Getting Data In

Filtering on Both EventCode and Logon Type for Forwarder

Scarecrowddb
Explorer

Hi All,

I'm presently forwarding a number of different events to a receiver. It's working fine for complete events (i.e. 4729, 4728, etc.), but I would like to be able to forward on both the Event ID and the Logon Type.

For example, in the log below the EventCode is 4624 but the Logon Type is 3. I would like to be able to select EventCode=4624 and Logon_Type=(2|10). I've tried the below, however I can't get it to select anything... I'm also thinking that the actual Logon Type is in the Message field... But I'm not sure about this one...

Any help would be appreciated!

---transforms.conf---

[WindowsLogonEvent675]
REGEX = (?msi)EventCode=4624.*(Message=Logon Type:*2|10)
DEST_KEY = _TCP_ROUTING
FORMAT = forwarder

---example event log---

20110307143629.000000
Category=12544
CategoryString=Logon
ComputerName=DomainController.company.com
EventCode=4624
EventIdentifier=4624
EventType=4
Logfile=Security
RecordNumber=17680457
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20110307043629.730128-000
TimeWritten=20110307043629.730128-000
Type=Audit Success
User=NULL
wmi_type=WinEventLog:Security
Message=An account was successfully logged on.

Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0

Logon Type: 3

New Logon: Security ID: S-1-5-21-1275210071-113007714-1343024091-24644

Process Information: Process ID: 0x0 Process Name: -

Network Information: Workstation Name:
Source Network Address: 10.10.10.10 Source Port: 2537

Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

1 Solution

Ayn
Legend

There seems to be a problem with your regex. The regex

(Message=Logon Type:*2|10)

will match either the exact text "Message=Logon Type:2", or "Message=Logon Type2" without the colon, or finally "10" (the other half of the regex).

Something like this should work:

REGEX = (?msi)EventCode=4624.*Logon Type:\s*(2|10)

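As an added check that is not part of the original thread, the script below runs both the REGEX from the question and the corrected one from the answer against a constructed 4624 event modelled on the sample above (Python's re and Splunk's PCRE agree on the constructs used); `make_event` and `route_decision` are helpers written for this example.

```python
import re

# Regex from the question (broken) and the corrected one from the accepted answer.
ORIGINAL = r"(?msi)EventCode=4624.*(Message=Logon Type:*2|10)"
CORRECTED = r"(?msi)EventCode=4624.*Logon Type:\s*(2|10)"


def make_event(logon_type: int, src_addr: str = "10.10.10.10") -> str:
    """Constructed 4624 event, abbreviated from the sample in the question.

    The raw Windows message puts the logon type on its own line, usually
    padded with tabs, which is why the answer's \\s* is needed.
    """
    return (
        "EventCode=4624\n"
        "Logfile=Security\n"
        "Message=An account was successfully logged on.\n"
        "\n"
        "Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0\n"
        "\n"
        f"Logon Type:\t\t\t{logon_type}\n"
        "\n"
        "Network Information: Workstation Name:\n"
        f"Source Network Address: {src_addr} Source Port: 2537\n"
    )


def would_route(regex: str, event: str) -> bool:
    """True if a transforms.conf REGEX with this pattern would fire on the event."""
    return re.search(regex, event) is not None


def route_decision(event: str) -> dict:
    """Compare what each regex does with the same event."""
    return {"original": would_route(ORIGINAL, event),
            "corrected": would_route(CORRECTED, event)}


if __name__ == "__main__":
    cases = [
        ("type 3, source 10.10.10.10", make_event(3)),
        ("type 3, source 192.168.1.5", make_event(3, "192.168.1.5")),
        ("type 10, source 192.168.1.5", make_event(10, "192.168.1.5")),
        ("type 2, source 192.168.1.5", make_event(2, "192.168.1.5")),
    ]
    for label, event in cases:
        # The original regex fires on the type 3 event only because its bare
        # "10" alternative finds "10" in the source address, and it misses type 2.
        print(f"{label:30} {route_decision(event)}")
```

The point of the bare "10" alternative in the original pattern is that it matches any 4624 event that happens to contain "10" after EventCode, such as a source address, so routing depends on unrelated text rather than on the logon type.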
yannK
Splunk Employee

UPDATE: Splunk 6.*
Since this version you can actually specify a list or range of EventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.

see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf

example:

[WinEventLog:Security]
disabled = 0
# drop EventCode 566 and the range 800-850 before they leave the forwarder
blacklist = 566,800-850

0 Karma

Scarecrowddb
Explorer

Thank you!!!!! That was driving me insane (which wasn't a long trip)!

Cheers!

0 Karma