Why am I receiving no WinEventlog:Security events from the universal-forwarder?

mark320i
New Member

I am new to Splunk, trying to fill in for someone who has left the company, and the company could not afford to continue service this time around.

I am trying to read Event IDs 4625 and 4624. What I am noticing is that I am getting NO Security events. I do, however, receive Setup events. I am using the Universal Forwarder to get events from Windows 7 and Server 2008 R2 machines. At home I am using a Workgroup and at work a Domain; same results on both.

As for the search, I enter the following: sourcetype=WinEventLog:S*
I also enter 4625* OR 4624*
I can view the events via the Event Viewer, so I know the machine in question has the events. I just need to track whether they are leaving the target machine and reaching the indexer, and then whether the indexer is for some reason filtering the events.

Splunk version 6.0.182037
Splunk Universal Forwarder 6.2.1-245427

Any help, or a pointer to docs, would be helpful. I have been reading a lot of the posts and trying things, but nothing seems to help and I am running out of time!!

Thanks in Advance.

1 Solution

ulikabbq
Path Finder

Does your inputs.conf have

[WinEventLog://Security]
index = indexname
disabled = 0

If not, add that in and restart the forwarder service.

mark320i
New Member

I am receiving Security events from the Indexer, on which I use a Universal Forwarder to send events to itself instead of pointing at the files. I am still not seeing Security events from the standalone Windows 2008 R2 Server. As before, I am still getting the Setup events and Performance events, but no Security events.

Is a trusted certificate required for this transaction? I did not configure that part of the Universal Forwarder.

mark320i
New Member

I just received this error message on the indexer.

received event for unconfigured/disabled/deleted index='indexname' with source='source::WinEventLog:Security' host='host::ASUS' sourcetype='sourcetype::WinEventLog:Security' (2 missing total)


mark320i
New Member

I did find a reference to this in the inputs.conf edit doc. What is interesting is that this seems to be a default setting. Do you know why it did not work? Is this an issue with Splunk, or with the OS, that requires it to be specifically listed?


ulikabbq
Path Finder

I think it would only be a default setting if you selected it during the installation of the forwarder. Most people leave those things undefined and manually configure the inputs.conf.


ulikabbq
Path Finder

Set the index name to an index that exists on your system. You can set it to 'main' if you want it in the main index.
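The two failure modes in this thread (a missing or disabled [WinEventLog://Security] stanza, and an index name in inputs.conf that does not exist on the indexer, which produces the "unconfigured/disabled/deleted index" message) can be caught before restarting the forwarder. The checker below is an added example, not code from the thread or from Splunk; the two .conf texts are constructed samples, and the indexer's index list is assumed to come from its indexes.conf.

```python
import configparser
from typing import List

# Constructed sample inputs.conf from a forwarder that still carries the
# placeholder index name, plus a constructed indexes.conf from the indexer.
SAMPLE_INPUTS = """
[WinEventLog://Security]
index = indexname
disabled = 0

[WinEventLog://Setup]
index = main
disabled = 0
"""

SAMPLE_INDEXES = """
[main]
homePath = $SPLUNK_DB/defaultdb/db

[wineventlog]
homePath = $SPLUNK_DB/wineventlog/db
"""


def _parse(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-style; keys are case-sensitive, so keep case.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_security_input(inputs_text: str, indexes_text: str) -> List[str]:
    """Return the reasons Security events would not be indexed (empty list = looks fine)."""
    inputs, indexes = _parse(inputs_text), _parse(indexes_text)
    stanza = "WinEventLog://Security"
    problems: List[str] = []
    if not inputs.has_section(stanza):
        return [f"no [{stanza}] stanza in inputs.conf"]
    sec = inputs[stanza]
    # Splunk accepts 0/false and 1/true for disabled; 1/true switches the input off.
    if sec.get("disabled", "0").strip().lower() in ("1", "true"):
        problems.append(f"[{stanza}] is disabled")
    # An unset index means 'main', which always exists; anything else must be defined.
    target = sec.get("index", "main").strip()
    known = set(indexes.sections()) | {"main"}
    if target not in known:
        problems.append(f"index '{target}' is not defined on the indexer")
    return problems
```

Run `check_security_input` against the real files (typically under `$SPLUNK_HOME/etc/system/local/` or an app's `local/` directory) after every edit; an empty list means the stanza is present, enabled, and pointed at an index the indexer knows.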

mark320i
New Member

First THANKS!!!!

where is this documented in the Splunk manuals???


mark320i
New Member

Thanks for the response!!
I am assuming that I am adding this to the Universal Forwarder inputs.conf file? I did go ahead and add the text and have restarted twice. I had a similar statement previously, but with disabled = false. Still no success.
