Splunk Search

Filtering WinEventLog:Security

Path Finder

Good day

I read a few answers on the WinEventLog:Security filtering but it does not cover the answers I'm looking for.

I need to filter out event codes but only the ones that contain an Account_Name: Local Service entry.

The regex that I'm using in transforms.conf on the Indexers does not work:

props.conf
[WinEventLog:Security]
TRANSFORMS-evtlog = eventnull
TRANSFORMS-wfevtlog = wfeventnull

transforms.conf
eventnull^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.*?\$$))
DEST_KEY=queue
FORMAT=nullQueue

[wfeventnull]
REGEX=(?m)^EventCode=(5152|5156|5157|5158)
DEST_KEY=queue
FORMAT=nullQueue

Here is an example of the event I'm try to filter out:
05/18/2014 10:11:31 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4656
EventType=0
Type=Information
ComputerName=server.domain.local
TaskCategory=File System
OpCode=Info
RecordNumber=123456789
Keywords=Audit Success
Message=A handle to an object was requested.

Subject:
Security ID: NT AUTHORITY\LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Object:
Object Server: Security
Object Type: File
Object Name: \Device\Udp6
Handle ID: 0xc930

Process Information:
Process ID: 0x1ac
Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: READ_CONTROL
SYNCHRONIZE
Execute/Traverse
ReadAttributes
Access Reasons: -
Access Mask: 0x1200a0
Privileges Used for Access Check: -
Restricted SID Count: 0

0 Karma
1 Solution

Super Champion

I've seen similar things with Account name extractions... Believe it or not, Account Name is not the start of a line, so you need to remove the ^.

Test the regex in the search bar, and if you want to see the structure look a the event punctuation I think.

(?m)^EventCode=(560|562|4656|4658|4663)[sS]+?AccountsName:s+(?:(?:LOCALsSERVICE)|(?:.*?$$))

View solution in original post

Super Champion

I've seen similar things with Account name extractions... Believe it or not, Account Name is not the start of a line, so you need to remove the ^.

Test the regex in the search bar, and if you want to see the structure look a the event punctuation I think.

(?m)^EventCode=(560|562|4656|4658|4663)[sS]+?AccountsName:s+(?:(?:LOCALsSERVICE)|(?:.*?$$))

View solution in original post

Path Finder

This worked perfectly. Thank you very much!

0 Karma

Path Finder

Thanks Luke! I will test this and get back to you.

0 Karma

Path Finder

(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.?\$$))
should be:
REGEX=(?m)^EventCode=(560|562|4656|4658|4663)[\s\S]+?^Account\sName:\s+(?:(?:LOCAL\sSERVICE)|(?:.
?\$$))

0 Karma