Getting Data In

How to get Splunk know the Account name when the Local or Global Group changed in Windows server 2008?

New Member

Hi all,

I found a problem when I migrate Splunk from Windows server 2003 to Windows server 2008.

I created a alert for local or global groups changed.
It works well in Windows server 2003. But in Windows Server 2008, there is only Sid, no Account Name. Here is an example. If I add myslf into the administrator group. (I have changd some real information....) Thank you in advance!

In windows server 2003:

SourceName=Security
EventCode=636
Type=Success Audit

......

......

Message=Security Enabled Local Group Member Added:

Member Name: -

Member ID: AP\zyxcc

Target Account Name: Administrators

Target Domain: Builtin
Target Account ID: AP\Administrators

Caller User Name: zyxcc

Caller Domain: AP

......

But in windows server 2008, there has Sid, but no account name for the member's information:

SourceName=Microsoft Windows security auditing.
EventCode=4732

......

......

Keywords=Audit Success

Message=A member was added to a security-enabled local group.

Subject:

Security ID: S-1-5-21-981343549-14154652-165423545

Account Name: zyxcc

Account Domain: AP

Logon ID: 0x51ed123

Member:

Security ID: S-1-5-21-981343549-14154652-165423545

Account Name: -

Group:

Security ID: BUILT\Administrators

Group Name: Administrators

Group Domain: Built

......

0 Karma

SplunkTrust
SplunkTrust

check the event description 4732: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4732
the Account Name is extracted but if you dont use the windows TA you will have to use eval on the Account_Name field as it contains 2 values, 1 for the account who made the change and one for the member of the group.
when using the Windows TA, splunk extracts the fields src_user and user accordingly

0 Karma