×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
samsonusmc
New Member
Member since: ‎12-03-2019
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-03-2019
Activity Feed
View All

AD FS Audit Logs (ADFS Audit) XML issues: Why is t...

by in All Apps and Add-ons
‎05-31-2020 01:52 PM
‎05-31-2020 01:52 PM
I am using Splunk TA for Windows infrastructure configured to consume the XML logs. The problem is the RAW doesn't parse out the XML that is contained w/in the XML log very well (see raw output below) It parses the "Outer" XML fine, but the "Inner" XML, not so much. (See all the lt; and gt;) &amp;gt; and &amp;lt; is just to get through this WYSIWYG editor Anyone have good advice on how to get splunk to parse and store this properly? <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'> <System> <Provider Name='AD FS Auditing'/> <EventID Qualifiers='0'>1200</EventID> <Level>0</Level> <Task>3</Task> <Keywords>0x80a0000000000000</Keywords> <TimeCreated SystemTime='2020-05-31T20:31:28.875321100Z'/> <EventRecordID>27322577</EventRecordID> <Channel>Security</Channel> <Computer>Computer</Computer> <Security UserID='S-1-5-21----SID'/> </System> <EventData> <Data>3fb4c7cb-865b-4d89-3e02-0080010000b3</Data> <Data>&amp;lt;?xml version="1.0" encoding="utf-16"?&amp;gt; &amp;lt;AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit"&amp;gt; &amp;lt;AuditType&amp;gt;AppToken&amp;lt;/AuditType&amp;gt; &amp;lt;AuditResult&amp;gt;Success&amp;lt;/AuditResult&amp;gt; &amp;lt;FailureType&amp;gt;None&amp;lt;/FailureType&amp;gt; &amp;lt;ErrorCode&amp;gt;N/A&amp;lt;/ErrorCode&amp;gt; &amp;lt;ContextComponents&amp;gt; &amp;lt;Component xsi:type="ResourceAuditComponent"&amp;gt; &amp;lt;RelyingParty&amp;gt;RelyingParty&amp;lt;/RelyingParty&amp;gt; &amp;lt;ClaimsProvider&amp;gt;AD AUTHORITY&amp;lt;/ClaimsProvider&amp;gt; &amp;lt;UserId&amp;gt;UserId&amp;lt;/UserId&amp;gt; &amp;lt;/Component&amp;gt; &amp;lt;Component xsi:type="AuthNAuditComponent"&amp;gt; &amp;lt;PrimaryAuth&amp;gt;http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows&amp;lt;/PrimaryAuth&amp;gt; &amp;lt;DeviceAuth&amp;gt;false&amp;lt;/DeviceAuth&amp;gt; &amp;lt;DeviceId&amp;gt;N/A&amp;lt;/DeviceId&amp;gt; &amp;lt;MfaPerformed&amp;gt;false&amp;lt;/MfaPerformed&amp;gt; &amp;lt;MfaMethod&amp;gt;N/A&amp;lt;/MfaMethod&amp;gt; &amp;lt;TokenBindingProvidedId&amp;gt;true&amp;lt;/TokenBindingProvidedId&amp;gt; &amp;lt;TokenBindingReferredId&amp;gt;false&amp;lt;/TokenBindingReferredId&amp;gt; &amp;lt;SsoBindingValidationLevel&amp;gt;TokenBoundAndValid&amp;lt;/SsoBindingValidationLevel&amp;gt; &amp;lt;/Component&amp;gt; &amp;lt;Component xsi:type="ProtocolAuditComponent"&amp;gt; &amp;lt;OAuthClientId&amp;gt;N/A&amp;lt;/OAuthClientId&amp;gt; &amp;lt;OAuthGrant&amp;gt;N/A&amp;lt;/OAuthGrant&amp;gt; &amp;lt;/Component&amp;gt; &amp;lt;Component xsi:type="RequestAuditComponent"&amp;gt; &amp;lt;Server&amp;gt;Server&amp;lt;/Server&amp;gt; &amp;lt;AuthProtocol&amp;gt;SAMLP&amp;lt;/AuthProtocol&amp;gt; &amp;lt;NetworkLocation&amp;gt;Intranet&amp;lt;/NetworkLocation&amp;gt; &amp;lt;IpAddress&amp;gt;IpAddress&amp;lt;/IpAddress&amp;gt; &amp;lt;ForwardedIpAddress /&amp;gt; &amp;lt;ProxyIpAddress&amp;gt;N/A&amp;lt;/ProxyIpAddress&amp;gt; &amp;lt;NetworkIpAddress&amp;gt;N/A&amp;lt;/NetworkIpAddress&amp;gt; &amp;lt;ProxyServer&amp;gt;N/A&amp;lt;/ProxyServer&amp;gt; &amp;lt;UserAgentString&amp;gt;Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko&amp;lt;/UserAgentString&amp;gt; &amp;lt;Endpoint&amp;gt;/adfs/ls/wia&amp;lt;/Endpoint&amp;gt; &amp;lt;/Component&amp;gt; &amp;lt;/ContextComponents&amp;gt; &amp;lt;/AuditBase&amp;gt;</Data> </EventData> </Event>   ... View more
Labels

Re: Splunk 8 - TSTATS WHERE IN () does not work w...

by in Splunk Search
‎12-03-2019 09:40 AM
‎12-03-2019 09:40 AM
Nevermind.. Known issue https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/KnownIssues 2019-11-11 SPL-179357, SPL-179700 Negated subnet CIDR filter doesn't work in search. Workaround: Workaround: limits.conf: [search] use_search_evaluator_v2=false Examples searches that don't filter out values: index=_internal (NOT clientip=127.0.0.0/8) | stats count BY clientip index=_internal (clientip!=127.0.0.0/8) | stats count BY clientip index=_internal | stats count BY clientip | search (clientip!=127.0.0.0/8) | stats sum(count) BY clientip | noop search_optimization=false Filtering with | where is OK: index=_internal | where NOT cidrmatch("127.0.0.0/8", clientip) | stats count BY clientip ... View more

Splunk 8 - TSTATS WHERE IN () does not work with ...

by in Splunk Search
‎12-03-2019 09:01 AM
‎12-03-2019 09:01 AM
Providing Splunk 8 the following: | tstats allow_old_summaries=t count from datamodel=Network_Traffic.All_Traffic where (nodename = All_Traffic.Traffic_By_Action.Allowed_Traffic) (All_Traffic.src_zone="INET") (All_Traffic.dest_ip=172.20.17.119) NOT All_Traffic.src_ip IN (40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14)by All_Traffic.src_ip, All_Traffic.action | sort - count It doesn't filter out the subnets we asked to exclude... BUT it works on 7.3 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM