- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Field extrations from XmlWinEventLog
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field extrations from XmlWinEventLog
Hi,
I've been trying to find a good solution to extract fields from some XML windows event logs.
For instance sourcetype="xmlwineventlog:microsoft-windows-base-filtering-engine-connections/operational"
A record from this might look like this:
<?xml version="1.0"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Base-Filtering-Engine-Connections" Guid="{guid removed}"/>
<EventID>2001</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-11T08:31:38.735136100Z"/>
<EventRecordID>1173869</EventRecordID>
<Correlation/>
<Execution ProcessID="1152" ThreadID="9924"/>
<Channel>Microsoft-Windows-Base-Filtering-Engine-Connections/Operational</Channel>
<Computer>hostname.removed</Computer>
<Security UserID="removed"/>
</System>
<EventData>
<Data Name="ConnectionId">13138485797994339311</Data>
<Data Name="MachineAuthenticationMethod">4</Data>
<Data Name="RemoteMachineAccount">remote, machine, account, removed</Data>
<Data Name="UserAuthenticationMethod">5</Data>
<Data Name="RemoteUserAcount">domain\user</Data>
<Data Name="RemoteIPAddress">IPv6addr removed</Data>
<Data Name="LocalIPAddress">local IPv6addr removed</Data>
<Data Name="TechnologyProviderKey">{1BEBC969-61A5-4732-A177-847A0817862A}</Data>
<Data Name="IPsecTrafficMode">1</Data>
<Data Name="BytesTransferredInbound">10128</Data>
<Data Name="BytesTransferredOutbound">10528</Data>
<Data Name="BytesTransferredTotal">20656</Data>
<Data Name="StartTime">2017-05-11T08:30:03.155Z</Data>
<Data Name="CloseTime">2017-05-11T08:31:38.724Z</Data>
</EventData>
</Event>
In this case it is the <Data name="whatever">blah>/Data> fields that are most interesting to extract.
I've tried KV_MODE=xml, but that does not parse anything, neither does xmlkv, which perhaps isn't a surprise.
So any suggestions on the easiest way to parse this? I'd prefer not to have to manually define the fields, since there are several different sourcetypes I need to do this for.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you find any solution to this? I'm using the TA for Windows, which collects XmlWinEventLog with renderXml=true and does a lot of report stuff in props.conf, but still there are no field extractions on the searh head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might try renderXml=true in your inputs.conf file beneath the stanza for that sourcetype, under the app you're working with.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I forgot to mention that .
I have renderXML=true in the inputs. So I get the XML data, just looking for the best way to extract all the fields automatically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, the Splunk Add on for Windows contains field extractions for Windows-based XML logs in both the props and transforms. Are you using this app? https://splunkbase.splunk.com/app/742/
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
