- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How To Filter Only administrator logins
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good evening, i have this problem to solve:
i've installed splunk web and a client machine with splunk heavy forwarder, how i can forward to indexer only administrators login?
we have more than one network administrator's users with this suffix: ??admin (instead question marks we have two letters)
i need only login-logout-failed login
unfortunately i don't understand how to config files works (and tecnical english is so difficult for me)
i've already read these links but i did't understand a lot, and the second link is uncomplete and it doesn't work.. (surely because i've lost a crucial part of setting)
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad
this is my first time who i need to modify config files witouth UI
if you can tell me the right settings i would be grateful, thank you very much (and i apologize my possible grammar errors)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, you need to know the sourcetype for this data. I assume that the sourcetype is WinEventLog:Security. Second, these configurations should go on the indexer(s) or heavy forwarder - not the Universal Forwarder.
In props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
In transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = EventCode=(?:528| 529| 538)
DEST_KEY = queue
FORMAT = indexQueue
Please test this regular expression before committing this to production! I think I have it right, but my typing is not always the best!
Documentation here:
Keep specific events and discard the rest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, you need to know the sourcetype for this data. I assume that the sourcetype is WinEventLog:Security. Second, these configurations should go on the indexer(s) or heavy forwarder - not the Universal Forwarder.
In props.conf:
[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing
In transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = EventCode=(?:528| 529| 538)
DEST_KEY = queue
FORMAT = indexQueue
Please test this regular expression before committing this to production! I think I have it right, but my typing is not always the best!
Documentation here:
Keep specific events and discard the rest
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[setparsing]
REGEX = User=(?:\w*admin\w*|Administrator)
DEST_KEY = queue
FORMAT = indexQueue
(Using backtics around the text to solve the "doesn't show backslash" problem)
And I can see that checking for the user name would be superior to testing for event codes...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize for my delay,
i've solved with this string:
[setparsing]
REGEX = User=(?:\w*admin\w*|Administrator)
DEST_KEY = queue
FORMAT = indexQueue
the better way to index administrators' login for our needs
thank you very much for your advice
Angelo
p.s. the character "backslash" is not shown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there are other info requested:
LOGOFF ADMIN:
07/03/2012 03:04:33 PM
LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=??dmin
Sid=(DELETED)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45129
Message=User Logoff:
User Name: ??admin
Domain: MyDomain
Logon ID: (0x0,0x3E0B1C4)
Logon Type: 10
FAILED LOGIN
07/03/2012 03:14:30PM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=TEST-SPLUNK
User=SYSTEM
Sid=(deleted)
Sid Type=5
Category=2
CategoryString=Logon/Logoff
RecordNumber=45131
Message=Logon Failure:
Reason: Unknown user name or bad password
User Name: ??admin
Domain: MyDomain
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TEST-SPLUNK
Caller User Name: TEST-SPLUNK$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1744
Transited Services: -
Source Network Address: ....
Source Port: 65220
POWER USER LOGON
07/03/2012 03:18:30 PM
LogName=Security
SourceName=Security
EventCode=528
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=pa00623
Sid=(DELETED)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45139
Message=Successful Logon:
User Name: pa*****
Domain: MyDomain
Logon ID: (0x0,0x4064B5D)
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: TEST-SPLUNK
Logon GUID: {DELETED}
Caller User Name: TEST-SPLUNK$
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2296
Transited Services: -
Source Network Address: ...
Source Port: 65253
I hope this could be useful to help me
Thank You
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is an administrator login
LogName=Security
SourceName=Security
EventCode=528
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=??admin
Sid=(deleted)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45077
Message=Successful Logon:
User Name:??admin
Domain: Mydomain
Logon ID:(Deleted)
Logon Type:10
Logon Process:User32
Authentication Package: Negotiate
Workstation Name:TEST-SPLUNK
Logon GUID:{deleted}
Caller User Name:TEST-SPLUNK$
Caller Domain: Mydomain Caller Logon ID: (deleted,deleted)
Caller Process ID: 2948
Transited Services: -
Source Network Address: ...
Source Port:52948
unfortunately i'm not in an office now to do power user login.. if it is necessary i'm going to do it more or less in 8 hours
i need to log also EventCode:529 (failure audit) and EventCode:538 (user logoff)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you give us a small sample of the raw log file? You can change the server names, ip addresses, etc. for security, but it would be very helpful to see 3-5 lines of the log file. If possible, I would like to see at least one entry for an administrator login and one entry for a regular user login.
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
Modern way of developing distributed application using OTel
