Question

How to extract fields from the Microsoft-Windows-Security-Auditing

  • March 11, 2025

{
"_raw": "{"Id":4634,"Version":0,"Qualifiers":null,"Level":0,"Task":12545,"Opcode":0,"Keywords":-9214364837600034816,"RecordId":24675211,"ProviderName":"Microsoft-Windows-Security-Auditing","ProviderId":"54849625-5478-4994-a5ba-3e3b0328c30d","LogName":"Security","ProcessId":816,"ThreadId":2972,"MachineName":"vmwopsadm02-dev.hq.xxx.com","UserId":null,"TimeCreated":"\/Date(1686604325474)\/","ActivityId":null,"RelatedActivityId":null,"ContainerLog":"ForwardedEvents","MatchedQueryIds":[],"Bookmark":{},"LevelDisplayName":"Information","OpcodeDisplayName":"Info","TaskDisplayName":"Logoff","KeywordsDisplayNames":["Audit Success"],"Properties":[{"Value":"S-1-5-21-3567637-1906459281-1427260136-1830845"},{"Value":"VMWOPSADM03-DEV$"},{"Value":"xxx"},{"Value":"0xbc526b"},{"Value":"3"}],"Message":"An account was logged off.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-3567637-1906459281-1427260136-1830845\r\n\tAccount Name:\t\tVMWOPSADM03-DEV$\r\n\tAccount Domain:\t\txxx\r\n\tLogon ID:\t\t0xBC526B\r\n\r\nLogon Type:\t\t\t3\r\n\r\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."}",
"source": "ForwardedEvents",
"host": "vmwitetmpxxx-tst",
"_time": 1686604325.474,
"cribl_breaker": "windows event logs"
}

2 replies

Hi @Qian Zhao, can you help us understand what you are trying to do with the event? We can definitely help you extract relevant data, but you have not provided us enough information.


  • Author
  • New Participant
  • March 11, 2025

Hi @Brendan Dalpe, thanks. For now, I can use the Cribl functions (parser, flatten) to extract the fields from the original JSON object, only I don't understand how to convert the timestamp into the format %Y-%m-%dT%H:%M:%S.%f%z, it does not realize the expected format after using the auto timestamp function.

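The two pieces the thread asks for, as an added example in plain JavaScript (not code from the original post and not Cribl's own Parser/Flatten or timestamp functions): pull the labelled fields out of the event's Message text, and turn the .NET-style `/Date(<ms>)/` value of TimeCreated into `%Y-%m-%dT%H:%M:%S.%f%z` in UTC. The sample event is constructed from the question's `_raw` (whose nested quotes are not escaped there, so it is rebuilt with JSON.stringify); field names derived from the Message labels are my own convention.

```javascript
// Constructed sample, trimmed from the 4634 event shown in the question.
const SAMPLE_RAW = JSON.stringify({
  Id: 4634,
  ProviderName: "Microsoft-Windows-Security-Auditing",
  TimeCreated: "/Date(1686604325474)/",
  Message: "An account was logged off.\r\n\r\nSubject:\r\n" +
    "\tSecurity ID:\t\tS-1-5-21-3567637-1906459281-1427260136-1830845\r\n" +
    "\tAccount Name:\t\tVMWOPSADM03-DEV$\r\n\tAccount Domain:\t\txxx\r\n" +
    "\tLogon ID:\t\t0xBC526B\r\n\r\nLogon Type:\t\t\t3\r\n\r\n" +
    "This event is generated when a logon session is destroyed.",
});

const pad = (n, w) => String(n).padStart(w, "0");

// "/Date(1686604325474)/" -> "2023-06-12T21:12:05.474000+0000".
// Rendered in UTC so %z is always +0000; JS Date has millisecond precision,
// so the six-digit %f field is the milliseconds followed by "000".
function formatTimeCreated(tc) {
  const m = /^\/Date\((-?\d+)\)\/$/.exec(tc || "");
  if (!m) return null;                       // not the .NET wrapper format
  const d = new Date(Number(m[1]));
  if (Number.isNaN(d.getTime())) return null; // out-of-range epoch value
  return `${d.getUTCFullYear()}-${pad(d.getUTCMonth() + 1, 2)}-${pad(d.getUTCDate(), 2)}T` +
    `${pad(d.getUTCHours(), 2)}:${pad(d.getUTCMinutes(), 2)}:${pad(d.getUTCSeconds(), 2)}.` +
    `${pad(d.getUTCMilliseconds() * 1000, 6)}+0000`;
}

// Turn the "Label:<tabs>value" lines of Message into snake_case fields. Lines under a
// section header such as "Subject:" get that header as a prefix (subject_logon_id), so
// the same label in different sections of other event IDs cannot collide.
function parseMessageFields(message) {
  const out = {};
  let section = "";
  const toKey = (s) => s.trim().toLowerCase().replace(/\s+/g, "_");
  for (const line of message.split(/\r?\n/)) {
    const header = /^(\w[\w ]*):\s*$/.exec(line);
    if (header) { section = toKey(header[1]) + "_"; continue; }
    const kv = /^\t?([\w ]+?):\t+(.+)$/.exec(line);
    if (!kv) { if (line.trim() === "") section = ""; continue; } // blank line ends a section
    out[section + toKey(kv[1])] = kv[2].trim();
  }
  return out;
}

// Parse _raw and return the flattened, named fields plus the reformatted timestamp.
function extractWindowsEvent(raw) {
  const ev = JSON.parse(raw);
  return { event_id: ev.Id, provider: ev.ProviderName,
           time_created: formatTimeCreated(ev.TimeCreated),
           ...parseMessageFields(ev.Message || "") };
}
```

Message text is locale-dependent and the event's Properties array is the stable source on non-English hosts, so treat the Message parser as a convenience for English-language events.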