Getting Data In

Windows Security Log Formatting

Engager

I'm looking to create a view of the number of user accounts that have been created in the domain in the past 24 hours. Here is my query, and my timeframe is last 24hrs.

sourcetype="WinEventLog:Security" AND EventCode=4720

The view that comes back is very abbreviated, I have to click show all 50 lines to get at the info I need. What I would like to see is the date, time, server, the user who created the account, and the created account name. This is trivial for me to do in powershell, but I'd like to have a nice dashboard that shows this for more users than just myself.

0 Karma

Communicator
sourcetype="WinEventLog:Security" AND EventCode=4720 | eval AccountCreator=mvindex(Account_Name,0) | eval AccountCreated=mvindex(Account_Name,1)| table _time, host, AccountCreator, AccountCreated

The mvindex command will pull the values out for you into a new field name you create.

Explorer

this was driving me crazy. thanks!

Communicator

Your question gave me the excuse to actually reprogram one of my dashes to correctly view authentications on a windows NPS server.

0 Karma

Engager

That is pretty awesome thanks! I also spoke with Darryl Burns from Splunk and his solution was to pipe the query through xmlkv, this maps out the underlying XML from Windows so Splunk can see those sub fields.

sourcetype="WinEventLog:Security" AND EventCode=4720| xmlkv

But I really like how you laid that out in table format!

0 Karma

Engager

Here is where I went.
http://regexhero.net/tester/

0 Karma

Engager

So I went to an online regex checker, pasted in the contents of the event, and just typed in SAM Account Name: as the search, and that worked.

0 Karma

Engager

Account Name is, but with this particular event there are multiples of that, the first one is the account name used to create the second account name 😉 so, I would like pull in SAM Account Name, that doesn't appear to be a thing.

0 Karma

Legend

Right. You might need to learn some regex-fu in order to be able to tell Splunk how to recognize your fields properly. For Windows event logs though, there's a bunch of extractions already in there that should be applied. Such as Account_Name for instance.

0 Karma

Engager

I think what I want is to do field extraction, and ideally I would like to extract SAM Account Name, but when I do that in the field extraction page, it tells me that, "No regex could be learned. Try providing different examples or restriction"

0 Karma

Engager

That sounds right, but when I try to do that, it doesn't work, or more likely I don't know what I'm doing wrong. How would I do that?

0 Karma

Legend

You can grab whatever fields you want to see and create a table of that. Is that what you want?

0 Karma

Engager

Sorry it's been so long since I've gotten back to this, but here is an example of what this event looks like.

http://social.technet.microsoft.com/wiki/contents/articles/17055.event-ids-when-a-new-user-account-i...

4720 is the first example and you can see how it looks, when I click show the next 50 lines, basically that is what I see. I'm trying to extract just the pertinent information that I specified in the original post.

Thanks,

0 Karma

Ultra Champion

That's weird. Normally Windows events are extracted nicely. Is it not extracted at all or is it a multivalued field (i.e. there are two fields in _raw that are called "Account Name" or something similar)?

Please update your original question with a sample event. mask ip-addresses, hostnames etc as needed.

0 Karma

Engager

correct. its also not formatted terribly well either...sigh

0 Karma

Ultra Champion

Sorry, I don't use eventviewer much. Do you mean that the information you want is not being extracted into fields?

0 Karma

Engager

I get that, but I think the disconnect is that field1-3 only appear to live in the _raw data of the event. If you open up an event in the eventviewer, this is the data contained in the window that describes the event, such as a new user was created...does that make sense?

0 Karma

Ultra Champion

you are aware of the table search command?

sourcetype=WinEventLog:Security EventCode=4720 | table _time host field1 field2 field3

The AND is implicated, and not needed in the search.

/K

0 Karma