How can I tag Windows system accounts?

New Member

I want to be able to tag Windows system accounts, but it doesn't seem to be working correctly in 5.0 and 5.0.1, installed on Linux. I have Windows machines with Splunk forwarders on them, and they are recording events that have the following users:

  • ANONYMOUS LOGON
  • LOCAL SERVICE
  • NETWORK SERVICE
  • MYCOMPUTERNAME$

I can create tags for them, but because they have spaces and dollar signs in their name, they show on the Tags Manager pages with the URI-encoded equivalent, so that spaces become %20 and the dollar sign is %24. When I try to modify the key/value pair or change its permissions from, for example, "List by field value pair" page, I get a 404 with the message:

  • Splunk cannot find "saved/fvtags/user=ANONYMOUS%20LOGON".
Re: How can I tag Windows system accounts?

Builder

Not tested - but Splunk usually likes field names with spaces in them to be represented within a set of quotes? "ANON LOGON".
Edit - you have seen ANONYMOUS LOGON in a log coming through? I ask because the standard convention for Windows is ANONYMOUS on its own. Logon is a separate field?

Re: How can I tag Windows system accounts?

New Member

Well, that's fine, but I created the tags via the pull-down on the "user" selected field. However, I did manually add them with quotes, as you suggest, via the Tags Manager, but they don't seem to get tagged in results.

Re: How can I tag Windows system accounts?

Builder

Tag names don't have quotes, nor spaces. If you really want the tag name to be similar to that, then use ANONYMOUS_LOGON as its name. The field/value pair would be user="ANONYMOUS" etc.?

Re: How can I tag Windows system accounts?

Builder

Try this (sorry - a bit slow tonight). Create a new tag with name of ANON_LOGON, add field value pair of user="ANONYMOUS" and another value of action="login attempt".
If that fails, try running the search manually. My test was: user="admin" action="login attempt" | top user host source sourcetype | fields - percent
But I was using "admin" because I know I have those and no anons in the indexes.
You may also need to create more values for user="anonymous" OR user="ANONYMOUS"

Re: How can I tag Windows system accounts?

New Member

No, I don't want the above to be tag names, those are the usernames that Windows uses. Search on user="NETWORK SERVICE" if you have a Windows client. I have several coming from the Security Eventlog. Make user a selected field, pull down "Tag user=NETWORK SERVICE", put in "foo" for tag name, then go to Manager » Tags » List by field value pair then select user=NETWORK%20SERVICE and you will get a 404.

Re: How can I tag Windows system accounts?

Builder

ja_s... I understand re Security Eventlog. I ran it (on 4.3) and did not have any errors. My v5 lab is down at the mo'... will try there. tag::user="foo" at the search line worked as well.

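One way to attach the tag to these accounts without going through the Tags Manager page that returns the 404 is to write the field/value stanzas into tags.conf directly. This is an added example, not from the thread or from Splunk's docs; it assumes the stanza name takes the literal, unencoded field value, and the tag name system_account and the app path are made up.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/tags.conf  (path is an assumption)
# Stanza form is [<field>=<value>]; the value is written literally, spaces and
# the trailing $ included, not percent-encoded as the Tags Manager displays it.
[user=ANONYMOUS LOGON]
system_account = enabled

[user=LOCAL SERVICE]
system_account = enabled

[user=NETWORK SERVICE]
system_account = enabled

# Machine account from the question; substitute your host's actual name.
[user=MYCOMPUTERNAME$]
system_account = enabled

# Once Splunk has reloaded the configuration, search on the tag instead of
# the raw values, e.g.:  tag::user=system_account sourcetype=WinEventLog:Security
```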