https://community.dynatrace.com/t5/Log-Analytics/A-call-for-collaboration-Windows-Security-Logs-Parsing/m-p/280733#M1394 <P>So, we need to start parsing Windows Security logs and, boy oh boy, are they all over the place...</P> <P>&nbsp;</P> <P>Since Microsoft doesn't seem to stick with dedicated field names and log formats between the various event types, this is a daunting task...</P> <P>&nbsp;</P> <P>This means that we will basically need to setup custom processors in our OpenPipeline pipeline for each event ID we are interested in parsing.</P> <P>&nbsp;</P> <P>I just built one for 4740 (Account Lockout), and, before I start building pipelines for each ID we're interested in, I was hoping somebody has already done some of this work and would be willing to share!</P> <P>&nbsp;</P> <P>To kickstart the party, I'll share my parser for 4740 events here:</P> <LI-CODE lang="markup">parse content, """LD:winlog.message EOLWIN EOLWIN? 'Subject:' EOLWIN LD 'Security ID:' SPACE LD:winlog.subject.sid EOLWIN LD 'Account Name:' SPACE LD:winlog.subject.account.name EOLWIN LD 'Account Domain:' SPACE LD:winlog.subject.account.domain EOLWIN LD 'Logon ID:' SPACE LD:winlog.subject.logon.id EOLWIN EOLWIN? 'Account That Was Locked Out:' EOLWIN LD 'Security ID:' SPACE LD:winlog.account.sid EOLWIN LD 'Account Name:' SPACE LD:winlog.account.name EOLWIN EOLWIN? 'Additional Information:' EOLWIN LD 'Caller Computer Name:' SPACE LD:winlog.account.computer_name"""</LI-CODE> <P>&nbsp;</P> <P>Even if you just have one or two parsers for Windows Security events, please feel free to share!&nbsp; Hopefully we can make a nice little "repository" of helpful Windows Security parsers here for people to use!</P> <P>And please share classic parsers too!&nbsp; They usually work perfectly with OpenPipeline or can be made to work with very little modification.</P> <P>&nbsp;</P> <P>Thanks!</P> Fri, 04 Jul 2025 06:58:05 GMT 36Krazyfists 2025-07-04T06:58:05Z https://community.dynatrace.com/t5/Log-Analytics/A-call-for-collaboration-Windows-Security-Logs-Parsing/m-p/280733#M1394 <P>So, we need to start parsing Windows Security logs and, boy oh boy, are they all over the place...</P> <P>&nbsp;</P> <P>Since Microsoft doesn't seem to stick with dedicated field names and log formats between the various event types, this is a daunting task...</P> <P>&nbsp;</P> <P>This means that we will basically need to setup custom processors in our OpenPipeline pipeline for each event ID we are interested in parsing.</P> <P>&nbsp;</P> <P>I just built one for 4740 (Account Lockout), and, before I start building pipelines for each ID we're interested in, I was hoping somebody has already done some of this work and would be willing to share!</P> <P>&nbsp;</P> <P>To kickstart the party, I'll share my parser for 4740 events here:</P> <LI-CODE lang="markup">parse content, """LD:winlog.message EOLWIN EOLWIN? 'Subject:' EOLWIN LD 'Security ID:' SPACE LD:winlog.subject.sid EOLWIN LD 'Account Name:' SPACE LD:winlog.subject.account.name EOLWIN LD 'Account Domain:' SPACE LD:winlog.subject.account.domain EOLWIN LD 'Logon ID:' SPACE LD:winlog.subject.logon.id EOLWIN EOLWIN? 'Account That Was Locked Out:' EOLWIN LD 'Security ID:' SPACE LD:winlog.account.sid EOLWIN LD 'Account Name:' SPACE LD:winlog.account.name EOLWIN EOLWIN? 'Additional Information:' EOLWIN LD 'Caller Computer Name:' SPACE LD:winlog.account.computer_name"""</LI-CODE> <P>&nbsp;</P> <P>Even if you just have one or two parsers for Windows Security events, please feel free to share!&nbsp; Hopefully we can make a nice little "repository" of helpful Windows Security parsers here for people to use!</P> <P>And please share classic parsers too!&nbsp; They usually work perfectly with OpenPipeline or can be made to work with very little modification.</P> <P>&nbsp;</P> <P>Thanks!</P> Fri, 04 Jul 2025 06:58:05 GMT https://community.dynatrace.com/t5/Log-Analytics/A-call-for-collaboration-Windows-Security-Logs-Parsing/m-p/280733#M1394 36Krazyfists 2025-07-04T06:58:05Z