Getting Data In

Windows Event Logs and automatic field extraction in a multilanguage environment.

ndcl
Path Finder

Hi base,
When I index Windows logs, the automated field extraction works great. When I have an environment with English, French and German Windows, parts of the events will also be localized. Here is one example:

Category=14339
CategoryString=Kerberos-Authentifizierungsdienst
EventCode=4768
EventIdentifier=4768
EventType=4
Logfile=Security
RecordNumber=690090
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20130627093000.056463-000
TimeWritten=20130627093000.056463-000
Type=Überwachung erfolgreich
User=NULL
ComputerName=XXX.xx.xx
wmi_type=WinEventLog:Security

Message=Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.

Kontoinformationen:
Kontoname: ResAdmin
Angegebener Bereichsname: XXX
Benutzer-ID: S-1-5-21-1582781344-2085187069

Dienstinformationen:
Dienstname: krbtgt
Dienst-ID: S-1-5-21-1582781344-2085187069

Netzwerkinformationen:
Clientadresse: ::1
Clientport: 0

Weitere Informationen:
Ticketoptionen: 0x40810010
Ergebniscode: 0x0
Ticketverschlüsselungstyp: 0x17
Typ vor der Authentifizierung: 2

The top of the event seems to be identical for every language, but at the bottom MS switches to the local language. This makes the creation of searches a little bit difficult. You have to use different field names for the same data for every localization. What is the best practice to get only English field names?

Thanks

0 Karma

michael_sanchez
Path Finder

Check this post from Adrian Hall. He advises using a lookup on all the objects where a translation is needed. The difficulty is to have a lookup file with all the fields translated into the target language. Maybe this file will be released soon by Splunk.

ndcl
Path Finder

First I thought this would help, but this solution translates the value of the field, not the field itself.
Thanks anyway...

0 Karma

FRoth
Contributor

Have you tried using regular expressions like this:

(?i)(?:Account Name|Kontoname):[\t]+(?P<account_name>[^\t]+)

You could set multiple indicator strings before the extraction by using (?:A|B).

0 Karma

FRoth
Contributor

I don't think so. That's mainly a Windows problem you're trying to solve. But there is a way to change the language in which the Windows source systems send their logs using the "wevtutil" utility if you are using Windows Event Log Forwarding (perhaps by group policy) - it's "wecutil ss SUBSCRIPTION_NAME /cf:RenderedText /l:en-US".
I don't know if there is perhaps a way to configure the forwarding to skip the XML rendering so that every incoming event is still raw XML and not yet rendered in a specific language.

0 Karma

ndcl
Path Finder

Yep, good approach, but if I did it like this it would look like this:

(?i)(?:AccountName|German|French|Spanish|Dutch|Chinese…):[\t]+(?P<account_name>[^\t]+)

Hard to handle, and what if I do not know which locales I have? The punctuation of the events looks similar in every language, so maybe there is a way to “overextract” the field names…

0 Karma
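The "overextract" idea above (use the event's structure instead of the localized labels) can be implemented outside Splunk as a reference for a custom extraction. The following is an added example, not code from this thread or from Splunk: it splits the rendered message into its blank-line-separated sections and maps the values positionally onto a hypothetical English schema for EventCode 4768 (SCHEMA_4768 and the field names are my assumption, as is the premise that Microsoft keeps the section and field order the same in every localization).

```python
import re
# Constructed sample: the German EventCode 4768 message quoted in the question above.
SAMPLE_DE = """Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.

Kontoinformationen:
Kontoname: ResAdmin
Angegebener Bereichsname: XXX
Benutzer-ID: S-1-5-21-1582781344-2085187069

Dienstinformationen:
Dienstname: krbtgt
Dienst-ID: S-1-5-21-1582781344-2085187069

Netzwerkinformationen:
Clientadresse: ::1
Clientport: 0

Weitere Informationen:
Ticketoptionen: 0x40810010
Ergebniscode: 0x0
Ticketverschlüsselungstyp: 0x17
Typ vor der Authentifizierung: 2
"""

# Hypothetical per-EventCode schema: English names in the order values appear per section.
SCHEMA_4768 = [
    ["account_name", "supplied_realm_name", "user_id"],
    ["service_name", "service_id"],
    ["client_address", "client_port"],
    ["ticket_options", "result_code", "ticket_encryption_type", "pre_authentication_type"],
]

def parse_sections(message):
    """Group the values of 'Label: value' lines by section without reading the localized labels.
    Sections are blank-line separated blocks whose first line ends in ':'; the free-text
    description block is skipped; a field with no value yields '' so positions stay stable."""
    sections = []
    for block in re.split(r"\n\s*\n", message.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].endswith(":"):
            continue
        sections.append([ln.partition(":")[2].strip() for ln in lines[1:]])
    return sections

def extract_fields(message, schema):
    """Map values positionally onto English names; surplus sections or values are ignored."""
    fields = {}
    for names, values in zip(schema, parse_sections(message)):
        fields.update(zip(names, values))
    return fields
```

A check that the values used in searches (account name, client address, result code) come out identically for any locale, so the same SPL works against English, French and German collectors.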