Splunk Search

Windows security event log regex help


I need a regex that can process all security events with eventid 540 that don't contain $, SYSTEM, or ANONYMOUS LOGON. I am genetically incapable of creating such a regex, so thanks for the help.

Tags (1)
0 Karma

Super Champion

Are you looking for those values in specific fields, or just anywhere in the event? If you are looking for them just anywhere in the event, then I would suggest that you don't use regex at all. Simply do a search like this:

sourcetype=WinEventLog:Security EventCode=540 NOT ("SYSTEM" OR "ANONYMOUS LOGON" OR "$")

However, that may be a bit too loose. For example, the term "system" could occur else where in your event, and perhaps a clever hacker would attempt to hide logon attempts by using a "$" as part of their username,.... So perhaps it's would be better to be slightly more specific about what we want to filter out.

So, this may be a better search:

sourcetype=WinEventLog:Security "EventCode=540" NOT ("User=SYSTEM" OR "User=ANONYMOUS LOGON" OR USER="*$")

(Notice the usage of quotes around the entire expressions--this make splunk look for those literal terms in the index, rather than doing a field matching, which should result in a faster search)

I'm not sure about the USER="*$" part, that does give difference results than simply searching for "$", so you'll have to play around and see what results you really want.

Path Finder

how about this?

eventid="540" | regex _raw!="(\$|SYSTEM|ANONYMOUS LOGON)"

0 Karma