
How to filter off winevent code to capture only failure audit status?

Contributor

Hi,

How can I filter out "type=Success Audit" logs off a Windows event and log only the failure logs?

Currently I have this in transforms.conf:
[setnull]
REGEX = (?m)^EventCode = 673
DEST_KEY = queue
FORMAT = nullQueue

It is filtering off all of 673, but now I would like to capture the failure logs of 673 but not the success logs.

I'm just wondering if something like this can be done:
REGEX = (?m)^(EventCode = 673)(type = "Success Audit")

Thanks


Re: How to filter off winevent code to capture only failure audit status?

Super Champion

I think something like this will work for you:

REGEX = [\r\n]+EventCode=673[\r\n]+.*?[\r\n]+Type=Success Audit[\r\n]

I would recommend reading up on regex syntax here:


On second glance, I'm not sure that your given example stanza should work the way you want it to. If you have a regex that's matching EventCode=673, then only those events would be sent to the null queue and everything else would be indexed as normal. So you really need a regex that matches everything but event code 673. Then to meet your full requirements (filtering out the success messages), you would want a regex that filters out everything but failure 673 events. Another approach is to use two transformers: the first one routes all events to the nullQueue, and the second only matches your 673 failure messages and then sets the queue to indexQueue.

You may find some more helpful examples on how to do this here:

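To see how the order of transforms decides which events survive, here is an added Python simulation (not Splunk code and not from anyone in this thread) that applies regexes in transforms order to constructed events modelled on the sample posted later in the thread. It assumes Python's re module behaves like Splunk's PCRE for these patterns and that, as in Splunk, the last matching transform sets the queue.

```python
import re

# Constructed sample event modelled on the one posted in the thread (not real
# log data); Splunk puts each Windows event key=value on its own line.
SUCCESS_673 = """08/05/10 05:39:03 PM
LogName=Security
SourceName=Security
EventCode=673
EventType=8
Type=Success Audit
ComputerName=ServerA
User=SYSTEM
Message=Service Ticket Request:"""

FAILURE_673 = SUCCESS_673.replace("Type=Success Audit", "Type=Failure Audit")
OTHER_EVENT = SUCCESS_673.replace("EventCode=673", "EventCode=528")

SAMPLES = {"success_673": SUCCESS_673, "failure_673": FAILURE_673, "other": OTHER_EVENT}


def route(event, transforms):
    """Mimic Splunk queue routing: transforms run in the order they are listed
    in props.conf (TRANSFORMS-...), each match overwrites the queue key, so the
    last matching transform wins. Events matching nothing are indexed."""
    queue = "indexQueue"
    for regex, dest in transforms:
        if re.search(regex, event):
            queue = dest
    return queue


def summarize(transforms):
    """Return the queue each constructed sample ends up in."""
    return {name: route(ev, transforms) for name, ev in SAMPLES.items()}


# The original [setnull] stanza: drops every 673, success and failure alike.
DROP_ALL_673 = [(r"(?m)^EventCode=673", "nullQueue")]

# Dropping only 673 successes with the multi-line regex suggested above.
DROP_673_SUCCESS = [(r"[\r\n]+EventCode=673[\r\n]+.*?[\r\n]+Type=Success Audit[\r\n]", "nullQueue")]

# Two transforms: first send everything to nullQueue, then rescue only 673
# failure audits into indexQueue (nothing else is indexed at all).
KEEP_ONLY_673_FAILURE = [
    (r".", "nullQueue"),
    (r"(?ms)^EventCode=673$.*?^Type=Failure Audit$", "indexQueue"),
]
```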


Re: How to filter off winevent code to capture only failure audit status?

Super Champion

Do your WinEventLogs contain spaces between the keys and values? For example, do you see "EventCode = 673", or "EventCode=673"?


Re: How to filter off winevent code to capture only failure audit status?

Contributor

I see Eventcode=673 without spaces.


Re: How to filter off winevent code to capture only failure audit status?

Contributor

Hi,

If two transformers are used and the first one routes all events to nullQueue, then we will not be able to capture any other events?

Your REGEX seems to be working fine and thanks for the link.


Re: How to filter off winevent code to capture only failure audit status?

Contributor

I was mistaken. It doesn't seem to be working. Using the REGEX, I've tried to filter off based on User instead:
REGEX = [\r\n]+EventCode=673[\r\n]+.*?[\r\n]+User=SYSTEM[\r\n]
But it doesn't work.

Here is a sample of Windows event:
08/05/10 05:39:03 PM
LogName=Security
SourceName=Security
EventCode=673
EventType=8
Type=Success Audit
ComputerName=ServerA
User=SYSTEM
..
..
..
CategoryString=Account Logon
..
Message=Service Ticket Request:

User Name:      ServerA.com

User Domain:        ServerA.com

Service Name:       ServerA$

..
..

Failure Code:       -

...

Transited Services: -

Re: How to filter off winevent code to capture only failure audit status?

Explorer

I did it like that:

[wminull]
REGEX = (?msi)^(EventCode=697|Type=Audit Success)
DEST_KEY = queue
FORMAT = nullQueue

So it simply filters EventCode=697 OR Type=Audit Success to the null queue


Re: How to filter off winevent code to capture only failure audit status?

Builder

I had to set something up like this. They wanted a list of the top 20 failed logins by userid.

I set the following up as an event type: index="prod_dc_event_logs" sourcetype="security" Type="Failure Audit" EventCode="538" OR EventCode="540" OR EventCode="680"

Then I set the following search up: eventtype="WINTEL_FailedLogin" | chart count by Logon_account | sort 20 - count

Brian


Re: How to filter off winevent code to capture only failure audit status?

Contributor

Hi,

Thanks for the suggestions.
This is working for us by capturing eventcode 578 AND Type=Audit Success:
REGEX = (?msi)^EventCode=578.*^(Type=Audit Success)
