Splunk Search

How to filter Windows Events from one host using Regex?

kiran331
Builder

Hi,

How do I filter out the events with EventCodes (4624, 4672, 4634) and account _svc_abd with Security ID "S-1-5-21-34345566-23432455-2001"?

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=abc.ttt.com
TaskCategory=Logon
OpCode=Info
RecordNumber=3434545
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name:
Account Domain:
Logon ID:

Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: S-1-5-21-34345566-23432455-2001
Account Name: _svc_abd
Account Domain: ttt
Logon ID: 0x4E41454
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID:
Process Name:
Network Information:
Workstation Name:
Source Network Address:
Source Port:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services:
Package Name (NTLM only): NTLM V2
Key Length: 0


gcusello
SplunkTrust

Hi kiran331,
if you want to search for events with your conditions at search time, you have to use the rex command with the following regex

| rex "(?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd"

If instead you want to filter events before indexing (see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad ) you have to insert the following in
props.conf

[WinEventLogs:Security]
TRANSFORMS-set= setparsing,setnull

transforms.conf

[setnull]
REGEX = (?ms)EventCodes\=(4624|4672|4634).*Security\sID:\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Bye.
Giuseppe


kiran331
Builder

Thanks Giuseppe, but unfortunately it's not working. I also tried rex in search; it's the same.


gcusello
SplunkTrust

Sorry, there were two errors!
Try with

(?ms).*EventCode\=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd

You can test it at https://regex101.com/r/03QkUy/1
Bye.
Giuseppe


kiran331
Builder

Giuseppe,

I'm getting this error

Error in 'rex' command: The regex '(?ms).*EventCode=(4624|4672|4634).*Security\sID:\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd' does not extract anything. It should specify at least one named group. Format: (?...).


gcusello
SplunkTrust

This regex is a filter to use in the regex command or in transforms.conf, not in the rex command.
The rex command is used to extract fields.
Bye.
Giuseppe
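The two patterns from this thread (the first one with its errors, and the corrected one) can be checked offline against the 4624 event from the question before they are put into a `regex` search or a transforms.conf stanza. The following is an added example, not code from the thread or from Splunk: it builds the event text from the question as a constructed string, applies both filter patterns, and also shows a named-group variant of the kind `rex` requires (`rex` extracts fields, so it rejects a pattern with no named group). Python's `re` spells named groups `(?P<name>...)`, whereas Splunk's PCRE uses `(?<name>...)`; everything else in the patterns is identical.

```python
import re

# Constructed sample: the Security EventCode=4624 event from the question,
# assembled as one multi-line message the way Splunk keeps it in _raw.
SAMPLE_EVENT = """LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=abc.ttt.com
TaskCategory=Logon
OpCode=Info
RecordNumber=3434545
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name:
Account Domain:
Logon ID:

Logon Type: 3

New Logon:
Security ID: S-1-5-21-34345566-23432455-2001
Account Name: _svc_abd
Account Domain: ttt
Logon ID: 0x4E41454
"""

# A second constructed event for a different account; it must not match.
OTHER_EVENT = SAMPLE_EVENT.replace("_svc_abd", "jdoe")

# The first pattern posted in the thread. It never matches: the field is
# "EventCode", not "EventCodes", and the SID lost its leading "S".
ORIGINAL_FILTER = (r"(?ms)EventCodes\=(4624|4672|4634).*Security\sID:"
                   r"\s-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd")

# The corrected pattern from the thread, as used with `| regex _raw="..."`
# or as the REGEX of a transforms.conf nullQueue stanza.
CORRECTED_FILTER = (r"(?ms).*EventCode\=(4624|4672|4634).*Security\sID:"
                    r"\sS-1-5-21-34345566-23432455-2001\s+Account Name:\s_svc_abd")

# Named-group variant for `rex` (hypothetical field names EventCode, SID,
# Account). Splunk would write the groups as (?<EventCode>...) etc.
EXTRACT_PATTERN = (r"(?ms)EventCode=(?P<EventCode>4624|4672|4634).*Security\sID:"
                   r"\s(?P<SID>S-1-5-21-34345566-23432455-2001)"
                   r"\s+Account Name:\s(?P<Account>_svc_abd)")


def matches_filter(event, pattern):
    """True when the event matches: kept by `regex`, or sent to nullQueue by the transform."""
    return re.search(pattern, event) is not None


def extract_fields(event):
    """Return the fields the named-group pattern would extract, or None if it does not match."""
    match = re.search(EXTRACT_PATTERN, event)
    return match.groupdict() if match else None


if __name__ == "__main__":
    print("original pattern matches sample:", matches_filter(SAMPLE_EVENT, ORIGINAL_FILTER))
    print("corrected pattern matches sample:", matches_filter(SAMPLE_EVENT, CORRECTED_FILTER))
    print("corrected pattern matches other account:", matches_filter(OTHER_EVENT, CORRECTED_FILTER))
    print("extracted fields:", extract_fields(SAMPLE_EVENT))
```

Two points worth checking before deploying the pattern: `| regex _raw="..."` keeps the events that match, so to drop them at search time use `regex _raw!="..."`, while the nullQueue transform drops the matching events at index time. Also, `\s` matches exactly one whitespace character; if the indexed message carries the tabs or multiple spaces that Windows puts between "Security ID:" and the SID, the pattern needs `\s+` there, which the sample above, built with single spaces, does not exercise.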
