I am having a problem with field extraction of some Windows event logs. I have an example log below.
08/05/2014 09:59:00 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4887
EventType=0
Type=Information
ComputerName=issuingca.my.domain
TaskCategory=Certification Services
OpCode=Info
RecordNumber=1981173
Keywords=Audit Success
Message=Certificate Services approved a certificate request and issued a certificate.
Request ID: 5001
Requester: my\user1
Attributes:
CertificateTemplate:DomainInternalIPSECv1
ccm:issuingca.my.domain
Disposition: 3
SKI: aa aa d2 64 ef a1 46 0f e2 2e 92 aa ce ec 1d 81 99 4b aa aa
Subject: CN=TestSubject
So if I search for this and use rex to extract the fields I don't get any problem. Example below.
index="ca_logs" host="issuingca*" EventCode=4887 | rex "(?ms)EventCode=4887\s*\n.*Message=Certificate Services (?<action>.*?)[:\.]\s*\n.*?Requester:\s*(?<requester_domain>[^\\\\]+)\\\\(?<requester_name>.*?)\s*\n.*CertificateTemplate:(?<certificate_template>.*?)\s*\n.*"
Running the above, I extract the fields I'm expecting. I get:
- action
- requester_domain
- requester_name
- certificate_template
So I then create a new field extraction on Splunk web. Settings > Fields > field extractions > New.
Destination app = activedirectory
Name = 4887-fields
Apply to = sourcetype = WinEventLog:Security
Type = inline
Extraction/Transform = (?ms)EventCode=4887\s*\n.*Message=Certificate Services (?<msad_action>.*?)[:\.]\s*\n.*?Requester:\s*(?<requester_domain>[^\\\\]+)\\\\(?<requester_name>.*?)\s*\n.*CertificateTemplate:(?<certificate_template>.*?)\s*\n.*
It creates a new rule called "WinEventLog:Security : EXTRACT-4887-fields". But when I search "index="ca_logs" host="issuingca*" EventCode=4887", I don't get the field extraction occurring. I've set the permissions so that its available to the activedirectory application (this app only instead of private). Can anyone shed light on what I'm doing wrong?
