Windows Event # 4729

hartfoml · ‎10-03-2011

How to I extract fields that have the same name:

**Subject:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-30684
Account Name:       xxxxxxxx
Account Domain:     xxxxxx
Logon ID:       0x2ab3cdc2e

Member:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-17789
Account Name:       CN=xxxxxx,OU=yyyyyy,OU=zzzz,DC=xxx,DC=xxx,DC=com

Group:

Security ID:        S-1-5-21-3421131818-2740222167-1022849547-512
Group Name:     Domain Admins
Group Domain:       ESCG**

How do I extract out the:
Subject: Account name
Member: Account Name
Group: Group Name

BobM · ‎12-02-2011

You need a multi line EXTRACT looking for the group name followed by any number of indented lines and the words "Account Name:" A props.conf with the below should work. I added in New Logon in case you also need EventCode=4624

[WinEventLog:Security]
EXTRACT-test=(?m)^Subject:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<SubjectAccountName>[^\r\n]+)
EXTRACT-test=(?m)^Member:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<MemberAccountName>[^\r\n]+)
EXTRACT-test=(?m)^New Logon:[\r\n]+(?:\t[^\r\n]+[\r\n]+)+\t+Account Name:\s+(?<NewAccountName>[^\r\n]+)
EXTRACT-gn=(?m)^\s+Group Name:\s+(?<GroupName>[\r\n]+)

In Explanation
(?m) tells splunk to use multi line matching and
(?:\t[^\r\n]+[\r\n]+)+ matches any number of tab indented lines.

kristian_kolb · ‎12-01-2011

This looks like a single event from Win2008 WinEvtLog:Security, albeit a bit chopped up.

/k

rroberts · ‎11-28-2011

Which log is this data coming from?

Windows Event # 4729

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?