I am trying to monitor our User Account logon activity through Splunk. As you might know, Active directory creates a huge amount of account logon events when a computer tries to access the network and does account activities as well. The only difference is that the Computer accounts have a "$" at the end of their names. this behavior will cause a lot of confusion for the teams when they are monitoring the environments for "Real" user activities.
I was thinking to create a field at indexing time "using an index time transform" to tag accounts with a $ in their names.
Here is the relevant part of the config in transforms.conf, props.conf and Fields.conf
[AD_Computer] REGEX = (?ms)\s+((Logon Account|Account Name):\s+\w+(\$)) \\this Regex will search for $ in the Account Name or Logon Account FORMAT = AD_Server::1 WRITE_META = True
and the Fields.conf
[AD_Server] INDEXED = true
here are the problems now:
1- The new tag "ADServer"can not be found in the list of fields, but if I type "ADServer=1" in the search bar, then i see some results.
2- the main purpose of this new field/tag was to be able to exclude the computer accounts from the search. However, when i add:
"AD_Server!=1" no results are returned!!
is there a way to say, if the Regex does not match a $, then the value for AD_Server is zero?
I was wondering if you have a better method to filter out these computer accounts or make the method i explained work properly.
Thanks for your help.
What's wrong with filtering names at search time?
index=wineventlog sourcetype=WinEventLog:Security NOT Account_Name="*$" | ...
@richgalloway's very valid point aside... You should know that there are two ways of searching for a field not equal to a particular value in Splunk, and their semantics are slightly different:
AD_Server!=1 -> Means find all events that have a field named AD_Server with a value that is not equal to 1
NOT AD_Server=1 -> Means find all events that do not have a field named AD_Server with value equal to 1
It's very slight, but only the second form will find those events where the field ADServer is not defined... the first form it will only return events that have a field named ADServer. (which since you're only creating the field when you're assigning 1 to it, you want the second form)
You could indeed setup a second transform that would match only if the username does not contain a $... which likely would be a rather expensive regex, possibly involving backreferences... and you would have to run both the ADComputer and the NOT ADComputer regexes... Or you would just need to change your filter a bit, which might be the easier option.