Splunk Search

How to filter Windows Events from one host using Regex?

kiran331
Builder

Hi,

How to filter out the events with EventCodes (4624, 4672, 4634) and Account _svc_abd with Security Id "S-1-5-21-34345566-23432455-2001"?

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=abc.ttt.com
TaskCategory=Logon
OpCode=Info
RecordNumber=3434545
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name:
Account Domain:
Logon ID:

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-34345566-23432455-2001
Account Name: _svc_abd
Account Domain: ttt
Logon ID: 0x4E41454
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID:
Process Name:
Network Information:
Workstation Name:
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services:
Package Name (NTLM only): NTLM V2
Key Length: 0


gcusello
SplunkTrust

Hi kiran331,
if you want to search out events with your conditions at search time, you have to use the rex command with the following regex

| rex "(?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd"

If instead you want to filter events before indexing (see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad), you have to insert in
props.conf

[WinEventLog:Security]
TRANSFORMS-set= setparsing,setnull

transforms.conf

[setnull]
REGEX = (?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Bye.
Giuseppe


kiran331
Builder

Thanks Giuseppe, but unfortunately it's not working. I also tried rex in search; it's the same.


gcusello
SplunkTrust

Sorry, there were two errors!
Try with

(?ms).*EventCode\=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd

you can test it at https://regex101.com/r/03QkUy/1
Bye.
Giuseppe


kiran331
Builder

Giuseppe,

I'm getting this error

Error in 'rex' command: The regex '(?ms).*EventCode=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd' does not extract anything. It should specify at least one named group. Format: (?...).


gcusello
SplunkTrust

This regex is a filter to use in the regex command or in transforms.conf, not in the rex command.
The rex command is used to extract fields.
Bye.
Giuseppe

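The two regexes from this thread checked against the event in the question, as an added Python example that is not part of the thread. Python's re module stands in for Splunk's PCRE engine (an assumption; the behaviour is the same for these patterns). It shows why the first pattern cannot match (the field is EventCode, not EventCodes, and the SID is missing its leading S), that the corrected pattern works as a filter but extracts nothing, which is exactly the rex error above, and a named-group variant (my own, not from the thread) that rex would accept. Both sample events are constructed: one from the 4624 event in the question, one made-up 4625 event that must survive the filter.

```python
import re

# Constructed sample: the 4624 event from the question, trimmed to the lines
# the regexes depend on. Assumed to be one Splunk event (multi-line).
SAMPLE_EVENT = """\
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
ComputerName=abc.ttt.com
TaskCategory=Logon
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name:
Account Domain:

Logon Type: 3

New Logon:
Security ID: S-1-5-21-34345566-23432455-2001
Account Name: _svc_abd
Account Domain: ttt
Logon ID: 0x4E41454
"""

# Constructed control event: a failed logon for another account. It must
# NOT be dropped by the filter.
CONTROL_EVENT = """\
LogName=Security
EventCode=4625
Message=An account failed to log on.

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: jdoe
Account Domain: ttt
"""

# First regex from the thread: "EventCodes" (field is "EventCode") and the
# SID lacks its leading "S", so it can never match a real event.
FIRST_REGEX = (r"(?ms)EventCodes\=(4624|4672|4634).*Security\sID:"
               r"\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd")

# Corrected regex from the thread (a filter: no named groups).
CORRECTED_REGEX = (r"(?ms).*EventCode\=(4624|4672|4634).*Security\sID:"
                   r"\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd")

# Hypothetical rex-style variant: same conditions, anchored on the "New Logon"
# block so the Subject SID is not confused with the logon SID, with named
# groups so `| rex` has fields to return.
EXTRACT_REGEX = (r"(?ms)EventCode\=(?P<code>4624|4672|4634).*New Logon:\s+"
                 r"Security\sID:\s(?P<sid>S-1-5-21-34345566-23432455-2001)\s+"
                 r"Account Name:\s(?P<account>_svc_abd)")


def event_matches(pattern: str, event: str) -> bool:
    """True if the pattern matches the event, which is all `| regex` and a
    transforms.conf REGEX need."""
    return re.search(pattern, event) is not None


def extract_fields(pattern: str, event: str) -> dict:
    """Named groups a rex-style extraction would yield; {} when there are
    none, which is why rex rejects a group-less filter regex."""
    m = re.search(pattern, event)
    return m.groupdict() if m else {}


def filter_events(events, pattern: str = CORRECTED_REGEX):
    """Mirror the nullQueue route: events matching the pattern are discarded,
    everything else goes on to be indexed."""
    return [e for e in events if not event_matches(pattern, e)]


if __name__ == "__main__":
    print("first regex matches:", event_matches(FIRST_REGEX, SAMPLE_EVENT))
    print("corrected regex matches:", event_matches(CORRECTED_REGEX, SAMPLE_EVENT))
    print("corrected regex extracts:", extract_fields(CORRECTED_REGEX, SAMPLE_EVENT))
    print("named-group regex extracts:", extract_fields(EXTRACT_REGEX, SAMPLE_EVENT))
    print("events kept:", len(filter_events([SAMPLE_EVENT, CONTROL_EVENT])))
```

Two practitioner notes on the filter itself. The leading `.*` in the corrected pattern is unnecessary for an unanchored search and makes the engine scan the whole event before backtracking; dropping it gives the same result. And sending 4624/4672/4634 for a service account to nullQueue also removes the only record of where and how that account logged on, so if the goal is noise reduction it is worth keeping Logon Type 10 (remote interactive) or logons from unexpected source addresses and dropping only the routine network (type 3) logons.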