How to filter Windows Security Event Logs containing machine name as username?

caroline_fortun
Explorer

Hello everyone,

I'm trying to filter some Windows Security Event Logs that contain the machine name as the username.
To do this I created the props.conf and transforms.conf files as below on the Windows machines where I've installed Splunk Forwarder (in /etc/system/local and /etc/apps/Splunk_TA_Windows/local).

props.conf

[WinEventLog:Security]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = (?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)(.*Security ID:.*\$).*Account.*
DEST_KEY = queue
FORMAT = nullQueue

Are there any errors in my regex? Do I have to do something else?
I already put the files on the indexer too, but I am still getting events.

Best Regards,
Caroline Fortunato

1 Solution

Lowell
Super Champion

By Splunk forwarder do you mean "Universal Forwarder"? If so, please note that the Universal Forwarder does not handle data parsing; that's handled by the receiving system, like your Splunk Indexer.

If you place this configuration on your indexer and restart it, this filter should take effect for new events as they arrive.

This blog post may also be of interest to you: http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/


Update:

A possible, more efficient regex. (Test with your actual events before using it)

REGEX = (?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)[\r\n].*?[\r\n]\s+Security ID:\s+[^\r\n]+\$[\r\n]
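A way to test both transforms.conf patterns offline before deploying them, as an added example that is not part of this thread or of Splunk's own code. The script builds four constructed Windows Security events in the multi-line text layout the Splunk Windows add-on produces (timestamps, host name, SIDs and account names are made up), applies the original REGEX from the question and the anchored one from the answer with Python's re module (which behaves the same as Splunk's PCRE engine for these two patterns), and reports which events each would route to nullQueue. The event layout assumes Splunk renders the Security ID as DOMAIN\HOST$, which is what the anchored pattern depends on; the fourth event shows what happens when the SID arrives unresolved.

```python
import re

# Both values are transforms.conf REGEX settings from the thread. Splunk
# evaluates them with PCRE; Python's re module agrees for these patterns.
# Pattern 1: the original from the question.
ORIGINAL_REGEX = re.compile(
    r"(?ms)EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)"
    r"(.*Security ID:.*\$).*Account.*"
)

# Pattern 2: the anchored variant from the accepted answer, with the
# unmatched ")" after "\$" removed so that it compiles.
ANCHORED_REGEX = re.compile(
    r"(?ms)^[^\r\n]+[\r\n]+LogName=Security[\r\n]+SourceName=[^\r\n]+[\r\n]+"
    r"EventCode=(5145|4634|4624|5140|4625|4648|4661|4662|4672|4771|4611)[\r\n]"
    r".*?[\r\n]\s+Security ID:\s+[^\r\n]+\$[\r\n]"
)


def make_event(code, subject_sid, subject_name, logon_sid, logon_name):
    """Build a constructed Windows Security event in the multi-line text
    layout the Splunk Windows add-on emits (CRLF line endings). The host,
    timestamp and identifiers are made up for this example."""
    lines = [
        "10/14/2014 09:21:03 AM",
        "LogName=Security",
        "SourceName=Microsoft Windows security auditing.",
        "EventCode=%s" % code,
        "EventType=0",
        "ComputerName=WS01.corp.example",
        "Message=(constructed sample event)",
        "",
        "Subject:",
        "\tSecurity ID:\t\t%s" % subject_sid,
        "\tAccount Name:\t\t%s" % subject_name,
        "\tAccount Domain:\t\tCORP",
        "\tLogon ID:\t\t0x3E7",
        "",
        "New Logon:",
        "\tSecurity ID:\t\t%s" % logon_sid,
        "\tAccount Name:\t\t%s" % logon_name,
        "\tAccount Domain:\t\tCORP",
        "\tLogon ID:\t\t0x1A2B3C",
    ]
    return "\r\n".join(lines) + "\r\n"


# Constructed sample events, keyed by what they represent.
EVENTS = {
    # Machine account logon with the SID resolved to DOMAIN\HOST$: the
    # noise both patterns are meant to drop.
    "machine_logon": make_event(4624, "NT AUTHORITY\\SYSTEM", "WS01$", "CORP\\WS01$", "WS01$"),
    # Interactive logon by a person. The Subject block of a 4624 still names
    # the host account (WS01$), so an unanchored ".*\$" can reach it.
    "human_logon": make_event(4624, "NT AUTHORITY\\SYSTEM", "WS01$", "CORP\\jdoe", "jdoe"),
    # Same machine logon, but the SIDs arrive unresolved (no trailing "$").
    "machine_logon_raw_sid": make_event(
        4624, "S-1-5-18", "WS01$", "S-1-5-21-1000000000-2000000000-3000000000-1001", "WS01$"
    ),
    # An EventCode that is not in either pattern's list.
    "other_code": make_event(4688, "NT AUTHORITY\\SYSTEM", "WS01$", "CORP\\WS01$", "WS01$"),
}


def routes_to_nullqueue(pattern, event):
    """True when the transform would match and send the event to nullQueue."""
    return pattern.search(event) is not None


def route(pattern, events):
    """Split labelled events into (dropped, kept) label lists, sorted."""
    dropped = sorted(k for k, e in events.items() if routes_to_nullqueue(pattern, e))
    kept = sorted(k for k in events if k not in dropped)
    return dropped, kept


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_REGEX), ("anchored", ANCHORED_REGEX)):
        dropped, kept = route(pattern, EVENTS)
        print("%-8s drops %s, keeps %s" % (name, dropped, kept))
```

Running the block shows the trade-off between the two patterns: the original also drops the interactive logon by a person, because the Subject block of a 4624 event names the host account and the unanchored ".*" wanders to that "$"; the anchored pattern only fires when a Security ID line itself ends in "$", so it keeps that event but misses machine logons whose SID is not resolved to a name (in that case the check belongs on the Account Name line instead). Whichever form is used, it has to sit on the first full Splunk instance the data reaches, which in this thread turned out to be the heavy forwarder, and sample events taken from that instance are the right test input.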

caroline_fortun
Explorer

Hello Lowell,

I discovered the problem. I am using a heavy forwarder between the Windows Machines and the indexer so the parser occurs at the heavy forwarder.
I put the files at the heavy forwarder machine and restarted Splunk and it worked.

Thanks for your help!

Regards,
Carol

Lowell
Super Champion

Yeah, sorry, I missed that comment at the end the first time I read through it. I'm looking closer at the regex now. It looks inefficient, but I'm not sure if it's actually wrong. Without a sample event it's difficult to say for sure. Have you tested it using any tools like RegexBuddy or Kodos? Oh, keep in mind that the blog post is only relevant for the most recent versions of Splunk.


caroline_fortun
Explorer

I placed the files on the indexer too but it didn't work. I'll have a look at the post.
