Splunk Search

Filtering WinEventLog:Security

denisevw
Path Finder

Good day

I read a few answers on WinEventLog:Security filtering, but they do not cover what I'm looking for.

I need to filter out event codes but only the ones that contain an Account_Name: Local Service entry.

The regex that I'm using in transforms.conf on the Indexers does not work:

props.conf
[WinEventLog:Security]
TRANSFORMS-evtlog = eventnull
TRANSFORMS-wfevtlog = wfeventnull

transforms.conf
[eventnull]
REGEX=(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))
DEST_KEY=queue
FORMAT=nullQueue

[wfeventnull]
REGEX=(?m)^EventCode=(5152|5156|5157|5158)
DEST_KEY=queue
FORMAT=nullQueue

Here is an example of the event I'm trying to filter out:
05/18/2014 10:11:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=server.domain.local
TaskCategory=File System
OpCode=Info
RecordNumber=123456789
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Object:
Object Server: Security
Object Type: File
Object Name: \Device\Udp6
Handle ID: 0xc930

Process Information:
Process ID: 0x1ac
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
Execute/Traverse
ReadAttributes
Access Reasons: -
Access Mask: 0x1200a0
Privileges Used for Access Check: -
Restricted SID Count: 0

0 Karma
1 Solution

lukejadamec
Super Champion

I've seen similar things with Account name extractions... Believe it or not, Account Name is not the start of a line, so you need to remove the ^.

Test the regex in the search bar, and if you want to see the structure, look at the event punctuation, I think.

(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))

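To see why that anchor matters, here is an added Python example (not from the original post and not Splunk code) that replays the two regexes against constructed events laid out like the one in the question. The tab indentation in front of the Subject and Object fields is an assumption: Windows writes it into the message text, and the forum rendering above dropped it. The account names, SIDs and the `route` helper are illustrative assumptions as well.

```python
import re

# Regex as posted in the question: the second ^ anchors "Account Name" to
# the start of a line, which the indented Windows layout never satisfies.
ORIGINAL_REGEX = (
    r"(?m)^EventCode=(560|562|4656|4658|4663)"
    r"[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))"
)
# Regex from the accepted answer: identical except the second ^ is gone.
FIXED_REGEX = (
    r"(?m)^EventCode=(560|562|4656|4658|4663)"
    r"[\s\S]+?Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))"
)


def make_event(code, security_id, account_name, domain):
    """Constructed event in the layout shown in the question. The tab
    indentation of the Subject/Object fields is an assumption: Windows
    writes it, the forum rendering dropped it."""
    return (
        "05/18/2014 10:11:31 PM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=server.domain.local\n"
        "Keywords=Audit Success\n"
        "Message=A handle to an object was requested.\n"
        "\n"
        "Subject:\n"
        f"\tSecurity ID:\t\t{security_id}\n"
        f"\tAccount Name:\t\t{account_name}\n"
        f"\tAccount Domain:\t\t{domain}\n"
        "\tLogon ID:\t\t0x3e5\n"
        "\n"
        "Object:\n"
        "\tObject Server:\tSecurity\n"
        "\tObject Name:\t\\Device\\Udp6\n"
    )


# Constructed test set: two events the question wants dropped (LOCAL SERVICE
# and a machine account ending in $), two it wants kept (a user, and a
# LOCAL SERVICE event whose EventCode is not in the list).
EVENTS = {
    "local_service": make_event(4656, "NT AUTHORITY\\LOCAL SERVICE", "LOCAL SERVICE", "NT AUTHORITY"),
    "machine_account": make_event(4663, "S-1-5-21-1-2-3-1001", "SERVER01$", "DOMAIN"),
    "interactive_user": make_event(4656, "S-1-5-21-1-2-3-1105", "jdoe", "DOMAIN"),
    "other_event_code": make_event(4624, "NT AUTHORITY\\LOCAL SERVICE", "LOCAL SERVICE", "NT AUTHORITY"),
}


def route(raw_event, regex):
    """Mimic a transforms.conf stanza with DEST_KEY=queue and
    FORMAT=nullQueue: an event whose raw text matches REGEX is discarded,
    everything else continues to the index queue."""
    return "nullQueue" if re.search(regex, raw_event) else "indexQueue"


def route_all(regex):
    """Route every constructed event through one regex."""
    return {name: route(raw, regex) for name, raw in EVENTS.items()}


if __name__ == "__main__":
    for label, regex in (("original", ORIGINAL_REGEX), ("fixed", FIXED_REGEX)):
        print(label)
        for name, queue in route_all(regex).items():
            print(f"  {name:18} -> {queue}")
```

With the original pattern every event reaches the index, because no line of the message starts with `Account`; with the anchor removed, the LOCAL SERVICE and machine-account events go to nullQueue while the user event and the out-of-scope EventCode are kept. Two practical points: run the candidate pattern through the search bar's `regex` command against real events before committing it, since the indentation is exactly the kind of detail the rendered event hides; and remember that nullQueue routing happens at parse time, so the props.conf/transforms.conf pair must live on the indexers or heavy forwarders that first parse the data, not on a universal forwarder.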
denisevw
Path Finder

This worked perfectly. Thank you very much!

0 Karma

denisevw
Path Finder

Thanks Luke! I will test this and get back to you.

0 Karma

denisevw
Path Finder

(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))
should be:
REGEX=(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))

0 Karma