Greetings,
We've been having an issue extracting a few fields in the following event specifically. This Windows event has the Message field containing the desired fields; the values for those desired fields, however, are separated by carriage returns and evade the built-in extraction tools as well as erex.
Full Event as it exists raw:
11/01/2013 02:23:15 PM
LogName=Directory Service
SourceName=Microsoft-Windows-ActiveDirectory_DomainService
EventCode=2889
EventType=4
Type=Information
ComputerName=*******
User=*****
Sid=***
SidType=*
TaskCategory=LDAP Interface
OpCode=None
RecordNumber=******
Keywords=Classic
Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.
Client IP address:
IPADDRESS:PORT
Identity the client attempted to authenticate as:
Domain\Username
The particular values we wish to extract:
Client IP address:
IPADDRESS:PORT
Identity the client attempted to authenticate as:
Domain\Username
The built-in utilities actually skip the 2 fields and only display the data up to the first carriage return between the message statement and "Client IP address:"; this may be why it also breaks erex, as the built-in extractor does not even see the data to attempt to learn the extraction.
Additionally, we have tried a few props/transforms that I've seen floating around here to aid in extracting values out of the Windows Message field, but those seem to have no effect either on these 2 data fields with the carriage return.
Thanks!
Brandon
Added for Luke below:
Sure thing, here it is right off that raw search, with various items redacted to make our security guy happy.
11/14/2013 11:35:11 AM LogName=Directory Service SourceName=Microsoft-Windows-ActiveDirectory_DomainService EventCode=2889 EventType=4 Type=Information ComputerName#### User=#### Sid#### SidType=5 TaskCategory=LDAP Interface OpCode=None RecordNumber=1681746 Keywords=Classic Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection. Client IP address: ####:#### Identity the client attempted to authenticate as: #### \ ####
Try this:
EventCode=2889 |rex field=_raw ".*Client\sIP\saddress:\s+(?<ClientIPAddressPort>.*)\r\n" | rex field=_raw ".*authenticate\sas:\s+(?<DomainUsername>.*)\r\n"
"Windows events message field extraction" is a much better title. I thought you were going to discuss the meanings of the fields themselves with your current title "Windows events message field"
I know this is a really old post, but this is exactly what I think I need to do. I am too much of a noob to follow this. Are you still out there?
Specifically, I want to search for Windows Security 4776 success events and deduplicate the list based on the value in the "Logon Account: UserX" string within the event's Message field. So I think I need to extract the "Logon Account: UserX" string so the field is "Logon Account:" and the dedup is applied to the value of that field.
Figured it out, it was just the trailing \r\n on the last extract; removed those and it works like a charm, has both fields completely extracted!
Thanks luke!
Brandon
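Added example, not code from the thread: the two rex patterns from Luke's answer translated to Python's re, run against a constructed 2889 event that keeps the CRLF line breaks and, like the real event, has no trailing "\r\n" after the last field. It shows why the original DomainUsername extraction came up empty and why dropping the trailing "\r\n" fixes it. Python's re (and PCRE with its default LF newline convention) stops "." only at "\n", so a greedy ".*" also swallows the "\r" of a CRLF pair; the labelled_value helper is my own generalisation that captures up to either CR or LF instead, and dedup_events applies it to the 4776 "Logon Account" request from the later comment. The sample events, the 10.0.0.25:49152 / CORP\jdoe values and the helper names are all constructed here; the field names ClientIPAddressPort and DomainUsername come from the answer.

```python
import re

# Constructed sample event modelled on the redacted 2889 event in the question.
# The message body keeps the CRLF line breaks that defeat the built-in extraction,
# and there is deliberately no trailing "\r\n" after the last field.
RAW_EVENT_2889 = (
    "11/01/2013 02:23:15 PM\r\n"
    "LogName=Directory Service\r\n"
    "SourceName=Microsoft-Windows-ActiveDirectory_DomainService\r\n"
    "EventCode=2889\r\n"
    "TaskCategory=LDAP Interface\r\n"
    "Message=The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) "
    "LDAP bind without requesting signing (integrity verification), or performed a "
    "simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.\r\n"
    "Client IP address:\r\n"
    "10.0.0.25:49152\r\n"
    "Identity the client attempted to authenticate as:\r\n"
    "CORP\\jdoe"
)

# The two rex patterns from the answer, in Python's (?P<name>...) group syntax.
# Both insist on a "\r\n" after the captured value.
ORIGINAL_PATTERNS = {
    "ClientIPAddressPort": r".*Client\sIP\saddress:\s+(?P<ClientIPAddressPort>.*)\r\n",
    "DomainUsername": r".*authenticate\sas:\s+(?P<DomainUsername>.*)\r\n",
}

# Brandon's fix: drop the trailing "\r\n" so the final line of the event can match.
FIXED_PATTERNS = {
    "ClientIPAddressPort": r".*Client\sIP\saddress:\s+(?P<ClientIPAddressPort>.*)",
    "DomainUsername": r".*authenticate\sas:\s+(?P<DomainUsername>.*)",
}


def extract_fields(raw, patterns):
    """Run each pattern the way rex does ('.' stops at '\\n', no DOTALL) and
    return the raw captures; a pattern that does not match yields no field."""
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, raw)
        if match:
            fields[name] = match.group(name)
    return fields


def labelled_value(raw, label):
    """General form (my addition): capture the text after "<label>:" up to the
    next CR or LF. The negated class stops before a stray '\\r' that a greedy
    '.*' would swallow, and needs no trailing anchor, so it also works on the
    last line of an event."""
    pattern = re.escape(label) + r":\s+(?P<value>[^\r\n]+)"
    match = re.search(pattern, raw)
    return match.group("value") if match else None


# Constructed 4776 events; only the "Logon Account" line matters here.
RAW_EVENTS_4776 = [
    "EventCode=4776\r\nMessage=The computer attempted to validate the credentials "
    "for an account.\r\nLogon Account: jdoe\r\nSource Workstation: WS01",
    "EventCode=4776\r\nMessage=The computer attempted to validate the credentials "
    "for an account.\r\nLogon Account: asmith\r\nSource Workstation: WS02",
    "EventCode=4776\r\nMessage=The computer attempted to validate the credentials "
    "for an account.\r\nLogon Account: jdoe\r\nSource Workstation: WS03",
    # An event without the field is dropped, matching dedup's default behaviour
    # of discarding events where the field is null.
    "EventCode=4776\r\nMessage=The computer attempted to validate the credentials "
    "for an account.\r\nSource Workstation: WS04",
]


def dedup_events(events, label):
    """Keep the first event for each distinct value of the labelled field,
    the way `dedup <field>` in SPL keeps the first event per value."""
    seen = set()
    kept = []
    for raw in events:
        value = labelled_value(raw, label)
        if value is None or value in seen:
            continue
        seen.add(value)
        kept.append(raw)
    return kept


if __name__ == "__main__":
    print(extract_fields(RAW_EVENT_2889, ORIGINAL_PATTERNS))
    print(extract_fields(RAW_EVENT_2889, FIXED_PATTERNS))
    print(labelled_value(RAW_EVENT_2889, "Client IP address"))
    print(labelled_value(RAW_EVENT_2889, "Identity the client attempted to authenticate as"))
    print(len(dedup_events(RAW_EVENTS_4776, "Logon Account")))
```

Running it shows the original patterns returning only ClientIPAddressPort, the fixed patterns returning both fields (with the IP value still carrying the "\r" that the greedy ".*" picked up), and labelled_value returning both values cleanly; dedup_events collapses the three 4776 events with a Logon Account down to two.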
That should be working. \s stands for space. + means one or more.
Sweet, that got the IP:port working; the Domain\username still isn't showing up though. Just realized my raw snippet above removed the \ on that, so it's "attempted to authenticate as: DOMAIN\username" (with a space before DOMAIN).
Carriage returns don't affect the automatic extraction for any of my Windows Message fields, but I can't test this specific event. Can you post the _raw data for one such event?
EventCode=2889 | dedup EventCode | table _raw