Splunk Search

Problem with Windows Security logs field extractor

Aexyn
Engager

Hi guys,

I'm auditing a file server of my domain (access, read, write...) with Windows event logs and Splunk, and it is rather functional.

However I have a problem with the "intelligent file extraction".
A standard collected security log has the following structure:

06/23/2016 03:08:11 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=Information
ComputerName=
TaskCategory=Partage de fichiers détaillé
OpCode=Informations
RecordNumber=20907498
Keywords=Succès de l’audit
Message=Un objet du partage réseau a été vérifié afin de savoir si l’accès souhaité peut être accordé au client.

Sujet :
ID de sécurité : ...
Nom du compte : Someone
Domaine du compte : ...
ID d’ouverture de session : ...

Informations sur le réseau :

Type d’objet : File
Adresse source : ...
Port source : ...

Informations de partage :
Nom de partage : ...
Chemin d’accès du partage : ...
Nom cible relatif : ...

Informations sur la demande d’accès :
Masque d’accès : ...
Accès : SYNCHRONIZE
Lecture données (ou liste de répertoire)
ReadAttributes

Résultat de la vérification d’accès :
SYNCHRONIZE: Accordé par D:(A;;FA;;;WD)
Lecture données (ou liste de répertoire): Accordé par D:(A;;FA;;;WD)
ReadAttributes: Accordé par D:(A;;FA;;;WD)

Here we have the "Accès" (access) field which have 3 values (it could be more, it depends of the user action on the file), a set of value corresponding to the real action of the user (write, save, read...).

My problem is the intelligent field extractor just consider Access is the first value, other values are considered as proper fields, since Windows Logs don't always use the same pattern...

I tried to manually extract fields, with the native Splunk functionnality or with the Field Extractor App. I don't know if my log is too long, but it is truncated after "ID de Sécurité" (Security ID).

Do you know how to do?

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex "(?ms)^\s*Accès:\s+(?<Acesses>.*?)[\r\n]{2}" | makemv delim="\n" Acesses
0 Karma

Aexyn
Engager

Thank's for your reply.

How can I manage the fact there is not always the same number or field? In my example there are 3 lines, but I have to manage other logs with more or less values.
Sometimes there are 5 fields, sometimes 1.
The only indicator is the blank line (\n\n or maybe \r\n\r\n) after the Access field.

0 Karma

woodcock
Esteemed Legend

My answer creates a multi-valued field that can have many values, one for each item in the list. The double-newline terminator indicates the end of the list. Just try it.

0 Karma

Aexyn
Engager

It seems that doesn't work. I have tried modifying a little the expression, since the exact format is :

...
Informations sur la demande d’accès :
(1tab)Masque d’accès :(1tab)0x100081
(1tabs)Accès :(1space)(1tab)SYNCHRONIZE
(4tabs)Lecture données (ou liste de répertoire)
(4tabs)ReadAttributes

...

with tabulations, but without success.

0 Karma

woodcock
Esteemed Legend

The only reason that I can see that it might now work is if there is whitespace between the newlines at the end so try this

 ... | rex "(?ms)^\s*Accès:\s+(?<Acesses>.*?)[\r\n]\s*[\r\n]" | makemv delim="\n" Acesses
0 Karma

Aexyn
Engager

It don't seem to work :(. The mystery is still running.

0 Karma
Get Updates on the Splunk Community!

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...