Hi all, I have some problems filtering logs from Windows forwarders (not light forwarders).
Example:
LogName=Security
SourceName=Security
EventCode=540
EventType=8
Type=Success Audit
ComputerName=ISAPROXY
User=userxxx
Sid=S-1-5-21-127xxxxx01-97xxxxx52-4263xxxxx-xxxx
SidType=1
Category=2
CategoryString=Logon/Logoff
RecordNumber=3991297
Message=Successful Network Logon:
User Name: myuser
Domain: XXXIT
Logon ID: (0x0,0x4D7D2B66)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: XXX080
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
I need to match "Logon Type: 3" and drop those events before they are indexed.
I've tried adding this regex in
transforms.conf
[no_event]
REGEX = (?ms)(Logon Type:\s(3|7|60))
DEST_KEY = queue
FORMAT = nullQueue
but it doesn't work.
Any ideas?
Best regards
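Editor's note, added here as a worked example and not part of the original post: a transforms.conf stanza on its own is never applied. Splunk only runs it when a props.conf stanza references it through a TRANSFORMS-<name> setting, and because the post says these are full (heavy) forwarders, parsing happens on the forwarder, so both files have to live there (for example in $SPLUNK_HOME/etc/system/local/ on the forwarder), not on the indexer. The stanza below assumes the events arrive with the standard Windows sourcetype WinEventLog:Security and keeps the poster's stanza name no_event; it also uses \s+ instead of \s, since the Windows security message separates "Logon Type:" from the value with a tab, and sometimes more than one whitespace character, which a single \s does not reliably cover. The trailing \b stops "3" from matching a longer value by accident. Only the combination of these two files routes matching events to nullQueue; everything else still goes to the index queue.

```ini
# props.conf on the heavy forwarder (assumed sourcetype; check with
# "index=* sourcetype=WinEventLog:Security" on a test system first)
[WinEventLog:Security]
TRANSFORMS-drop_logon_types = no_event

# transforms.conf on the same forwarder
[no_event]
# Match the "Logon Type:" line of the event message (default SOURCE_KEY is _raw).
# \s+ covers the tab(s) Windows puts between label and value; \b avoids partial matches.
REGEX = Logon Type:\s+(?:3|7|60)\b
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting splunkd on the forwarder, confirm the filter is active by counting "Logon Type: 3" events before and after; if they are still indexed, verify the sourcetype name in the props.conf stanza and that the files were placed on the forwarder that does the parsing.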