Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to filter Windows Events from one host using Regex?

kiran331
Builder
‎08-23-2017 02:05 PM

Hi,

How to filter out the events with EventCodes (4624, 4672, 4634) and Account _svc_abd with Security Id "S-1-5-21-34345566-23432455-2001"?

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=abc.ttt.com
TaskCategory=Logon
OpCode=Info
RecordNumber=3434545
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name:
Account Domain:
Logon ID:

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-34345566-23432455-2001
Account Name: _svc_abd
Account Domain: ttt
Logon ID: 0x4E41454
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID:
Process Name:
Network Information:
Workstation Name:
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services:
Package Name (NTLM only): NTLM V2
Key Length: 0

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-24-2017 01:30 AM

Hi kiran331,
if you want to search out events with your conditions at search time, you have to use the rex command with the following regex

| rex "(?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd"

If instead you want to filter events before indexing (see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad ) you have to insert in
props.conf

[WinEventLogs:Security]
TRANSFORMS-set= setparsing,setnull

transforms.conf

[setnull]
REGEX = (?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Bye.
Giuseppe

0 Karma
Reply

kiran331
Builder
‎08-28-2017 08:36 AM

Thanks Giuseppe, but unfortunately its not working, I also tried rex in search, its same.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 10:02 AM

Sorry there were two errors!
try with

(?ms).*EventCode\=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd

you can test it at https://regex101.com/r/03QkUy/1
Bye.
Giuseppe

0 Karma
Reply

kiran331
Builder
‎08-28-2017 10:26 AM

Giuseppe,

I'm getting this error

Error in 'rex' command: The regex '(?ms).*EventCode=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd' does not extract anything. It should specify at least one named group. Format: (?...).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-28-2017 11:00 AM

This regex is a filter to use in regex Command or in trnsforms.conf, not in rex command.
Rex command is used to extract fields.
Bye.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...