Getting Data In

indexer does not log security logs

arber
Communicator

Hi,

After we upgraded the universal forwarder to version 6.2, the security logs are not indexed anymore on the indexer. The Setup, Application and Active Directory logs are logged correctly, but the Security logs are not. The security logs are arriving, as I can see their content via tcpdump, but they are not indexed.

We have some other servers, not DCs, that are sending security logs correctly even after the upgrade.

Has someone experienced this issue?

Thanks

0 Karma

mbarbaro
Path Finder

Hello,

Does anyone have any update on this issue?

Thanks

0 Karma

Richfez
SplunkTrust

mbarbaro,

This question was essentially not actually a problem - the UF restarted from the beginning of the Event Logs and, in doing so, made it look like it wasn't working anymore. When they waited a bit it all ended up fine.

If you have a similar problem, I'd suggest compiling the information about it and then creating your own, new question to ask about your specific issue.

Happy Splunking,
Rich

0 Karma

arber
Communicator

The problem was fixed... Basically, for an unknown reason, the universal forwarder logged a lot of old events, so we needed to wait a couple of hours before it started logging the recent events.

0 Karma

Runals
Motivator

There are a number of under-the-hood changes with the 6.2 UF. The long and short of what I would look at is whether you are pushing, via the DS, the old version of event viewer logging (monitor:) vs the 6.x version (monitor://) in an inputs.conf; that will get you. The other is that the local inputs.conf is likely in the Splunk_TA_windows app that gets installed on the UF. There are items turned on there, depending on how it was installed, that will send the events to the windows and wineventlog indexes.

Don't know if the above helps or not. We have had to fight through a number of other, similar issues as UFs in our environment start rolling to 6.2. /sigh.

0 Karma

Runals
Motivator

To expand on something above - because the inputs.conf file lives in Splunk_TA_windows now, you might be running into an order-of-precedence issue with whatever package you are pushing from your DS.

0 Karma

arber
Communicator

Thanks for the info. We upgraded the UF from version 6.1.3 to 6.2. We tried to push the settings via DS without changing anything in local/inputs.conf. The settings in the Splunk_TA_windows app that we pushed were correct, but the Security logs were missing.

Then we tried to remove the settings from the DS, do a fresh install and select the settings manually: Setup, System, Application and Security. All the other logs were present; just the Security logs were missing.

0 Karma

dolejh76
Communicator

I would assume that if you check all inputs.conf files as I mentioned above and just set them all to grab Security, then you wouldn't have a problem (with the exception of the default one, as I never change that).

0 Karma

arber
Communicator

Here is the list of settings that we push via DS.

[WinEventLog://Application]
disabled = 0
index = winevents

[WinEventLog://Security]
disabled = 0
index = winevents_security

[WinEventLog://System]
disabled = 0
index = winevents

[WinEventLog://Setup]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = winevents

I even tried to copy these settings to /system/local/inputs.conf and restarted the service, but I still could not see the security logs. The index is there.

0 Karma

dolejh76
Communicator

Have you tried to reinstall the UF? What is the splunkd log saying on the UF? Did you use deployment server to push out configs to the UF?
Restart UF service after updating configs?

John

0 Karma

arber
Communicator

Yeah, sure I did. We use the deployment server to push the settings. I also tried to just select the settings without using the deployment server, but the Security logs still did not show up.

0 Karma

dolejh76
Communicator

Search for all inputs.conf on the UF - make sure you don't have one overwriting the settings.

I know it's a stretch, but a few other things to try to narrow it down...

Install UF on a fresh machine and make sure it is able to dump security logs to server... try to narrow down problem being on server side, or UF side...

You can also remove the UF from the server and make sure that the folder, all registry entries etc. are removed prior to the reinstall.

0 Karma
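Two things in this thread are easy to check mechanically rather than by eye: whether another inputs.conf on the UF is overriding the Security stanza (the precedence point Runals and dolejh76 raise), and whether the effective stanza will replay the whole existing event log on first run (the "old events" behaviour arber and Rich describe). The script below is an added example, not Splunk tooling and not code from anyone in the thread. It builds a constructed UF `etc/` layout in a temp directory, applies the documented global-context precedence for inputs.conf (`system/local`, then each app's `local`, then each app's `default`, then `system/default`, with apps ordered by ASCII name so that `Splunk_TA_windows` beats `ds_windows_inputs`), and reports which file supplied each key. The app names, file contents, and the `will_replay_history` defaults are assumptions made for the demonstration; the legacy `WinEventLog:Name` (no `//`) stanza form it flags is assumed to be the pre-6.x syntax.

```python
"""Resolve which inputs.conf wins for a stanza on a Splunk Universal Forwarder.

Added example (not from the thread, not Splunk's own tooling). It applies the
documented global-context precedence for inputs.conf:
  etc/system/local > etc/apps/*/local > etc/apps/*/default > etc/system/default
and, among apps, ASCII sort order of the app directory name (the app that sorts
first wins; uppercase sorts before lowercase).
"""
import tempfile
from pathlib import Path


def parse_conf(text):
    """Minimal Splunk .conf parser: returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def conf_files_by_precedence(splunk_home):
    """Return existing inputs.conf paths ordered from highest to lowest precedence."""
    etc = Path(splunk_home) / "etc"
    apps_dir = etc / "apps"
    # sorted() orders by code point, which is ASCII order for ASCII names
    apps = sorted(p.name for p in apps_dir.iterdir() if p.is_dir()) if apps_dir.is_dir() else []
    ordered = [etc / "system" / "local" / "inputs.conf"]
    ordered += [apps_dir / a / "local" / "inputs.conf" for a in apps]
    ordered += [apps_dir / a / "default" / "inputs.conf" for a in apps]
    ordered.append(etc / "system" / "default" / "inputs.conf")
    return [p for p in ordered if p.is_file()]


def resolve_stanza(splunk_home, stanza):
    """Merge one stanza across all inputs.conf files; record the winning file per key."""
    merged, origin = {}, {}
    for path in conf_files_by_precedence(splunk_home):  # highest precedence first
        for key, value in parse_conf(path.read_text()).get(stanza, {}).items():
            if key not in merged:  # first (highest-precedence) definition wins
                merged[key] = value
                origin[key] = path.relative_to(splunk_home).as_posix()
    return merged, origin


def legacy_stanzas(splunk_home):
    """Stanzas written as 'WinEventLog:Name' without '//' (assumed pre-6.x form)."""
    found = []
    for path in conf_files_by_precedence(splunk_home):
        for name in parse_conf(path.read_text()):
            if name.startswith("WinEventLog:") and not name.startswith("WinEventLog://"):
                found.append((path.relative_to(splunk_home).as_posix(), name))
    return found


def will_replay_history(settings):
    """True when the UF will read the existing log from the beginning on first run.

    Assumed defaults from inputs.conf.spec: current_only = 0, start_from = oldest.
    That combination is what makes a freshly (re)installed UF look silent for hours
    while it catches up on old events, as happened in this thread.
    """
    return settings.get("current_only", "0") == "0" and settings.get("start_from", "oldest") == "oldest"


def build_sample_uf(root):
    """Constructed layout: the DS-pushed app enables Security, but a local
    inputs.conf inside Splunk_TA_windows (which sorts first) disables it."""
    files = {
        "etc/apps/ds_windows_inputs/local/inputs.conf":
            "[WinEventLog://Security]\ndisabled = 0\nindex = winevents_security\n",
        "etc/apps/Splunk_TA_windows/local/inputs.conf":
            "[WinEventLog://Security]\ndisabled = 1\n",
        "etc/apps/Splunk_TA_windows/default/inputs.conf":
            "[WinEventLog://Security]\ndisabled = 1\nindex = wineventlog\n"
            "[WinEventLog:Application]\ndisabled = 0\n",
        "etc/system/default/inputs.conf": "[default]\nhost = uf01\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


def demo():
    """Build the constructed layout in a temp dir and resolve the Security stanza."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_uf(root)
        merged, origin = resolve_stanza(root, "WinEventLog://Security")
        legacy = legacy_stanzas(root)
    return merged, origin, legacy


if __name__ == "__main__":
    merged, origin, legacy = demo()
    print("Effective [WinEventLog://Security]:")
    for key, value in merged.items():
        print(f"  {key} = {value}    (from {origin[key]})")
    if will_replay_history(merged):
        print("Note: current_only/start_from mean existing events will be replayed first.")
    for path, name in legacy:
        print(f"Legacy stanza [{name}] in {path}")
```

Point it at a real forwarder by calling `resolve_stanza("C:/Program Files/SplunkUniversalForwarder", "WinEventLog://Security")`; a `disabled = 1` that comes from a file you did not push is the override dolejh76 is asking about. `splunk btool inputs list --debug` on the UF gives the same answer from Splunk itself and is the authoritative check; this script only makes the precedence rule visible in a form you can read offline.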