
I'm trying to perform a seemingly simple task, which is to search for failed logins in my AD environment. Here's the search I used, found in another Answer:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"

Great! I found some failed logins. Now I want specific information out of this event, which is the "Account Name" of the user who's having a problem. Ewwww, but with Microsoft's lovely log format, they so graciously supply TWO "Account Name" fields with the same name:

11/15/10 03:41:00 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4625
EventType=0
Type=Information
ComputerName=SERVERNAME.DOMAIN.NAME
TaskCategory=Logon
OpCode=Info
RecordNumber=30965331
Keywords=Audit Failure
Message=An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SERVERNAME$  <-- 1st occurrence
    Account Domain:     DOMAIN
    Logon ID:       0x3e7

Logon Type:         8

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       username    <-- 2nd occurrence
    Account Domain:     domain.name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:         0xc000006d
    Sub Status:     0xc000006a

Process Information:
    Caller Process ID:  0x1a40
    Caller Process Name:    C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:   SERVERNAME
    Source Network Address: 11.22.33.44
    Source Port:        2453

Detailed Authentication Information:
    Logon Process:      Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0
<snip>

I want that second occurrence of "Account Name" (which holds username). Now you may already be thinking, hey buddy this question has been asked before -- go search because the answers out there (one, two) are to use "| eval newVar=mvindex(Account_Name,1)"...

...but hear me out. It's not behaving as expected.

So I adjust my search to store the 2nd occurrence of "Account Name" in a new variable and dump them into a table:

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| eval newVar=mvindex(Account_Name,1)
| table Account_Name newVar

Here's the problem: this results in

SERVERNAME$    <blank>    

I can't get the value of the 2nd occurrence. Reading the documentation on Parse Fields With Multiple Values doesn't shed any light on my problem.

So I tried grabbing the last value, "newVar=mvindex(Account_Name,-1)", but that outputs blank as well. So I start to question whether mvindex is doing anything at all... but the strange thing is that "newVar=mvindex(Account_Name,0)" seems to store/retrieve just fine, despite it not being the data I want.

Can someone point me in the right direction? Thanks in advance.

Running 4.1.5 Linux x86_64


ziegfried Solution

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND EventCode<="549") hoursago="4"
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<Wanted_Account>\V+)"
| table _time Account_Name Wanted_Account ComputerName Failure_Reason src_ip Workstation_Name

asked 15 Nov '10, 23:03


pstraw

edited 20 Nov '10, 18:23

When you show Account_Name as an enabled field in the Event Viewer, do you get multiple occurrences of Account_Name or just 1 occurrence with the value being the 1st extraction (SERVERNAME$)?

(17 Nov '10, 07:10) hulahoop ♦

Account_Name in the Events Table/View shows the 1st occurrence which typically is "-" or SERVERNAME$

Am I correct in my understanding that in the Events view/table you cannot display custom/new variables? Those will only display in the Results view/table?

(17 Nov '10, 16:56) pstraw

2 Answers:

How are you extracting the Account_Name field(s)?
What does this return?

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex field=_raw max_match=99 "Account Name:\s+(?<Account_Name>\w+\$?)" 
| eval Wanted_Account=mvindex(Account_Name,1)
| table Wanted_Account

answered 16 Nov '10, 23:23


bwooden ♦

Added results of your query to the original post. Sure wish there was a code tag function in comments. Thanks for your help so far.

(17 Nov '10, 16:49) pstraw

Thank you bwooden! Your rex helped.

(17 Nov '10, 19:21) pstraw

An option is to extract the account name after the occurrence of "Account For Which Logon Failed":

source="WinEventLog:Security" EventCode="4625" OR EventCode="539" OR 
(EventCode>="529" AND EventCode<="537") OR (EventCode>="547" AND 
EventCode<="549") hoursago="4" 
| rex "(?ms)Account For Which Logon Failed.+?Account Name:\s+(?<wanted_account>\V+)"
| table wanted_account

answered 17 Nov '10, 17:06


ziegfried ♦

edited 20 Nov '10, 14:18

wanted_account in the Results Table returns blank for this query.

(19 Nov '10, 18:48) pstraw

I forgot to add the multiline and dot-all flags to the regex. I've edited the search expression above.

(20 Nov '10, 14:18) ziegfried ♦

Your query is working now. Edit to remove the stray in EventCode<="537"

(20 Nov '10, 18:13) pstraw
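As an added illustration (not code from either answer), both extractions replayed in Python's `re` on the event quoted in the question: bwooden's multi-match extraction with an index-1 pick, and ziegfried's section-anchored regex with and without the (?ms) flags, whose absence is why the first version returned blank. Python's `re` has no `\V`, so `[^\r\n]+` stands in for it, and the sample event text is constructed from the question's own output.

```python
import re

# Constructed sample: the part of the 4625 event quoted in the question
# that carries the two "Account Name" lines.
SAMPLE_EVENT = """Message=An account failed to log on.

Subject:
    Security ID:        S-1-5-18
    Account Name:       SERVERNAME$
    Account Domain:     DOMAIN
    Logon ID:       0x3e7

Logon Type:         8

Account For Which Logon Failed:
    Security ID:        S-1-0-0
    Account Name:       username
    Account Domain:     domain.name

Failure Information:
    Failure Reason:     Unknown user name or bad password.
"""

# bwooden's approach: pull every "Account Name" value (rex max_match=99)
# into a multi-value list, then take index 1 like mvindex(Account_Name, 1).
ALL_NAMES_RE = re.compile(r"Account Name:\s+(\w+\$?)")

def second_account_name(event):
    names = ALL_NAMES_RE.findall(event)
    # A single-valued field (the automatic extraction) has no index 1,
    # which is exactly the blank the question reports.
    return names[1] if len(names) > 1 else None

# ziegfried's approach: anchor on the "Account For Which Logon Failed"
# section so only the failed account's name is captured. re.M | re.S is
# Python's equivalent of the (?ms) prefix; the lazy .+? stops at the first
# "Account Name:" after the anchor instead of running to the last one.
ANCHORED_RE = re.compile(
    r"Account For Which Logon Failed.+?Account Name:\s+([^\r\n]+)", re.M | re.S)

# The same pattern without the flags, i.e. the version before the edit:
# "." cannot cross the line break after the section header, so it never matches.
ANCHORED_NO_FLAGS_RE = re.compile(
    r"Account For Which Logon Failed.+?Account Name:\s+([^\r\n]+)")

def failed_account_name(event, pattern=ANCHORED_RE):
    m = pattern.search(event)
    return m.group(1) if m else None
```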
Copyright © 2005-2012 Splunk Inc. All rights reserved.