
Windows Event Line Break

Path Finder

Have the following defined in my inputs.conf

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

Have the following defined in my props.conf

[default]

BREAK_ONLY_BEFORE_DATE = True

Log File
01/18/2013 11:45:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=XXXX
TaskCategory=Logoff
OpCode=Info

-----Line Break is Occurring Here -----

RecordNumber=1173295928
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: XXX
Account Name: XXX
Account Domain: XXX
Logon ID: XXX
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

It should only be breaking on the date; however, as shown above, it's breaking at the RecordNumber. This is happening on only 2 of my DCs. Splunk, from what I can see, is configured the same way on all 5 of my DCs. Anyone have any ideas on what this could be?

Thanks!

Michael


Re: Windows Event Line Break

Builder

It appears that Splunk sees the value of the RecordNumber and equates that to epoch time. Does the second half of the event get timestamped Wed, 07 Mar 2007 19:32:08 GMT?

What might help is to define TIME_FORMAT and possibly utilize BREAK_ONLY_BEFORE in the props.conf for that sourcetype. Something like this might work:

props.conf on indexing server

[WinEventLog:Security]
# TIME_FORMAT is a strptime format, not a regex: plain slashes, and %I (12-hour) rather than %H so that %p (AM/PM) takes effect
TIME_FORMAT = %m/%d/%Y %I:%M:%S %p
# a new event starts only at a line that begins with the MM/DD/YYYY HH:MM:SS AM|PM header
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

If this answer resolves your issue, please mark it as the accepted answer. Thanks.


Re: Windows Event Line Break

Path Finder

No, it appears to be timestamped the same as the top half.


Re: Windows Event Line Break

Builder

I would still try BREAK_ONLY_BEFORE to see if that resolves the issue. You don't have to try TIME_FORMAT if BREAK_ONLY_BEFORE resolves it.


Re: Windows Event Line Break

Path Finder

No go on either in the props.conf. Still showing the line break as indicated above.


Re: Windows Event Line Break

Builder

Is it possible to include a sanitized props.conf?


Re: Windows Event Line Break

Path Finder

The only thing I have in my props.conf (etc/system/local) file is what was given above.

[default]

[WinEventLog:Security]
TIME_FORMAT = %m\/%d\/%Y %H:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

We are defining most of our regex extractions in the default search app. None of them are defined for Windows; we have been using the default auto-extractions for Windows-based logging and search-time regex when needed.


Re: Windows Event Line Break

Builder

The TIME_FORMAT might not be needed. Also, I see some issues with the regex on the BREAK_ONLY_BEFORE. It might be due to formatting when you pasted into the comment. Please verify that the regex is exactly what I submitted earlier in the ticket.

Also, please be sure that this goes into the props.conf on the indexing server. Do you run a distributed Splunk environment, or single server instance?


Re: Windows Event Line Break

Path Finder

OK, I added the stanza and BREAK_ONLY_BEFORE to our paired indexing servers:

[WinEventLog:Security]
TIME_FORMAT = %m\/%d\/%Y %H:%M:%S %p
BREAK_ONLY_BEFORE = \d+\/\d+\/\d+\s+\d+:\d+:\d+\s+(AM|PM)

Still the same issue; it only happens on 2 of the 5 DCs we have... strange.


Re: Windows Event Line Break

Path Finder

OK, this is now working!!! Thank you so much for your time and effort on this!!

I didn't realize there was a custom sourcetype on our indexers for the Windows security logs. Once I updated the sourcetype with the BREAK_ONLY_BEFORE statement, it works!!
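To make the two technical points of this thread concrete (the accepted answer's BREAK_ONLY_BEFORE regex versus a loose "break before a date" heuristic that a bare 10-digit number such as RecordNumber=1173295928 can fool, and why the TIME_FORMAT string matters), here is an added Python model. It is not Splunk's line-breaking code and is not from the original thread or its posters. The "loose" breaker only models the epoch-time hypothesis raised in the answer; the second 4624 event, the helper names and the sample input are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the first event is the one quoted in the original post (site
# values already redacted as XXX by the poster); the second 4624 event is made up here
# so the breaking logic has two genuine event boundaries to find.
RAW_LOG = """\
01/18/2013 11:45:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4634
EventType=0
Type=Information
ComputerName=XXXX
TaskCategory=Logoff
OpCode=Info
RecordNumber=1173295928
Keywords=Audit Success
Message=An account was logged off.
Subject:
Security ID: XXX
Account Name: XXX
Account Domain: XXX
Logon ID: XXX
Logon Type: 3
This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
01/18/2013 11:46:02 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
TaskCategory=Logon
RecordNumber=1173295929
Keywords=Audit Success
Message=An account was successfully logged on.
Logon Type: 3
"""

# The BREAK_ONLY_BEFORE regex from the accepted answer; Python needs no escaped slashes.
HEADER_RE = re.compile(r"^\d+/\d+/\d+\s+\d+:\d+:\d+\s+(AM|PM)")
# A bare 10-digit integer: the shape of a Unix epoch timestamp.
EPOCH_RE = re.compile(r"(?<!\d)\d{10}(?!\d)")


def break_events(raw, is_boundary):
    """Split raw text into events, starting a new event before every line for which
    is_boundary() is true (the first line always opens the first event)."""
    events, current = [], []
    for line in raw.splitlines():
        if current and is_boundary(line):
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def break_on_any_timestamp(raw):
    """Model of a loose 'break before a date' heuristic (the hypothesis raised in the
    thread, not Splunk's real algorithm): a line is a boundary if it starts with the
    event header OR carries a bare 10-digit number that could be read as epoch time."""
    return break_events(raw, lambda l: bool(HEADER_RE.match(l)) or bool(EPOCH_RE.search(l)))


def break_only_before_header(raw):
    """BREAK_ONLY_BEFORE behaviour: only the MM/DD/YYYY HH:MM:SS AM|PM header opens an event."""
    return break_events(raw, lambda l: bool(HEADER_RE.match(l)))


def epoch_guess(line):
    """What a 10-digit number on the line would mean if it were a Unix timestamp (UTC)."""
    m = EPOCH_RE.search(line)
    return datetime.fromtimestamp(int(m.group(0)), tz=timezone.utc) if m else None


def parse_header_time(header, fmt):
    """Parse the event header with a strptime format string (what TIME_FORMAT does)."""
    return datetime.strptime(header, fmt)


if __name__ == "__main__":
    for name, fn in (("loose timestamp heuristic", break_on_any_timestamp),
                     ("BREAK_ONLY_BEFORE header", break_only_before_header)):
        events = fn(RAW_LOG)
        print(f"{name}: {len(events)} event(s)")
        for e in events:
            print("   starts with:", e.splitlines()[0])
    print("RecordNumber read as epoch:", epoch_guess("RecordNumber=1173295928"))
    # %H silently ignores %p; %I is what makes AM/PM count for an afternoon header.
    for fmt in ("%m/%d/%Y %H:%M:%S %p", "%m/%d/%Y %I:%M:%S %p"):
        print(fmt, "->", parse_header_time("01/18/2013 11:45:55 PM", fmt).hour)
```

The loose breaker splits the sample into four fragments, two of them starting at a RecordNumber line, and 1173295928 read as epoch seconds is exactly the 07 Mar 2007 19:32:08 GMT that the answer asked about; the header-anchored regex yields the two real events. Whether a props.conf stanza applies at all depends on the sourcetype actually assigned to the data on the indexer, so the check that would have surfaced the custom sourcetype mentioned at the end of this thread is `splunk btool props list <sourcetype> --debug` on the indexer, which shows which file supplies each effective setting.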