Getting Data In

Windows events: Why no data in the "Message" field?

Bill_B
Communicator

I have a heavy forwarder on a win2008R2 server. Windows security logs are being written to a file on that forwarder and then forwarded to a Splunk Enterprise instance. The problem I am having is that there is no information or data appearing in the "Message=" part of the event. Can anyone tell me why I am not getting this data and how I can fix it?
I have looked at the Windows logs on the forwarder and the "Message" information is there, but not showing in Splunk searches. Here is a sample of a Windows event as it shows in a Splunk search:

09/23/2014 10:32:21 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=xxx.xxx.xxx
TaskCategory=User Account Management
OpCode=Info
RecordNumber=348148916
Keywords=Audit Success
Message=

Thank you for your help.

0 Karma

adonio
Ultra Champion

hello there,
per this website: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740
this is an example of EventCode 4740, A user account was locked out:

Subject:

   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7

Account That Was Locked Out:

   Security ID:  WIN-R9H529RIO4Y\John
   Account Name:  John

Additional Information:

   Caller Computer Name: WIN-R9H529RIO4Y

it does not contain a message.
therefore, the message field has no value

hope it clears it a little

0 Karma

hrawat_splunk
Splunk Employee

Fixing it for 6.5.5.

adonio
Ultra Champion

very odd,
I thought 6.6.0 was just released yesterday...

0 Karma

thuntley
New Member

Bill, were you able to figure this out? We're experiencing the same in our environment.

0 Karma

Bill_B
Communicator

I talked to support and apparently when reading windows events from a file, the message data is not collected. I did not find a fix for this, but you may also want to consult support.

0 Karma

Jeff_Lightly_Sp
Communicator

FWIW, my props and transforms.conf are identical to yours and I'm not seeing that behavior. My REGEX experience is slight too, but I don't think these examples are blacklisting. To clarify, you are looking at .conf's in the default folder, but they could be superseded by .conf's in the local folder... I'm just sayin'.

0 Karma

Bill_B
Communicator

I can confirm that there is no blacklisting. I think it may have to do with the REGEX for reporting the message, but I have no REGEX knowledge/experience.
I'm seeing this in SPLUNK_HOME/etc/system/default/props.conf:

[source::WinEventLog...]
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER = ([\r\n](?=\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2} [aApPmM]{2}))
REPORT-MESSAGE = wel-message, wel-eq-kv, wel-col-kv
KV_MODE=none
TRANSFORMS-FIELDS = strip-winevt-linebreaker

and in transforms.conf:

[wel-message]
REGEX = (?sm)^(?<_pre_msg>.+)\nMessage=(?<Message>.+)$
CLEAN_KEYS = false

[wel-eq-kv]
SOURCE_KEY = _pre_msg
DELIMS     = "\n","="
MV_ADD     = true

[wel-col-kv]
SOURCE_KEY = Message
REGEX      = \n([^:\n\r]+):[ \t]++([^\n]*)
FORMAT     = $1::$2
MV_ADD     = true

0 Karma
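To see what the three transforms in the post above actually do, here is an added Python re-implementation of the REPORT-MESSAGE chain (not Splunk's code, and not from any poster in this thread). It assumes a constructed event that pastes adonio's sample 4740 body under the poster's header, and it swaps the possessive `++` for `+` because Python's `re` only accepts possessive quantifiers from 3.11.

```python
import re

# Constructed event: the poster's header with adonio's 4740 message body pasted
# under Message= (in the original thread that value was empty).
SAMPLE_EVENT = """09/23/2014 10:32:21 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4740
EventType=0
Type=Information
ComputerName=xxx.xxx.xxx
TaskCategory=User Account Management
OpCode=Info
RecordNumber=348148916
Keywords=Audit Success
Message=A user account was locked out.

Subject:
   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7

Account That Was Locked Out:
   Security ID:  WIN-R9H529RIO4Y\\John
   Account Name:  John

Additional Information:
   Caller Computer Name: WIN-R9H529RIO4Y"""

# [wel-message]: split the header (_pre_msg) from the Message body.
WEL_MESSAGE = re.compile(r"(?sm)^(?P<_pre_msg>.+)\nMessage=(?P<Message>.+)$")
# [wel-col-kv]: "Key: value" lines in the body ('+' instead of possessive '++').
WEL_COL_KV = re.compile(r"\n([^:\n\r]+):[ \t]+([^\n]*)")

def extract_fields(event):
    """Apply the REPORT-MESSAGE chain and return {field: [values]} (MV_ADD)."""
    fields = {}
    m = WEL_MESSAGE.search(event)
    # No match (e.g. an empty Message=) leaves only the header to work with.
    pre_msg, message = (m["_pre_msg"], m["Message"]) if m else (event, "")
    for line in pre_msg.split("\n"):  # [wel-eq-kv]: DELIMS "\n","=" on _pre_msg
        if "=" in line:
            key, value = line.split("=", 1)
            fields.setdefault(key, []).append(value)
    fields["Message"] = [message] if message else []
    # [wel-col-kv]: FORMAT $1::$2 over Message; keys are stripped of indentation.
    for key, value in WEL_COL_KV.findall("\n" + message):
        fields.setdefault(key.strip(), []).append(value)
    return fields
```

Running it on the header alone (Message= empty, as in the original post) yields every header field but no Message and none of the colon-separated fields, which shows the transforms are not the culprit: if the body never reaches the file, nothing downstream can recover it.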

Jeff_Lightly_Sp
Communicator

In my limited time using splunk, I've not seen an app automatically do blacklisting.

I've done blacklisting in inputs.conf like:

[WinEventLog://Security]
blacklist1 = EventCode=4662 Message="Object Type:\s+(?!groupPolicyContainer)"

0 Karma

Bill_B
Communicator

No blacklisting was done manually. Could it have been blacklisted automatically by an app or config? I'm checking out the inputs/outputs/transforms files on the hvy forwarder now. Any suggestions on what I should be looking for? Thanks Jeff.

0 Karma

Jeff_Lightly_Sp
Communicator

Is your inputs.conf for the HF blacklisting this field?

0 Karma