In my Splunk instance, logs are sent to the central instance via a universal forwarder, and the deployment server has been enabled to distribute the different configurations to the various clients. For parsing Windows logs, the Windows add-on is used, which also provides a specific sourcetype. The problem is that for Windows clients we are unable to filter authentication events by:
- Status (success/logoff/logon failure) with EventCode: [4624 -> Logon success, 4625 -> failure, 4634 -> Logoff]
- Account name. That is, we want to filter the logs that contain a certain substring in the account name with a regex (always defining it within the whitelist that contains the event filter for the various EventCodes indicated above).
At present, events reach the master instance filtered only by EventCode rather than by EventCode and the substring contained in the account name field. Could you help me?
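An added illustration of the inputs.conf whitelist form the question is about, written for this page rather than taken from the original post or from the Windows add-on: a forwarder-side stanza that keeps only the three logon EventCodes and, on the same line, only events whose account name contains a substring. The deployment-app path, the `svc` substring and the use of the Security channel are assumptions.

```ini
# Example inputs.conf pushed by the deployment server to the Windows
# universal forwarders. Path, app name and the "svc" substring are assumptions.
# Suggested location: etc/deployment-apps/<app>/local/inputs.conf, with the
# add-on's own [WinEventLog://Security] input left disabled so the two do not
# both collect the channel.

[WinEventLog://Security]
disabled = 0

# whitelist<N> in key=regex form: each regex is delimited by % (or double
# quotes). All key=regex pairs on ONE line must match (AND); separate
# whitelist lines are ORed. Account_Name is not a whitelist key, so the
# substring condition is expressed as a regex against the Message text,
# where the Windows event renders "Account Name:<tabs><name>".
# 4624 (logon success), 4625 (failure), 4634 (logoff) AND account name
# containing "svc":
whitelist1 = EventCode=%^(4624|4625|4634)$% Message=%Account Name:\s+\S*svc%
```

Two caveats when adapting this. Keep every whitelist line in the stanza in the same key=regex form rather than mixing it with the plain comma-separated EventCode list, which is what filters only by code. And a 4624 message carries two "Account Name:" lines (the Subject and the New Logon), so the regex above matches either; tighten it if only the logged-on account should count. If the input sets renderXml = true, the rendered text is XML rather than the classic message layout, so test the regex against what the forwarder actually sends.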