Hi All, I need to create parsing logic that takes the heading in the log as the name of the Splunk field. Many of the Windows logs have multiple accounts, domains, names, etc. and they all parse the same way.
Example:
index=windows sourcetype="WinEventLog:Security" EventCode=4728
04/10/2018 08:30:35 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4728
EventType=0
Type=Information
ComputerName=VMDC03.XXXXXXs.com
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=666661820
Keywords=Audit Success
Message=A member was added to a security-enabled global group.
Subject:
Security ID: XXXXX\TEST01
Account Name: TEST01
Account Domain: TEST
Logon ID: 0xB7D860D0
Member:
Security ID: XXXXXX\HXXX005
Account Name: CN=Legaspi\, Lucy,OU=Disabled Users,DC=XXXXXXs,DC=com
Group:
Security ID: XXXXXX\OutlookCachedModeUsers
Group Name: OutlookCachedModeUsers
Group Domain: XXXXXX
Additional Information:
Privileges:
The resulting logs have a "Group", "Subject" and "Member" that all have a "Security ID" field in them. These need to be parsed individually as Group_Security_ID, Subject_Security_ID, and Member_Security_ID. This should be done for each sub-field.
Kindly guide me on how to do this.
Thanks in advance.
You can create a field extraction using regex:
Subject:\n\s*Security\sID:\s*(?<Subject_Security_ID>\S*)[\n\s\S]*Member:\n\s*Security\sID:\s*(?<Member_Security_ID>\S*)[\n\s\S]*Group:\n\s*Security\sID:\s*(?<Group_Security_ID>\S*)
This will give you three fields:
Subject_Security_ID=XXXXX\TEST01
Member_Security_ID=XXXXXX\HXXX005
Group_Security_ID=XXXXXX\OutlookCachedModeUsers
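Added example (not code from the thread or from Splunk): the regex above works for the three sections in this event, but the underlying rule is general. A line that ends in a colon with nothing after it opens a section (Subject:, Member:, Group:, Additional Information:), and every "Key: value" line under it becomes <Section>_<Key>. The Python below applies the answer's regex (rewritten with Python's (?P<name>...) group syntax) and, beside it, a section-aware walk that produces the same prefixed fields for any section and key without a hand-written pattern per field. The sample message is constructed from the question's event; the account names in it are placeholders, and the function names are mine.

```python
import re

# Constructed sample: the Message body of the event shown in the question.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_MESSAGE = """\
Message=A member was added to a security-enabled global group.
Subject:
Security ID: XXXXX\\TEST01
Account Name: TEST01
Account Domain: TEST
Logon ID: 0xB7D860D0
Member:
Security ID: XXXXXX\\HXXX005
Account Name: CN=Legaspi\\, Lucy,OU=Disabled Users,DC=XXXXXXs,DC=com
Group:
Security ID: XXXXXX\\OutlookCachedModeUsers
Group Name: OutlookCachedModeUsers
Group Domain: XXXXXX
Additional Information:
Privileges:
"""

# The regex from the answer, with (?<name>...) changed to (?P<name>...)
# because Python's re module only accepts the latter form.
ANSWER_REGEX = re.compile(
    r"Subject:\n\s*Security\sID:\s*(?P<Subject_Security_ID>\S*)[\n\s\S]*"
    r"Member:\n\s*Security\sID:\s*(?P<Member_Security_ID>\S*)[\n\s\S]*"
    r"Group:\n\s*Security\sID:\s*(?P<Group_Security_ID>\S*)"
)


def extract_with_answer_regex(message):
    """Apply the answer's fixed three-field extraction to one Message body."""
    m = ANSWER_REGEX.search(message)
    return m.groupdict() if m else {}


# A section header is a label followed by ':' and nothing else on the line
# (Windows indents with tabs, hence the \s* on both sides).
SECTION_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*$")
# A field line is 'Label: value' with a non-empty value.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*):\s*(.+?)\s*$")


def parse_sections(message):
    """Generic version of the same idea: every 'Key: value' line is named
    <Section>_<Key> after the most recent section header, so a new section
    or a new key in a future event type needs no new extraction rule."""
    fields = {}
    section = None
    for line in message.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).strip().replace(" ", "_")
            continue
        fld = FIELD_RE.match(line)
        if fld and section:
            key = fld.group(1).strip().replace(" ", "_")
            fields[f"{section}_{key}"] = fld.group(2)
    return fields


if __name__ == "__main__":
    for name, value in extract_with_answer_regex(SAMPLE_MESSAGE).items():
        print(f"{name}={value}")
    print("---")
    for name, value in parse_sections(SAMPLE_MESSAGE).items():
        print(f"{name}={value}")
```

Splunk search-time field extractions are regex based, so the section walk is the kind of thing you would run in a pre-indexing script (as one of the replies below suggests) or use to generate the extraction rules; the point is that it yields Subject_Security_ID, Member_Security_ID and Group_Security_ID exactly as the regex does, plus Subject_Logon_ID, Group_Group_Name and the rest, from the same message. Sections with no key lines under them (Additional Information:, Privileges:) simply contribute nothing.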
Yes, of course you can.
But if the log format somehow changes, or you enable new security audits with new event types, then you will have to rewrite all of your custom field extraction rules.
I think it is bad to maintain manual field extractions for this type of log.
Hey, I gave what he asked for 🙂
Same problem. It's very confusing to see such a way to parse WinEventLogs.
We are bypassing this issue with an mvexpand hack.
Hi. I'm not sure if you can do this at index time, but can you create a script to treat the logs before indexing them?
Hey, can anyone throw some light on this?
Hi All,
Can anyone guide me on this?