
Splunk General forum: Parse Windows Event log




Hello,

I need to parse out the message field in a windows event log.

For example:
Message=Successful Network Logon: User Name: USER Domain: DOMAIN Logon ID: () Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos

I need to be able to parse on Logon Type: 3 within transforms.conf, but none of my regexes are returning what I want (or any events, for that matter).

Thanks for any help

Kevin

I got what I needed with:

regex Message=".*\bLogon\s+Type:\s+(3|5).*"

to isolate Logon Types 3 & 5.

Thanks.

Actually I did not get what I wanted. The above regex matches in the search but when I put it in my transforms.conf, it is not matching:

Props.conf
[source::WinEventLog:Security]
TRANSFORMS-null= setnull_Logon_Types

Transforms.conf
[setnull_Logon_Types]
REGEX= \bLogon\s+Type:\s+(3|5)\b
DEST_KEY = queue
FORMAT = nullQueue

I want to pass all these events to the null queue and only have what's left passed on to the central Splunk server. This is at a remote server with the Splunk forwarder enabled.

Thanks for any help.

Kevin
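As an added example (not code from this thread or from Splunk), the Python script below mimics how an indexer or heavy forwarder evaluates a stanza like the one above: REGEX is run as an unanchored search over _raw, and on a match DEST_KEY = queue takes the value of FORMAT, so the event goes to nullQueue instead of on to indexing. The transforms.conf text, the sample Security messages and the catch-all "REGEX = ." stanza used in the later post are all constructed here; treating unmatched events as bound for the indexQueue is an assumption of the model. Because Logon Type 3 (network) and 5 (service) cover most authentication activity a Security log records, the script also reports which logon types would survive the filter, which is worth checking before a null-queue rule goes live on a forwarder.

```python
import configparser
import re

# Constructed transforms.conf text; the REGEX line is the one from the post above.
TRANSFORMS_CONF = r"""
[setnull_Logon_Types]
REGEX = \bLogon\s+Type:\s+(3|5)\b
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed catch-all stanza, mirroring the "REGEX = ." experiment later in the thread.
CATCH_ALL_CONF = r"""
[setnull_Logon_Types]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample _raw values in the shape of the message quoted in the question.
SAMPLE_EVENTS = [
    "Message=Successful Network Logon: User Name: USER Domain: DOMAIN Logon ID: () "
    "Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos",
    "Message=Successful Logon: User Name: ADMIN Domain: DOMAIN Logon ID: () "
    "Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate",
    "Message=Successful Logon: User Name: SVC Domain: DOMAIN Logon ID: () "
    "Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate",
    "Message=Successful Logon: User Name: USER Domain: DOMAIN Logon ID: () "
    "Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate",
]

LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


def load_stanza(conf_text, name):
    """Parse a transforms.conf fragment and return one stanza as a dict."""
    # Only "=" separates key and value, so the ":" inside the REGEX value is kept intact.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep Splunk's upper-case key names
    parser.read_string(conf_text)
    return dict(parser[name])


def route_event(raw, stanza):
    """Return the queue an event is sent to under a DEST_KEY = queue stanza.

    REGEX is evaluated as an unanchored search over SOURCE_KEY (_raw by default);
    on a match DEST_KEY takes the value of FORMAT. Assumption of this model: an
    unmatched event keeps its default destination, the indexQueue.
    """
    if stanza.get("DEST_KEY") != "queue":
        raise ValueError("this model only handles DEST_KEY = queue")
    if re.search(stanza["REGEX"], raw):
        return stanza["FORMAT"]
    return "indexQueue"


def route_all(events, conf_text, stanza_name):
    """Route every event and return a list of (logon_type, queue) pairs."""
    stanza = load_stanza(conf_text, stanza_name)
    routed = []
    for raw in events:
        match = LOGON_TYPE_RE.search(raw)
        logon_type = match.group(1) if match else None
        routed.append((logon_type, route_event(raw, stanza)))
    return routed


def surviving_logon_types(events, conf_text, stanza_name):
    """Logon types that would still reach the indexer under the stanza."""
    kept = {lt for lt, queue in route_all(events, conf_text, stanza_name)
            if queue != "nullQueue" and lt is not None}
    return sorted(kept, key=int)


if __name__ == "__main__":
    for logon_type, queue in route_all(SAMPLE_EVENTS, TRANSFORMS_CONF, "setnull_Logon_Types"):
        print(f"Logon Type {str(logon_type):>2} -> {queue}")
    print("kept:", surviving_logon_types(SAMPLE_EVENTS, TRANSFORMS_CONF, "setnull_Logon_Types"))
    print("kept with REGEX = . :",
          surviving_logon_types(SAMPLE_EVENTS, CATCH_ALL_CONF, "setnull_Logon_Types"))
```

Running the script shows the Type 3 and Type 5 events going to nullQueue while Types 2 and 10 pass through, and the catch-all stanza leaving nothing, which is the behaviour the poster expected and did not see: when a stanza that matches everything still lets everything through, the parsing pipeline is not being applied where the configuration lives, which points away from the regex and toward the forwarder type or the file placement.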

Further testing shows that when I do this, I am also still getting everything (instead of nothing):

Props.conf
[source::WinEventLog:Security]
TRANSFORMS-null= setnull_Logon_Types

Transforms.conf
[setnull_Logon_Types]
REGEX= .
DEST_KEY = queue
FORMAT = nullQueue

So it appears the issue is not with the regex but something else. Am I matching the source properly?

Thanks.

Figured it out! Didn't realize it did not care about this in Light Forwarder. Changed to regular Forwarder and all works!

You would configure this on the indexer if using a Light Forwarder: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F

Thanks for the tip. I will check this out.