Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Filtering WinEventLog:Security
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good day
I read a few answers on the WinEventLog:Security filtering but it does not cover the answers I'm looking for.
I need to filter out event codes but only the ones that contain an Account_Name: Local Service entry.
The regex that I'm using in transforms.conf on the Indexers does not work:
props.conf
[WinEventLog:Security]
TRANSFORMS-evtlog = eventnull
TRANSFORMS-wfevtlog = wfeventnull
transforms.conf
eventnull^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))
DEST_KEY=queue
FORMAT=nullQueue
[wfeventnull]
REGEX=(?m)^EventCode=(5152|5156|5157|5158)
DEST_KEY=queue
FORMAT=nullQueue
Here is an example of the event I'm try to filter out:
05/18/2014 10:11:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=server.domain.local
TaskCategory=File System
OpCode=Info
RecordNumber=123456789
Keywords=Audit Success
Message=A handle to an object was requested.
Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5
Object:
Object Server: Security
Object Type: File
Object Name: \Device\Udp6
Handle ID: 0xc930
Process Information:
Process ID: 0x1ac
Process Name: C:\Windows\System32\svchost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
Execute/Traverse
ReadAttributes
Access Reasons: -
Access Mask: 0x1200a0
Privileges Used for Access Check: -
Restricted SID Count: 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've seen similar things with Account name extractions... Believe it or not, Account Name is not the start of a line, so you need to remove the ^.
Test the regex in the search bar, and if you want to see the structure look a the event punctuation I think.
(?m)^EventCode=(560|562|4656|4658|4663)[sS]+?AccountsName:s+(?:(?:LOCALsSERVICE)|(?:.*?$$))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've seen similar things with Account name extractions... Believe it or not, Account Name is not the start of a line, so you need to remove the ^.
Test the regex in the search bar, and if you want to see the structure look a the event punctuation I think.
(?m)^EventCode=(560|562|4656|4658|4663)[sS]+?AccountsName:s+(?:(?:LOCALsSERVICE)|(?:.*?$$))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked perfectly. Thank you very much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Luke! I will test this and get back to you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.?\$$))
should be:
REGEX=(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.?\$$))
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
