Refine your search:

Windows security event log regex help

0

I need a regex that can process all security events with eventid 540 that don't contain $, SYSTEM, or ANONYMOUS LOGON. I am genetically incapable of creating such a regex, so thanks for the help.

asked 28 Jun '10, 16:41

chowell's gravatar image

chowell
211
accept rate: 0%

edited 28 Jun '10, 23:45

John%20Mark's gravatar image

John Mark
411111
2 Answers:
oldestnewestmost voted
2

Are you looking for those values in specific fields, or just anywhere in the event? If you are looking for them just anywhere in the event, then I would suggest that you don't use regex at all. Simply do a search like this:

sourcetype=WinEventLog:Security EventCode=540 NOT ("SYSTEM" OR "ANONYMOUS LOGON" OR "$")

However, that may be a bit too loose. For example, the term "system" could occur else where in your event, and perhaps a clever hacker would attempt to hide logon attempts by using a "$" as part of their username,.... So perhaps it's would be better to be slightly more specific about what we want to filter out.

So, this may be a better search:

sourcetype=WinEventLog:Security "EventCode=540" NOT ("User=SYSTEM" OR "User=ANONYMOUS LOGON" OR USER="*$")

(Notice the usage of quotes around the entire expressions--this make splunk look for those literal terms in the index, rather than doing a field matching, which should result in a faster search)

I'm not sure about the USER="*$" part, that does give difference results than simply searching for "$", so you'll have to play around and see what results you really want.

link

answered 28 Jun '10, 17:54

Lowell's gravatar image

Lowell ♦
9.6k637
accept rate: 40%

edited 28 Jun '10, 18:07

0

how about this?

eventid="540" | regex _raw!="(\$|SYSTEM|ANONYMOUS LOGON)"

link

answered 28 Jun '10, 16:45

rayfoo's gravatar image

rayfoo
1781110
accept rate: 12%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×245

Asked: 28 Jun '10, 16:41

Seen: 1,453 times

Last updated: 28 Jun '10, 23:45

Related questions

Windows Security Logs: Regex Filtering Search time

ERROR WinEventLogChannel - initOld: Failed to initialize checkpoint for Windows Event Log channel 'Security' Host is no longer forwarding WinEventLog:Security to the Linux indexer.

Error reading security event log messages on Windows 2008 Core Server

Duplicated windows security event log data with WMI

REGEX problem transforms.conf WinEventLog:Security

Regex on a WMI security and Splunk formating

regex / source stanza issue, trying to tie a regex to match start-of-line

How do you filter Windows Event Log?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.