Hi,
How to filter out the events with EventCodes (4624, 4672, 4634) and Account _svc_abd with Security Id "S-1-5-21-34345566-23432455-2001"?
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=abc.ttt.com
TaskCategory=Logon
OpCode=Info
RecordNumber=3434545
Keywords=Audit Success
Message=An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name:
Account Domain:
Logon ID:
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-34345566-23432455-2001
Account Name: _svc_abd
Account Domain: ttt
Logon ID: 0x4E41454
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID:
Process Name:
Network Information:
Workstation Name:
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services:
Package Name (NTLM only): NTLM V2
Key Length: 0
Hi kiran331,
If you want to search for events with your conditions at search time, you have to use the rex command with the following regex:
| rex "(?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd"
If instead you want to filter events before indexing (see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad ), you have to insert the following in
props.conf
[WinEventLog:Security]
TRANSFORMS-set= setparsing,setnull
transforms.conf
[setnull]
REGEX = (?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
Bye.
Giuseppe
Thanks Giuseppe, but unfortunately it's not working. I also tried rex in search; it's the same.
Sorry there were two errors!
Try with:
(?ms).*EventCode\=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd
You can test it at https://regex101.com/r/03QkUy/1
Bye.
Giuseppe
Giuseppe,
I'm getting this error:
Error in 'rex' command: The regex '(?ms).*EventCode=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd' does not extract anything. It should specify at least one named group. Format: (?...).
This regex is a filter to use in the regex command or in transforms.conf, not in the rex command.
The rex command is used to extract fields.
Bye.
Giuseppe
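As an added example (not part of the thread), the script below checks the corrected filter regex from Giuseppe's second reply against a constructed copy of the posted 4624 event before it goes into transforms.conf, mimicking the nullQueue/indexQueue decision; Python's re module stands in for Splunk's PCRE engine, and the "tolerant" variant with \s+ is my own assumption, added because real Windows messages separate label and value with tabs rather than a single space.

```python
import re

# Corrected filter from Giuseppe's second reply ("EventCode", and the SID
# starting with "S-"). It is meant for transforms.conf or the regex command.
FILTER_REGEX = (r"(?ms).*EventCode\=(4624|4672|4634).*Security\sID:\s"
                r"S-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd")

# First-attempt regex from the first reply, kept only to show why it matched nothing.
BROKEN_REGEX = (r"(?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s"
                r"-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd")

# Assumed tolerant variant: real 4624 messages put tabs between label and value,
# so a single \s between "ID:" and the SID would not match them.
TOLERANT_REGEX = (r"(?ms)EventCode=(4624|4672|4634).*Security\s+ID:\s+"
                  r"S-1-5-21-34345566-23432455-2001\s+Account\s+Name:\s+_svc_abd")

# Constructed _raw text, abbreviated from the event pasted in the question.
SAMPLE_EVENT = (
    "LogName=Security\n"
    "SourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\n"
    "ComputerName=abc.ttt.com\n"
    "Message=An account was successfully logged on.\n"
    "Subject:\n"
    "Security ID: S-1-0-0\n"
    "New Logon:\n"
    "Security ID: S-1-5-21-34345566-23432455-2001\n"
    "Account Name: _svc_abd\n"
    "Account Domain: ttt\n"
)
# Same event with the tab separators Windows actually emits (constructed).
TABBED_EVENT = SAMPLE_EVENT.replace(": ", ":\t\t")
# A different account (constructed SID and name) that must keep being indexed.
OTHER_EVENT = SAMPLE_EVENT.replace("S-1-5-21-34345566-23432455-2001",
                                   "S-1-5-21-34345566-23432455-1105").replace("_svc_abd", "jdoe")


def route(raw, regex=FILTER_REGEX):
    """Mimic the transforms.conf decision: an event matching REGEX is sent to
    nullQueue (dropped); anything else goes on to indexQueue."""
    return "nullQueue" if re.search(regex, raw) else "indexQueue"


if __name__ == "__main__":
    for name, rx in (("broken", BROKEN_REGEX), ("corrected", FILTER_REGEX),
                     ("tolerant", TOLERANT_REGEX)):
        print(f"{name:9} spaces -> {route(SAMPLE_EVENT, rx):10} "
              f"tabs -> {route(TABBED_EVENT, rx)}")
```

Running it shows the corrected regex dropping the space-separated sample but letting the tab-separated copy through, which is the kind of mismatch worth catching before a nullQueue rule reaches production.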