I'm trying to perform a seemingly simple task, which is to search for failed logins in my AD environment. Here's the search I used, found in another Answer;
source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
Great! I found some failed logins. Now I want specific information out of this event which is the "Account Name" of the user who's having a problem. Ewwww, but with Microsoft's lovely log format, they so graciously supply TWO "Account Name" fields with the same name;
11/15/10 03:41:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=SERVERNAME.DOMAIN.NAME
TaskCategory=Logon
OpCode=Info
RecordNumber=30965331
Keywords=Audit Failure
Message=An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: SERVERNAME$ <-- 1st occurrence
Account Domain: DOMAIN
Logon ID: 0x3e7
Logon Type: 8
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: username <-- 2nd occurrence
Account Domain: domain.name
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x1a40
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: SERVERNAME
Source Network Address: 11.22.33.44
Source Port: 2453
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
<snip>
I want that second occurrence of "Account Name" (which holds username). Now you may already be thinking, hey buddy this question has been asked before -- go search because the answers out there (one, two) are to use "| eval newVar=mvindex(Account_Name,1)"...
...but hear me out. It's not behaving as expected.
So I adjust my search to store the 2nd occurrence of "Account Name" in a new variable and dump them into a table;
source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| eval newVar=mvindex(Account_Name,1)
| table Account_Name newVar
Here's the problem: this results in;
SERVERNAME$ <blank>
I can't get the value of the 2nd occurrence. Reading the documentation on Parse Fields With Multiple Values doesn't shed any light on my problem.
So I tried grabbing the last value, "newVar=mvindex(Account_Name,-1)", but that outputs blank as well. So I start to question whether mvindex is doing anything at all... but the strange thing is that "newVar=mvindex(Account_Name,0)" seems to store/retrieve just fine, despite it not being the data I want.
Can someone point me in the right direction? Thanks in advance.
Running 4.1.5 Linux x86_64
source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<Wanted_Account>\V+)"
| table _time Account_Name Wanted_Account ComputerName Failure_Reason src_ip Workstation_Name
How are you extracting the Account_Name field(s)?
What does this return?
source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND
EventCode<="549") hoursago="4"
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)"
| eval Wanted_Account=mvindex(Account_Name,1)
| table Wanted_Account
An option is to extract the Account name after the occurrence of "Account For Which Logon Failed":
source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND
EventCode<="549") hoursago="4"
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<wanted_account>\V+)"
| table wanted_account
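As an added illustration (not from the thread and not Splunk's own code), this Python script mirrors the rex approaches above on the 4625 event text quoted in the question: a single-match extraction yields a one-element list, so index 1 is null exactly as the asker saw, while max_match=99 or the anchored regex returns the account that actually failed. Python's re module has no \V, so [^\r\n]+ stands in for it.

```python
import re

# Constructed sample: the 4625 event body quoted in the question, with the
# "<-- occurrence" annotations removed. In Splunk this text is the _raw field.
RAW_4625 = """Message=An account failed to log on.
Subject:
Security ID: S-1-5-18
Account Name: SERVERNAME$
Account Domain: DOMAIN
Logon ID: 0x3e7
Logon Type: 8
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: username
Account Domain: domain.name
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Network Information:
Workstation Name: SERVERNAME
Source Network Address: 11.22.33.44
"""

# Same pattern as the `rex field=_raw max_match=99` answer.
ACCOUNT_NAME = re.compile(r"Account Name:\s+(\w+\$?)")
# Same pattern as the anchored answer; [^\r\n]+ replaces \V, which Python lacks.
AFTER_ANCHOR = re.compile(
    r"(?ms)Account For Which Logon Failed.+?Account Name:\s+([^\r\n]+)")


def mvindex(values, index):
    """Mimic Splunk mvindex(): an out-of-range index yields null (None), not an error."""
    try:
        return values[index]
    except IndexError:
        return None


def extract_account_names(raw, max_match=1):
    """Mimic `rex max_match=N`. The default max_match=1 keeps only the first
    occurrence (SERVERNAME$), which is why mvindex(Account_Name, 1) was blank."""
    return [m.group(1) for m in ACCOUNT_NAME.finditer(raw)][:max_match]


def failed_account_after_anchor(raw):
    """Mimic the anchored rex: the first Account Name after the
    'Account For Which Logon Failed' header, however many precede it."""
    m = AFTER_ANCHOR.search(raw)
    return m.group(1) if m else None
```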
How do I combine this with the "User_Name" field from the Windows 2003 "529" events? I want to create a top 10 count by the UserName + Account_Name
your query is working now. edit to remove the stray in EventCo`de<="537"
I've forgot to add the multiline and dot-all flag to the regex. I've edited the search expression above.
wanted_account in the Results Table returns blank for this query.
Account_Name in the Events Table/View shows the 1st occurrence which typically is "-" or SERVERNAME$
Am I correct in my understanding that in the Events view/table you cannot display custom/new variables? Those will only display in the Results view/table?
When you show Account_Name as an enabled field in the Event Viewer, do you get multiple occurrences of Account_Name or just 1 occurrence with the value being the 1st extraction (SERVERNAME$)?
thank you bwooden! your rex helped.
added results of your query to the original post. sure wish there was a code tag function in comments. thanks for your help so far.