I am having an issue trying to get the group name for Windows security event ID 4765. I am a little new to using regex so I am not sure why it is not working. I used http://regex101.com to help build the regex and it seemed to work. But when I went to run it in Splunk I didn't get any results.
REGEX:
Group:\n\sSecurity ID:\s\s(?[^\n]+)
Example:
04/19/2018 01:21:15 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4756
EventType=0
Type=Information
ComputerName=DC.ACME.COM
TaskCategory=Security Group Management
OpCode=Info
RecordNumber=1098888999
Keywords=Audit Success
Message=A member was added to a security-enabled universal group.
Subject:
Security ID: ACME\HELLOWORLD
Account Name: HELLOWORLD
Account Domain: ACME
Logon ID: 0x33B39999
Member:
Security ID: ACME\testhello
Account Name: CN=TESTHELLO,OU=LA,OU=ACME_USERS,DC=ACME,DC=com
Group:
Security ID: ACME\HELLO-WORLD_PP
Account Name: HELLO-WORLD_PP
Account Domain: ACME
Additional Information:
Privileges: -
Your RegEx is not as flexible as it needs to be. Windows uses both newlines and linefeeds (it is a long, sad story). Try this:
Group:[\r\n\s]+Security ID:\s+([^\r\n\s]+)
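An added example (not from the thread) that runs both patterns over a constructed copy of the event body with LF and then CRLF line endings; it assumes tab indentation inside the message, as the Windows event text uses, and drops the named-group name that was lost from the asker's pattern. It also goes one step beyond the answer by pulling the Security ID of every section with a single pattern.

```python
import re

# Constructed sample modelled on the event in the question. The real message
# uses tab indentation, so build the body once and vary only the line ending.
MESSAGE_LINES = [
    "A member was added to a security-enabled universal group.",
    "",
    "Subject:",
    "\tSecurity ID:\t\tACME\\HELLOWORLD",
    "\tAccount Name:\t\tHELLOWORLD",
    "\tAccount Domain:\t\tACME",
    "\tLogon ID:\t\t0x33B39999",
    "",
    "Member:",
    "\tSecurity ID:\t\tACME\\testhello",
    "\tAccount Name:\t\tCN=TESTHELLO,OU=LA,OU=ACME_USERS,DC=ACME,DC=com",
    "",
    "Group:",
    "\tSecurity ID:\t\tACME\\HELLO-WORLD_PP",
    "\tAccount Name:\t\tHELLO-WORLD_PP",
    "\tAccount Domain:\t\tACME",
    "",
    "Additional Information:",
    "\tPrivileges:\t\t-",
]

# The asker's pattern with its group name dropped: it insists on a bare "\n"
# after "Group:", so a "\r\n" line ending breaks it.
NAIVE = re.compile(r"Group:\n\sSecurity ID:\s\s([^\n]+)")
# The answer's pattern: tolerant of CR/LF and of any amount of indentation.
FLEXIBLE = re.compile(r"Group:[\r\n\s]+Security ID:\s+([^\r\n\s]+)")

def render(eol):
    """Join the sample body with the given line ending ("\n" or "\r\n")."""
    return eol.join(MESSAGE_LINES)

def extract_group_sid(message, pattern=FLEXIBLE):
    """Return the group's Security ID, or None when the pattern does not match."""
    m = pattern.search(message)
    return m.group(1) if m else None

# Generalisation: capture the Security ID under each top-level section header.
SECTION_SID = re.compile(
    r"^(?P<section>\w+):[\r\n\s]+Security ID:\s+(?P<sid>[^\r\n\s]+)", re.M)

def extract_all_sids(message):
    """Map section name (Subject, Member, Group) to its Security ID."""
    return {m["section"]: m["sid"] for m in SECTION_SID.finditer(message)}

if __name__ == "__main__":
    for eol in ("\n", "\r\n"):
        print(repr(eol), extract_group_sid(render(eol), NAIVE), extract_all_sids(render(eol)))
```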
I am using the app but it isn't extracting a few fields for some eventcodes. I had to extract some other fields already.
Are you using the Windows TA?
https://splunkbase.splunk.com/app/742/
It is supposed to have all the extractions there.
Hope it helps.