Getting Data In

Windows Events Message field

be910j
Path Finder

Greetings,
We've been having an issue extracting a few fields in the following event specifically. This Windows event has the Message field containing the desired fields; the values for those desired fields, however, are carriage-returned and evade the built-in extraction tools as well as erex.

Full Event as it exists raw:

11/01/2013 02:23:15 PM
LogName=Directory Service
SourceName=Microsoft-Windows-ActiveDirectory_DomainService
EventCode=2889
EventType=4
Type=Information
ComputerName=*******
User=*****
Sid=***
SidType=*
TaskCategory=LDAP Interface
OpCode=None
RecordNumber=******
Keywords=Classic
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
IPADDRESS:PORT
Identity the client attempted to authenticate as:
Domain\Username

The particular values we wish to extract:

Client IP address:
IPADDRESS:PORT
Identity the client attempted to authenticate as:
Domain\Username


The built-in utilities actually skip the 2 fields and only display the data up to the first carriage return between the message statement and "Client IP address:". This may be why it also breaks erex, as the built-in extractor just does not even see the data to attempt to learn the extraction.

Additionally, we have tried a few props/transforms that I've seen floating around here to aid in extracting values out of the Windows Message field, but those seem to have no effect either on these 2 data fields with the carriage return.

Thanks!
Brandon


Added for luke below:
Sure thing, here it is right off that raw search, with various items redacted to make our security guy happy.

11/14/2013 11:35:11 AM LogName=Directory Service SourceName=Microsoft-Windows-ActiveDirectory_DomainService EventCode=2889 EventType=4 Type=Information ComputerName#### User=#### Sid#### SidType=5 TaskCategory=LDAP Interface OpCode=None RecordNumber=1681746 Keywords=Classic Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: ####:#### Identity the client attempted to authenticate as: #### \ ####

1 Solution

lukejadamec
Super Champion

Try this:

EventCode=2889 |rex field=_raw ".*Client\sIP\saddress:\s+(?<ClientIPAddressPort>.*)\r\n" | rex field=_raw ".*authenticate\sas:\s+(?<DomainUsername>.*)\r\n" 


landen99
Motivator

"Windows events message field extraction" is a much better title. I thought you were going to discuss the meanings of the fields themselves with your current title "Windows events message field"


buskeyl
New Member

I know this is a really old post, but this is exactly what I think I need to do. I am too much of a noob to follow this. Are you still out there?

Specifically, I want to search for Windows Security 4776 success events and deduplicate the list based on the value in the "Logon Account:  UserX" string within the event's Message field. So I think I need to extract the "Logon Account: UserX" string so the field is Logon Account: and the dedup is applied to the value of that field.


be910j
Path Finder

Figured it out: it was just the trailing \r\n on the last extract. Removed those and it works like a charm, with both fields completely extracted!
Thanks luke!
Brandon

lukejadamec
Super Champion

That should be working. \s stands for space. + means one or more.


be910j
Path Finder

Sweet, that got the IP:port working; the Domain\username still isn't showing up though. Just realized my raw snippet above removed the \ on that, so it's "attempted to authenticate as:" space DOMAIN\username


lukejadamec
Super Champion

Carriage returns don't affect the automatic extraction for any of my Windows Message fields, but I can't test this specific event. Can you post the _raw data for one such event?
EventCode=2889 | dedup EventCode | table _raw
