Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to filter Windows Events from one host using Regex?

kiran331
Builder
‎08-23-2017 02:05 PM

Hi,

How to filter out the events with EventCodes (4624, 4672, 4634) and Account _svc_abd with Security Id "S-1-5-21-34345566-23432455-2001"?

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=abc.ttt.com
TaskCategory=Logon
OpCode=Info
RecordNumber=3434545
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name:
Account Domain:
Logon ID:

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-34345566-23432455-2001
Account Name: _svc_abd
Account Domain: ttt
Logon ID: 0x4E41454
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID:
Process Name:
Network Information:
Workstation Name:
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services:
Package Name (NTLM only): NTLM V2
Key Length: 0

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-24-2017 01:30 AM

Hi kiran331,
if you want to search out events with your conditions at search time, you have to use the rex command with the following regex

| rex "(?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd"

If instead you want to filter events before indexing (see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad ) you have to insert in
props.conf

[WinEventLogs:Security]
TRANSFORMS-set= setparsing,setnull

transforms.conf

[setnull]
REGEX = (?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Bye.
Giuseppe

0 Karma
Reply

kiran331
Builder
‎08-28-2017 08:36 AM

Thanks Giuseppe, but unfortunately its not working, I also tried rex in search, its same.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 10:02 AM

Sorry there were two errors!
try with

(?ms).*EventCode\=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd

you can test it at https://regex101.com/r/03QkUy/1
Bye.
Giuseppe

0 Karma
Reply

kiran331
Builder
‎08-28-2017 10:26 AM

Giuseppe,

I'm getting this error

Error in 'rex' command: The regex '(?ms).*EventCode=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd' does not extract anything. It should specify at least one named group. Format: (?...).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 11:00 AM

This regex is a filter to use in regex Command or in trnsforms.conf, not in rex command.
Rex command is used to extract fields.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...