Splunk REGEX for WinEventLog TerminalServices-LocalSessionManager

Splunk REGEX for RDP Session Logs

Ever want to get info from the Terminal Services Local Session Manager Operational log on your Windows servers to see who attempts to RDP into them? Well, here is a Splunk REGEX field extraction that pulls out the RDP session info, since Splunk was not able to figure out the field/value pairs on its own. For this REGEX to be useful you need to make sure that you are ingesting the WinEventLog for Microsoft-Windows-TerminalServices-LocalSessionManager/Operational. This event log captures all the events around RDP session creation, usage, and tear down. It is useful for telling who logged in using RDP and whether any errors occurred during the session from start to finish.

In case you are wondering how I got to the REGEX below: Splunk's REGEX engine has its own personality, and the other REGEX tools online output "standard" REGEX that Splunk did not like.

WinEventLog:Microsoft-Windows-TerminalServices-LocalSessionManager/Operational : EXTRACT-TSOpsLog_Domain_UserName
^\d+/\d+/(\d+\s+)+\d+:\d+:(\d+\s+)+(\w+\s+)+\w+=\w+\-\w+\-\w+\-\w+/(\w+\s+)+\w+=\w+\-\w+\-\w+\-(\w+\s+)+\w+=(\d+\s+)+\w+=(\d+\s+)+\w+=(\w+\s+)+\w+=\w+\d+\w+\d+\.\w+\.(\w+\s+)+\w+=\w+_(\w+\s+)+\w+=\w+\-\d+\-\d+\-(\d+\s+)+\w+=(\d+\s+)+\w+=(\w+\s+)+\w+\.\s+\w+=(\w+\s+)+\w+=(\d+\s+)+\w+=(\w+\s+)+\w+=(\w+\s+)+\w+:\s+(\w+\s+)+\w+:\s+\w+:\s+(?P<Domain>\w+\\)(?P<UserName>\w+)

The two named capture groups at the end are what become the Domain and UserName fields in Splunk (the group names match the extraction's name; the Domain value keeps its trailing backslash).
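Before you deploy the extraction it is worth confirming it matches the event layout your forwarder actually produces. The Python check below is an added example, not part of the original post: it runs the page's regex (with the two trailing named groups assumed to be Domain and UserName, as the extraction's name suggests) over a constructed sample event, and shows how tightly the pattern is bound to one event shape (digit runs in the host name, a two-dot FQDN, a short SID, a specific TaskCategory text); an event from a differently named host simply fails to extract, with no error.

```python
import re

# The page's EXTRACT-TSOpsLog_Domain_UserName regex; the two trailing named
# groups are spelled out as Domain and UserName (assumed from the extraction name).
TS_REGEX = re.compile(
    r"^\d+/\d+/(\d+\s+)+\d+:\d+:(\d+\s+)+(\w+\s+)+\w+=\w+\-\w+\-\w+\-\w+/(\w+\s+)+"
    r"\w+=\w+\-\w+\-\w+\-(\w+\s+)+\w+=(\d+\s+)+\w+=(\d+\s+)+\w+=(\w+\s+)+"
    r"\w+=\w+\d+\w+\d+\.\w+\.(\w+\s+)+\w+=\w+_(\w+\s+)+\w+=\w+\-\d+\-\d+\-(\d+\s+)+"
    r"\w+=(\d+\s+)+\w+=(\w+\s+)+\w+\.\s+\w+=(\w+\s+)+\w+=(\d+\s+)+\w+=(\w+\s+)+"
    r"\w+=(\w+\s+)+\w+:\s+(\w+\s+)+\w+:\s+\w+:\s+(?P<Domain>\w+\\)(?P<UserName>\w+)"
)

# Constructed sample event in the multi-line key=value layout Splunk's Windows
# input writes. All values are made up; their shapes (host name with digit runs,
# two-dot FQDN, short SID, "cannot be found." category text) are chosen because
# the regex above accepts only those shapes.
SAMPLE_EVENT = "\n".join([
    "12/20/2018 10:15:32 AM",
    "LogName=Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "SourceName=Microsoft-Windows-TerminalServices-LocalSessionManager",
    "EventCode=21",
    "EventType=4",
    "Type=Information",
    "ComputerName=srv01app02.example.com",
    "User=NOT_TRANSLATED",
    "Sid=S-1-5-18",
    "SidType=0",
    "TaskCategory=The event category cannot be found.",
    "OpCode=Info",
    "RecordNumber=12345",
    "Keywords=None",
    "Message=Remote Desktop Services: Session logon succeeded:",
    "",
    "User: CONTOSO\\jdoe",
    "Session ID: 3",
    "Source Network Address: 10.0.0.5",
])


def extract_rdp_user(event: str):
    """Return {"Domain", "UserName"} for a matching event, else None."""
    # re.match anchors at the start of the string, like ^ in a Splunk EXTRACT.
    m = TS_REGEX.match(event)
    if m is None:
        return None
    # As in Splunk, the Domain group keeps its trailing backslash.
    return {"Domain": m.group("Domain"), "UserName": m.group("UserName")}
```

A host named like `server01.example.com` (no second digit run) will not match at all, so check `extract_rdp_user` against a real event from your own environment before relying on the field in searches.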

Splunk Query for Xen Desktop Services

If you have Citrix Xen Desktop in your environment and want to check which servers the Citrix services are installed on and what state they are in, use these Splunk queries. They are helpful because you don't have to keep an active list of the Xen Desktop servers. You could keep the list of Xen Desktop servers in a lookup, but these queries are dynamic, which saves you the headache of keeping the lookup current. They are also great if you are spinning up Xen servers on demand.

There is a Splunk query for each Citrix service that runs in a Xen Desktop environment so you can create a display for each one individually if you want.

XAV Server
Citrix Audio Redirection Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CtxAudioSvc" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Desktop Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="BrokerAgent" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Diagnostic Facility COM Server
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CdfSvc" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Encryption Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="Citrix Encryption Service" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix End User Experience Monitoring
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="Citrix EUEM" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Group Policy Engine
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixCseEngine" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix HDX MediaStream for Flash Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CtxFlashSvc" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Location and Sensor Virtual Channel Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CtxSensVcSvc" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Mobile Receiver Virtual Channel Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="MRVCSvc" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Print Manager Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="cpsvc" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Profile Management
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="ctxProfile" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix PVS for VMs Agent
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="PvsVmAgent" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Services Manager
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="ServicesManager" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Smart Card Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CtxSmartCardSvc" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Stack Control Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="StackControlService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

Citrix Telemetry Service
index="windows" eventtype=hostmon_windows Type=Service host="*" Name="CitrixTelemetryService" StartMode="Auto" State="*" | dedup host | sort host, State | table host, State

PowerShell Commands to Install Hyper-V

To install Hyper-V using Windows PowerShell, run the following from an elevated PowerShell prompt:

install-windowsfeature -name hyper-v -includemanagementtools -restart

To install Hyper-V using DISM.exe, run the following command from an elevated command prompt:
dism /online /enable-feature /featurename:microsoft-hyper-v

To install the management tools with Windows PowerShell, use the Install-WindowsFeature cmdlet as follows:
install-windowsfeature -name rsat-hyper-v-tools

To install just the Hyper-V Manager or just the Hyper-V PowerShell module, use one of the following commands:
install-windowsfeature -name hyper-v-tools
install-windowsfeature -name hyper-v-powershell