Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex for Windows Event from Syslog agent

leonheart78
Explorer
‎09-11-2017 12:20 AM

Hi, I'm trying to get the Target Account ID from the Windows Event parsed from a syslog agent. I'm trying to capture the Target Account Name, and Domain. The Account Name appeared in the below samples:

91275674
DEVOP0030
TEST. STUADMGR
dev.devmgr

When using Splunk regex, I could not capture all the above variations. Will love to know how can I do this extraction properly.

2017-08-30 13:37:40 Kernel.Notice 172.21.197.99 Aug 30 13:37:56 DVDMZDCPRD01.dmz.devops.edu.my MSWinEventLog 5 Security 2548728 Wed Aug 30 13:37:50 2017 4738 Microsoft-Windows-Security-Auditing N/A Audit Success DVDMZDCPRD01.dmz.devops.edu.my 13824 A user account was changed.
Subject:
Security ID: S-1-5-21-3530313057-30343534556-3718217427-2613
Account Name: svc.vendor_guest
Account Domain: DMZ
Logon ID: 0x2524625D
Target Account:
Security ID: S-1-5-21-3530313057-3021056205-3718217427-25067
||Account Name: 91275674||
||Account Domain: DMZ||
Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: 8/30/2017 1:37:50 PM
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: -
New UAC Value: -
User Account Control: -
User Parameters: -
SID History: -
Logon Hours: -
Additional Information:
Privileges: -

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzel
Communicator
‎09-11-2017 12:33 AM

I use this regex to make the Windows Eventlog Security CIM compliant for the Change Analysis and Authentication datamodel. It works with all the events I have encounterd that have 2 accounts in the event (subject and target)

(?s)Subject\:.*?Account\s*Name\:\s*(?<src_user>[^\n]*)\n\s*Account\s*Domain\:\s*(?<src_nt_domain>[^\n]*).*?Account\s*Name\:\s*(?<user>[^\n]*)(?:\n\s*Account\s*Domain\:\s*(?<dest_nt_domain>[^\n]*)|\n)

I assumed you put the "|" around the Account Name and Domain Name to make clear what you were looking for....

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzel
Communicator
‎09-11-2017 12:33 AM

I use this regex to make the Windows Eventlog Security CIM compliant for the Change Analysis and Authentication datamodel. It works with all the events I have encounterd that have 2 accounts in the event (subject and target)

(?s)Subject\:.*?Account\s*Name\:\s*(?<src_user>[^\n]*)\n\s*Account\s*Domain\:\s*(?<src_nt_domain>[^\n]*).*?Account\s*Name\:\s*(?<user>[^\n]*)(?:\n\s*Account\s*Domain\:\s*(?<dest_nt_domain>[^\n]*)|\n)

I assumed you put the "|" around the Account Name and Domain Name to make clear what you were looking for....

Reply
Solved! Jump to solution

leonheart78
Explorer
‎09-11-2017 01:34 AM

Thanks for the regex. May I know were you able to extract the Change Attributes as well?
Thank you.

0 Karma
Reply
Solved! Jump to solution

aholzel
Communicator
‎09-12-2017 01:35 PM

I am working on that one, but from a Change Analysis DM view point, to fill the object_attrs field with the name of the attributes that where changed.

If you just want all the fields you can just create a regex for it.
I think you have 3 options for that
1) create 1 regex that will extract every field available using the <_KEY_1> and <_VAL_1> options ( read the transforms.conf documentation REGEX part)
2) create a regex for every field you want to extract
3) create 1 regex that will get all the "Changed Attributes" field, Note that this will not "hit" if one field is missing

I whould go for option 1 because it is the most flexible, despite the fact that it will give me some additional fields without a value ( for example Changed_Attributes)

0 Karma
Reply
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
Top