Hi base,
When I index win logs the automated field extraction works great. When I have an environment with English, French and German Windows, parts of the events will also be localized. Here is one example:
Category=14339
CategoryString=Kerberos-Authentifizierungsdienst
EventCode=4768
EventIdentifier=4768
EventType=4
Logfile=Security
RecordNumber=690090
SourceName=Microsoft-Windows-Security-Auditing
TimeGenerated=20130627093000.056463-000
TimeWritten=20130627093000.056463-000
Type=Überwachung erfolgreich
User=NULL
ComputerName=XXX.xx.xx
wmi_type=WinEventLog:Security
Message=Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.
Kontoinformationen:
Kontoname: ResAdmin
Angegebener Bereichsname: XXX
Benutzer-ID: S-1-5-21-1582781344-2085187069
Dienstinformationen:
Dienstname: krbtgt
Dienst-ID: S-1-5-21-1582781344-2085187069
Netzwerkinformationen:
Clientadresse: ::1
Clientport: 0
Weitere Informationen:
Ticketoptionen: 0x40810010
Ergebniscode: 0x0
Ticketverschlüsselungstyp: 0x17
Typ vor der Authentifizierung: 2
The top of the event seems to be identical for every language, but at the bottom MS switches to the locale. This makes the creation of searches a little bit difficult. You have to use different field names for the same data for every localization. What is the best practice to get only English field names?
Thanks
Check this post from Adrian Hall. He advises using a lookup on all the objects where a translation is needed. The difficulty is to have a lookup file with all the fields translated into the target language. Maybe this file will be released soon by Splunk.
First I thought this would help, but this solution translates the value of the field, not the field itself.
Thanks anyway...
Have you tried using regular expressions like this:
(?i)(?:Account Name|Kontoname):[\t]+(?P<account_name>[^\t]+)
You could set multiple indicator strings before the extraction by using (?:A|B).
I don't think so. That's mainly a Windows problem you're trying to solve. But there is a way to change the language by which the Windows source systems send their logs using the "wevtutil" utility if you are using Windows Eventlog Forwarding (perhaps by group policy) - it's "wecutil ss SUSCRIPTION_NAME /cf:RenderedText /l:en-US".
I don't know if there is perhaps a way to configure the forwarding to skip the XML rendering so that every incoming event is still raw XML and not yet rendered in a specific language.
Yep, good approach, but if I did it like this it would look like this:
(?i)(?:AccountName|German|Frensh|Spain|Nederlands|Chineese…):[\t]+(?P
Hard to handle, and what if I do not know which locales I have? The punctuation of the events looks similar in every language, so maybe there is a way to “overextract” the field names…
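As an added example (my own Python, not code from this thread, from Adrian Hall's post or from Splunk), here are the two ideas above combined: the "label: value" punctuation is the same in every locale, so the message body can be overextracted structurally and the labels normalised through a lookup table; the (?:A|B) alternation from the earlier answer is then generated from that same table instead of typed by hand, which removes the "which locales do I have" problem. The German labels are the ones from the event in the question; the English labels, the tab layout and the canonical field names are my assumptions.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample: the German 4768 message body from the question, re-assembled
# with tabs between label and value (assumption, matching the thread's [\t]+ regex).
GERMAN_4768 = """Ein Kerberos-Authentifizierungsticket (TGT) wurde angefordert.
Kontoinformationen:
\tKontoname:\t\tResAdmin
\tAngegebener Bereichsname:\tXXX
\tBenutzer-ID:\t\tS-1-5-21-1582781344-2085187069
Dienstinformationen:
\tDienstname:\t\tkrbtgt
\tDienst-ID:\t\tS-1-5-21-1582781344-2085187069
Netzwerkinformationen:
\tClientadresse:\t\t::1
\tClientport:\t\t0
Weitere Informationen:
\tTicketoptionen:\t\t0x40810010
\tErgebniscode:\t\t0x0
\tTicketverschlüsselungstyp:\t0x17
\tTyp vor der Authentifizierung:\t2
"""

# Constructed en-US rendering of the same event with the same values.
ENGLISH_4768 = """A Kerberos authentication ticket (TGT) was requested.
Account Information:
\tAccount Name:\t\tResAdmin
\tSupplied Realm Name:\tXXX
\tUser ID:\t\tS-1-5-21-1582781344-2085187069
Service Information:
\tService Name:\t\tkrbtgt
\tService ID:\t\tS-1-5-21-1582781344-2085187069
Network Information:
\tClient Address:\t\t::1
\tClient Port:\t\t0
Additional Information:
\tTicket Options:\t\t0x40810010
\tResult Code:\t\t0x0
\tTicket Encryption Type:\t0x17
\tPre-Authentication Type:\t2
"""

# Localized label -> canonical field name (my own names). A new locale is new rows.
LABEL_LOOKUP: Dict[str, str] = {
    "Account Name": "account_name", "Kontoname": "account_name",
    "Supplied Realm Name": "supplied_realm", "Angegebener Bereichsname": "supplied_realm",
    "User ID": "user_sid", "Benutzer-ID": "user_sid",
    "Service Name": "service_name", "Dienstname": "service_name",
    "Service ID": "service_sid", "Dienst-ID": "service_sid",
    "Client Address": "client_address", "Clientadresse": "client_address",
    "Client Port": "client_port", "Clientport": "client_port",
    "Ticket Options": "ticket_options", "Ticketoptionen": "ticket_options",
    "Result Code": "result_code", "Ergebniscode": "result_code",
    "Ticket Encryption Type": "ticket_encryption_type",
    "Ticketverschlüsselungstyp": "ticket_encryption_type",
    "Pre-Authentication Type": "pre_auth_type",
    "Typ vor der Authentifizierung": "pre_auth_type",
}

# Language-independent shape of a data line: "<label>:<whitespace><value>".
# Section headers such as "Kontoinformationen:" carry no value and do not match.
LINE_RE = re.compile(r"^\s*(?P<label>[^:\t]+?):\s*(?P<value>\S.*?)\s*$")


def extract_fields(message: str) -> Tuple[Dict[str, str], List[str]]:
    """Overextract every 'label: value' line, then normalise the label via the
    lookup. Also returns labels with no lookup row, so an unexpected locale is
    visible instead of silently producing missing fields."""
    fields: Dict[str, str] = {}
    unknown: List[str] = []
    for line in message.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = m.group("label").strip()
        key = LABEL_LOOKUP.get(label)
        if key is None:
            unknown.append(label)
        else:
            fields[key] = m.group("value")
    return fields, unknown


def alternation_regex(canonical: str) -> Pattern[str]:
    """Generate the (?:Account Name|Kontoname) extraction from the lookup,
    longest label first so no label is shadowed by a shorter prefix."""
    labels = sorted((lbl for lbl, key in LABEL_LOOKUP.items() if key == canonical),
                    key=len, reverse=True)
    alt = "|".join(re.escape(lbl) for lbl in labels)
    return re.compile(rf"(?im)^\s*(?:{alt}):\s*(?P<{canonical}>\S.*?)\s*$")


if __name__ == "__main__":
    for locale, msg in (("de", GERMAN_4768), ("en", ENGLISH_4768)):
        print(locale, *extract_fields(msg))
    print(alternation_regex("account_name").pattern)
```

Run stand-alone, the script prints identical field dictionaries for the German and English messages and the generated alternation pattern. The returned list of unknown labels is the operationally useful part: if a forwarder starts sending a locale the table does not cover, searches keyed on the canonical names quietly stop matching, so that list should be monitored rather than discarded.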