Getting Data In

Splunk_TA_Windows 8.2.0 - User DN incorrect extraction

pizzor
Path Finder

Edit: After working with Splunk support, this issue is fixed in TA version 8.5.0.


I recently upgraded our Windows TA from 8.0.0 to 8.2.0. I've noticed that with the Event IDs relating to users being removed or added to groups (4728, 4729, 4732) the user removed or added is logged by Windows with their full DN. Splunk before the upgrade was pulling the full DN and extracting it into the user field. Now it seems to not be doing the same. Our DNs contain "Lastname, Firstname" with the log having that first comma escaped.

12/09/2021 00:00:00 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4732
EventType=0
Type=Information
ComputerName=domaincontroller
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1111111111
Keywords=Audit Success
Message=A member was added to a security-enabled local group.

Subject:
	Security ID:		CONTOSO\user_admin
	Account Name:		user_admin
	Account Domain:		CONTOSO
	Logon ID:		0xD5D5D5DA

Member:
	Security ID:		CONTOSO\FLastname
	Account Name:		CN=Lastname\, Firstname,OU=Users,DC=CONTOSO,DC=com

Group:
	Security ID:		CONTOSO\Group_RW
	Group Name:		Group_RW
	Group Domain:		CONTOSO

This is extracted correctly into the Account_Name field, though both the Subject and Member users are placed into Account_Name as an mv field. For some reason, when this same value is extracted into user, it gets extracted only as "Lastname\".


I've done a diff on the default\props and transforms and didn't see any changes to the extractions of this field that I can find, and I had no customization here. I'm at a bit of a loss as to why this would even change. We are using the WinEventLog:Security sourcetype as well. Other extractions seem to be working as intended.

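The truncation in the post is the classic escaped-comma problem: in an LDAP distinguished name (RFC 4514) a comma inside a value is written as "\,", so any extraction whose value class is "everything up to the next comma" stops at the backslash and yields "Lastname\". The example below is added here to show the mechanism and the fix; it is not the Splunk_TA_Windows extraction and does not claim to reproduce the TA's actual regex. It runs a naive pattern and an escape-aware pattern over a constructed 4732 event modelled on the one quoted above, then parses the full DN into RDNs with escapes resolved, which is what a group-membership detection keyed on the member's user field actually needs. The sample event, the function names and the CN_NAIVE/CN_ESCAPE_AWARE patterns are all assumptions of this example.

```python
import re

# Constructed sample, modelled on the 4732 event quoted in the post (not a real
# log). The Member's Account Name is a DN whose first comma is escaped as "\,".
SAMPLE_4732 = (
    "EventCode=4732\n"
    "Message=A member was added to a security-enabled local group.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tCONTOSO\\user_admin\n"
    "\tAccount Name:\t\tuser_admin\n"
    "\tAccount Domain:\t\tCONTOSO\n"
    "\tLogon ID:\t\t0xD5D5D5DA\n"
    "\n"
    "Member:\n"
    "\tSecurity ID:\t\tCONTOSO\\FLastname\n"
    "\tAccount Name:\t\tCN=Lastname\\, Firstname,OU=Users,DC=CONTOSO,DC=com\n"
    "\n"
    "Group:\n"
    "\tSecurity ID:\t\tCONTOSO\\Group_RW\n"
    "\tGroup Name:\t\tGroup_RW\n"
    "\tGroup Domain:\t\tCONTOSO\n"
)


def section_field(event, section, field):
    """Return the value of `field` inside the indented `section:` block of the
    Message body (Subject:, Member:, Group:), or None if absent. Keeps the
    Subject and Member values apart instead of merging them into one mv field."""
    block = re.search(rf"^{re.escape(section)}:\n((?:[ \t].*\n?)+)", event, re.M)
    if not block:
        return None
    m = re.search(rf"^[ \t]+{re.escape(field)}:[ \t]+(.*?)[ \t]*$", block.group(1), re.M)
    return m.group(1) if m else None


# Naive value class: stops at the first comma, escaped or not. This is the
# shape of extraction that turns the DN into "Lastname\" (illustration only,
# not the TA's regex).
CN_NAIVE = re.compile(r"CN=([^,]+)")

# Escape-aware value class: an RDN value is a run of escape pairs (backslash
# plus any character) or characters that are neither comma nor backslash, so
# the match only ends at an unescaped comma.
CN_ESCAPE_AWARE = re.compile(r"CN=((?:\\.|[^,\\])+)")


def raw_cn(dn, pattern=CN_ESCAPE_AWARE):
    """CN value as it appears in the DN (still escaped), using `pattern`."""
    m = pattern.match(dn)
    return m.group(1) if m else None


def parse_dn(dn):
    """Split an RFC 4514 DN into (attribute, value) pairs with escapes resolved.
    Handles '\\c' single-character escapes and '\\XX' hex pairs (single byte;
    multi-byte UTF-8 hex sequences are not reassembled). '+' multi-valued RDNs
    are left as part of the value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(chr(int(pair, 16)))   # hex-pair escape, e.g. \2C -> ','
                i += 3
            else:
                buf.append(dn[i + 1])            # simple escape, e.g. \, -> ','
                i += 2
            continue
        if ch == ",":                            # unescaped comma: RDN boundary
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value))
    return pairs


def member_user(event):
    """The value a detection on 4728/4729/4732 wants in `user`: the resolved CN
    when the Member's Account Name is a DN, otherwise the plain account name."""
    name = section_field(event, "Member", "Account Name")
    if name is None:
        return None
    pairs = parse_dn(name)
    if pairs and pairs[0][0].upper() == "CN":
        return pairs[0][1]
    return name


if __name__ == "__main__":
    dn = section_field(SAMPLE_4732, "Member", "Account Name")
    print("naive        :", raw_cn(dn, CN_NAIVE))
    print("escape-aware :", raw_cn(dn, CN_ESCAPE_AWARE))
    print("parsed DN    :", parse_dn(dn))
    print("user         :", member_user(SAMPLE_4732))
```

The two patterns differ only in the character class, which is the thing to compare against the user extraction in the TA's default/props.conf and transforms.conf when diffing versions: a class that excludes commas without also allowing backslash pairs will truncate every DN whose CN contains an escaped comma, and a detection that matches `user` against a watchlist or joins it to identity data will silently miss those members.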