Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filtering WinEventLog:Security

denisevw
Path Finder
‎05-19-2014 01:02 PM

Good day

I read a few answers on the WinEventLog:Security filtering but it does not cover the answers I'm looking for.

I need to filter out event codes but only the ones that contain an Account_Name: Local Service entry.

The regex that I'm using in transforms.conf on the Indexers does not work:

props.conf
[WinEventLog:Security]
TRANSFORMS-evtlog = eventnull
TRANSFORMS-wfevtlog = wfeventnull

transforms.conf
eventnull^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))
DEST_KEY=queue
FORMAT=nullQueue

[wfeventnull]
REGEX=(?m)^EventCode=(5152|5156|5157|5158)
DEST_KEY=queue
FORMAT=nullQueue

Here is an example of the event I'm try to filter out:
05/18/2014 10:11:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=server.domain.local
TaskCategory=File System
OpCode=Info
RecordNumber=123456789
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Object:
Object Server: Security
Object Type: File
Object Name: \Device\Udp6
Handle ID: 0xc930

Process Information:
Process ID: 0x1ac
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
Execute/Traverse
ReadAttributes
Access Reasons: -
Access Mask: 0x1200a0
Privileges Used for Access Check: -
Restricted SID Count: 0

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎05-19-2014 01:28 PM

I've seen similar things with Account name extractions... Believe it or not, Account Name is not the start of a line, so you need to remove the ^.

Test the regex in the search bar, and if you want to see the structure look a the event punctuation I think.

(?m)^EventCode=(560|562|4656|4658|4663)[sS]+?AccountsName:s+(?:(?:LOCALsSERVICE)|(?:.*?$$))

View solution in original post

Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎05-19-2014 01:28 PM

I've seen similar things with Account name extractions... Believe it or not, Account Name is not the start of a line, so you need to remove the ^.

Test the regex in the search bar, and if you want to see the structure look a the event punctuation I think.

(?m)^EventCode=(560|562|4656|4658|4663)[sS]+?AccountsName:s+(?:(?:LOCALsSERVICE)|(?:.*?$$))

Reply
Solved! Jump to solution

denisevw
Path Finder
‎05-20-2014 03:14 AM

This worked perfectly. Thank you very much!

0 Karma
Reply
Solved! Jump to solution

denisevw
Path Finder
‎05-20-2014 01:29 AM

Thanks Luke! I will test this and get back to you.

0 Karma
Reply
Solved! Jump to solution

denisevw
Path Finder
‎05-19-2014 01:20 PM

(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.?\$$))
should be:
REGEX=(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.?\$$))

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...