-Windows-Security-Auditing"] An account was successfully logged on.
	
	Subject:
		Security ID:		S-1-5-20
		Account Name:		WINSVR001-V$
		Account Domain:		AD
		Logon ID:		0x3e4
	
	Logon Type:			8
	
	New Logon:
		Security ID:		S-1-5-21-503695880-123456789-3595387526-4510
		Account Name:		jdoe
		Account Domain:		AD
		Logon ID:		0x139c67d30
		Logon GUID:		{F325D620-6114-0657-01BF-F25C4AD21656}
	
	Process Information:
		Process ID:		0x3f8
		Process Name:		D:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
	
	Network Information:
		Workstation Name:	WINSVR001-V
		Source Network Address:	-
		Source Port:		-
	
	Detailed Authentication Information:
		Logon Process:		Advapi  
		Authentication Package:	Negotiate
		Transited Services:	-
		Package Name (NTLM only):	-
		Key Length:		0
	

We are using Splunk Add-on for Microsoft Windows 8.0. Is it possible to modify the existing conf files to have the fields parsed? Using the add-on with all the defined fields will integrate with CIM and ES nicely. I'm trying to avoid reinventing the wheel and doing a brute force regex on the whole event.

If you're up to the challenge, I'm looking for:

- Is it possible to modify the Splunk Add-on for Microsoft Windows 8.0 to recognize the above wineventlog format?

- Can someone help me with the regex to parse all the wineventlog fields and values?


I appreciate the help in advance.


Thanks,

H
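An added stand-alone parser (not from the post, the Windows add-on, or Splunk) showing one set of regexes that splits this syslog-wrapped event into the RFC 5424 structured-data parameters and the tab-indented Windows fields; section names are prefixed so the two "Account Name" values stay distinct. The sample is an abridged, constructed copy of the event quoted above.

```python
import re

# Constructed sample: an abridged copy of the event format quoted in the post above.
SAMPLE = (
    "Jun 11 12:00:08 LOGGING-SERVER.domain.com 1 2020-06-11T19:00:03.529Z WINSVR001 - - - "
    '[Originator@6876 eventid="4624" task="Logon" keywords="Audit Success" channel="Security"] '
    "An account was successfully logged on.\n\t\n"
    "\tSubject:\n\t\tSecurity ID:\t\tS-1-5-20\n\t\tAccount Name:\t\tWINSVR001-V$\n\t\tLogon ID:\t\t0x3e4\n\t\n"
    "\tLogon Type:\t\t\t8\n\t\n"
    "\tNew Logon:\n\t\tSecurity ID:\t\tS-1-5-21-503695880-123456789-3595387526-4510\n"
    "\t\tAccount Name:\t\tjdoe\n\t\tLogon ID:\t\t0x139c67d30\n\t\n"
    "\tProcess Information:\n\t\tProcess Name:\t\tD:\\Program Files\\Microsoft\\Exchange Server"
    "\\V14\\ClientAccess\\PopImap\\Microsoft.Exchange.Imap4.exe\n"
    "\tDetailed Authentication Information:\n\t\tLogon Process:\t\tAdvapi  \n"
)

# First line: BSD-style relay prefix, then the RFC 5424 fields, structured data and free-text message.
HEADER_RE = re.compile(
    r"^\S+ \S+ \S+ (?P<relay>\S+) \d+ (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ "
    r"\[(?P<sdid>[^ \]]+) (?P<sd>[^\]]*)\] (?P<msg>.*)$"
)
SD_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')                         # eventid="4624" ...
SECTION_RE = re.compile(r"^\t([^\t:][^:]*):\s*$")                     # "\tSubject:" (heading, no value)
KV_RE = re.compile(r"^\t+(?P<key>[^\t:][^:]*):\t+(?P<val>.*?)\s*$")  # "\t\tKey:\t\tvalue"

def _norm(name):
    return re.sub(r"[^A-Za-z0-9]+", "_", name).strip("_").lower()

def parse_event(raw):
    header, *lines = raw.split("\n")
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError("not a syslog-wrapped WinEventLog line")
    fields = {k: v for k, v in m.groupdict().items() if k != "sd"}
    fields.update(SD_PARAM_RE.findall(m.group("sd")))   # name="value" pairs from the [ ... ] block
    section = ""
    for line in lines:
        if not line.strip():
            continue
        s = SECTION_RE.match(line)
        if s:
            section = _norm(s.group(1))
            continue
        kv = KV_RE.match(line)
        if kv:
            if not line.startswith("\t\t"):   # single tab: top-level field such as "Logon Type"
                section = ""
            key = _norm(kv.group("key"))
            fields[f"{section}_{key}" if section else key] = kv.group("val")
    return fields
```

Once the patterns behave on real events they can be carried into EXTRACT- stanzas in props.conf; a value containing a colon (the Process Name path here) is the case most likely to break a looser regex.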
