Getting Data In

How To Filter Only administrator logins

Explorer

Good evening, i have this problem to solve:
i've installed splunk web and a client machine with splunk heavy forwarder, how i can forward to indexer only administrators login?
we have more than one network administrator's users with this suffix: ??admin (instead question marks we have two letters)
i need only login-logout-failed login
unfortunately i don't understand how to config files works (and tecnical english is so difficult for me)

i've already read these links but i did't understand a lot, and the second link is uncomplete and it doesn't work.. (surely because i've lost a crucial part of setting)

http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad

http://splunk-base.splunk.com/answers/9076/how-to-configure-a-forwarder-to-filter-and-send-only-the-...

this is my first time who i need to modify config files witouth UI
if you can tell me the right settings i would be grateful, thank you very much (and i apologize my possible grammar errors)

0 Karma
1 Solution

Legend

First, you need to know the sourcetype for this data. I assume that the sourcetype is WinEventLog:Security. Second, these configurations should go on the indexer(s) or heavy forwarder - not the Universal Forwarder.

In props.conf:

[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = EventCode=(?:528| 529| 538)
DEST_KEY = queue
FORMAT = indexQueue

Please test this regular expression before committing this to production! I think I have it right, but my typing is not always the best!

Documentation here:

Keep specific events and discard the rest

View solution in original post

Legend

First, you need to know the sourcetype for this data. I assume that the sourcetype is WinEventLog:Security. Second, these configurations should go on the indexer(s) or heavy forwarder - not the Universal Forwarder.

In props.conf:

[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = EventCode=(?:528| 529| 538)
DEST_KEY = queue
FORMAT = indexQueue

Please test this regular expression before committing this to production! I think I have it right, but my typing is not always the best!

Documentation here:

Keep specific events and discard the rest

View solution in original post

Legend

[setparsing]
REGEX = User=(?:\w*admin\w*|Administrator)
DEST_KEY = queue
FORMAT = indexQueue

(Using backtics around the text to solve the "doesn't show backslash" problem)

And I can see that checking for the user name would be superior to testing for event codes...

0 Karma

Explorer

I apologize for my delay,

i've solved with this string:

[setparsing]
REGEX = User=(?:\w*admin\w*|Administrator)
DEST_KEY = queue
FORMAT = indexQueue

the better way to index administrators' login for our needs

thank you very much for your advice

Angelo

p.s. the character "backslash" is not shown

0 Karma

Explorer

there are other info requested:

LOGOFF ADMIN:
07/03/2012 03:04:33 PM

LogName=Security
SourceName=Security
EventCode=538
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=??dmin
Sid=(DELETED)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45129
Message=User Logoff:

User Name: ??admin
Domain: MyDomain

Logon ID: (0x0,0x3E0B1C4)
Logon Type: 10

FAILED LOGIN

07/03/2012 03:14:30PM
LogName=Security
SourceName=Security
EventCode=529
EventType=16
Type=Failure Audit
ComputerName=TEST-SPLUNK
User=SYSTEM
Sid=(deleted)
Sid Type=5
Category=2
CategoryString=Logon/Logoff
RecordNumber=45131
Message=Logon Failure:

Reason: Unknown user name or bad password

User Name: ??admin
Domain: MyDomain

Logon Type: 10

Logon Process: User32

Authentication Package: Negotiate

Workstation Name: TEST-SPLUNK
Caller User Name: TEST-SPLUNK$

Caller Domain: MyDomain

Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1744

Transited Services: -

Source Network Address: ....

Source Port: 65220

POWER USER LOGON

07/03/2012 03:18:30 PM
LogName=Security
SourceName=Security
EventCode=528
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=pa00623
Sid=(DELETED)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45139
Message=Successful Logon:

User Name: pa*****
Domain: MyDomain

Logon ID: (0x0,0x4064B5D)
Logon Type: 10

Logon Process: User32

Authentication Package: Negotiate

Workstation Name: TEST-SPLUNK
Logon GUID: {DELETED}

Caller User Name: TEST-SPLUNK$

Caller Domain: MyDomain

Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2296
Transited Services: -

Source Network Address: ...
Source Port: 65253

I hope this could be useful to help me
Thank You

0 Karma

Explorer

this is an administrator login

LogName=Security
SourceName=Security
EventCode=528
EventType=8
Type=Success Audit
ComputerName=TEST-SPLUNK
User=??admin
Sid=(deleted)
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=45077
Message=Successful Logon:
User Name:??admin
Domain: Mydomain
Logon ID:(Deleted)
Logon Type:10
Logon Process:User32

Authentication Package: Negotiate
Workstation Name:TEST-SPLUNK
Logon GUID:{deleted}
Caller User Name:TEST-SPLUNK$
Caller Domain: Mydomain Caller Logon ID: (deleted,deleted)
Caller Process ID: 2948
Transited Services: -
Source Network Address: ...
Source Port:52948

unfortunately i'm not in an office now to do power user login.. if it is necessary i'm going to do it more or less in 8 hours
i need to log also EventCode:529 (failure audit) and EventCode:538 (user logoff)

0 Karma

Legend

Can you give us a small sample of the raw log file? You can change the server names, ip addresses, etc. for security, but it would be very helpful to see 3-5 lines of the log file. If possible, I would like to see at least one entry for an administrator login and one entry for a regular user login.

0 Karma