
Windows Event Logs and auto field extraction in a multilanguage environment.

ndcl
Path Finder

Hi base,
When I index Windows logs, the automated field extraction works great. When I have an environment with English, French and German Windows, parts of the events are also localized. Here is one example:

Category=14339

CategoryString=Kerberos-Authentifizierungsdienst

EventCode=4768

EventIdentifier=4768

EventType=4

Logfile=Security

RecordNumber=690090

SourceName=Microsoft-Windows-Security-Auditing

TimeGenerated=20130627093000.056463-000

TimeWritten=20130627093000.056463-000

Type=Überwachung erfolgreich

User=NULL

ComputerName=XXX.xx.xx

wmi_type=WinEventLog:Security

Message=Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.

Kontoinformationen:
Kontoname: ResAdmin
Angegebener Bereichsname: XXX
Benutzer-ID: S-1-5-21-1582781344-2085187069

Dienstinformationen:
Dienstname: krbtgt
Dienst-ID: S-1-5-21-1582781344-2085187069

Netzwerkinformationen:
Clientadresse: ::1
Clientport: 0

Weitere Informationen:
Ticketoptionen: 0x40810010
Ergebniscode: 0x0
Ticketverschlüsselungstyp: 0x17
Typ vor der Authentifizierung: 2

The top of the event seems to be identical for every language, but at the bottom MS switches to the local language. This makes the creation of searches a little bit difficult: you have to use different field names for the same data for every localization. What is the best practice to get only English field names?

Thanks

0 Karma

michael_sanchez
Path Finder

Check this post from Adrian Hall. He advises using a lookup on all the objects where a translation is needed. The difficulty is to have a lookup file with all the fields translated into the target language. Maybe this file will be released soon by Splunk.

ndcl
Path Finder

First I thought this would help, but this solution translates the value of the field, not the field itself.
Thanks anyway...

0 Karma

FRoth
Contributor

Have you tried using regular expressions like this:

(?i)(?:Account Name|Kontoname):[\t]+(?P<account_name>[^\t]+)

You could set multiple indicator strings before the extraction by using (?:A|B).

0 Karma

FRoth
Contributor

I don't think so. That's mainly a Windows problem you're trying to solve. But there is a way to change the language in which the Windows source systems send their logs using the "wevtutil" utility if you are using Windows Eventlog Forwarding (perhaps by group policy) - it's "wecutil ss SUBSCRIPTION_NAME /cf:RenderedText /l:en-US".
I don't know if there is perhaps a way to configure the forwarding to skip the XML rendering so that every incoming event is still raw XML and not yet rendered in a specific language.

0 Karma

ndcl
Path Finder

Yep, good approach, but if I did it like this it would look like this:

(?i)(?:AccountName|German|Frensh|Spain|Nederlands|Chineese…):[\t]+(?P<account_name>[^\t]+)

Hard to handle, and what if I do not know which locales I have? The punctuation of the events looks similar in every language, so maybe there is a way to “overextract” the field names…

0 Karma
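The two ideas in this thread, extracting every "label: value" line by structure regardless of language and then mapping the localized labels to English names through a lookup, combined in an added Python example that is not from any of the posters. The lookup contents and the two tab-indented sample messages (event 4768 in German as shown above, and its English counterpart) are constructed for the example.

```python
import re

# Localized labels -> one English field name. Constructed for this example; a real
# deployment would maintain this as a lookup covering every locale actually in use.
LABEL_MAP = {
    "Account Name": "account_name", "Kontoname": "account_name",
    "Supplied Realm Name": "supplied_realm", "Angegebener Bereichsname": "supplied_realm",
    "Client Address": "client_address", "Clientadresse": "client_address",
    "Result Code": "result_code", "Ergebniscode": "result_code",
    "Ticket Encryption Type": "ticket_encryption_type",
    "Ticketverschlüsselungstyp": "ticket_encryption_type",
}

# Structural pattern: an indented "label:<whitespace>value" line. Section headers
# such as "Kontoinformationen:" carry no value and therefore do not match.
KV_LINE = re.compile(r"^[ \t]*([^:\t]+):[ \t]+(\S.*)$")

def extract_fields(message):
    # Over-extract every label/value line, then normalise known labels to English.
    # Labels missing from LABEL_MAP are kept verbatim so nothing is silently dropped.
    fields = {}
    for line in message.splitlines():
        m = KV_LINE.match(line)
        if m:
            label, value = m.group(1).strip(), m.group(2).strip()
            fields[LABEL_MAP.get(label, label)] = value
    return fields

def alternation_regex(field):
    # Build the (?:A|B) style extraction FRoth suggests from the same lookup.
    # [^\t\r\n]+ stops at the line end, which a bare [^\t]+ would not.
    labels = sorted(l for l, f in LABEL_MAP.items() if f == field)
    alt = "|".join(re.escape(l) for l in labels)
    return re.compile(r"(?i)(?:%s):[ \t]+(?P<%s>[^\t\r\n]+)" % (alt, field))

# Constructed sample message bodies, tab-indented as Windows writes them.
GERMAN = (
    "Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.\n\n"
    "Kontoinformationen:\n\tKontoname:\t\tResAdmin\n"
    "\tAngegebener Bereichsname:\tXXX\n"
    "Netzwerkinformationen:\n\tClientadresse:\t\t::1\n"
    "Weitere Informationen:\n\tTicketoptionen:\t\t0x40810010\n"
    "\tErgebniscode:\t\t0x0\n\tTicketverschlüsselungstyp:\t0x17\n"
)
ENGLISH = (
    "A Kerberos authentication ticket (TGT) was requested.\n\n"
    "Account Information:\n\tAccount Name:\t\tResAdmin\n"
    "Network Information:\n\tClient Address:\t\t::1\n"
    "Additional Information:\n\tResult Code:\t\t0x0\n"
)
```

Running `extract_fields(GERMAN)` yields English keys for every mapped label and keeps the unmapped `Ticketoptionen` under its German name, which is what the "overextract" approach gives you before the lookup is complete.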