I get two entries in Splunk for the same record (RecordNumber=10993503). One has the host name as an FQDN and the source type as follows:
host = DC1.domain.name
source = WMI:WinEventLog:System
sourcetype = WMI:WinEventLog:System
The other has the following without the FQDN and WMI:
host = DC1
source = WinEventLog:System
sourcetype = WinEventLog:System
Does anyone know how this is happening?
Thanks
Tom
2/23/15
2:44:57.000 PM
20150223144457.000000
Category=0
CategoryString=NULL
EventCode=5805
EventIdentifier=5805
EventType=1
Logfile=System
RecordNumber=10993503
SourceName=NETLOGON
TimeGenerated=20150223194457.000000-000
TimeWritten=20150223194457.000000-000
Type=Error
User=NULL
ComputerName=DC1.domain.name
wmi_type=WinEventLog:System
Message=The session setup from the computer BOBCAT-8 failed to authenticate. The following error occurred:
Access is denied.
host = DC1.domain.name
source = WMI:WinEventLog:System
sourcetype = WMI:WinEventLog:System
2/23/15
2:44:57.000 PM
02/23/2015 02:44:57 PM
LogName=System
SourceName=NETLOGON
EventCode=5805
EventType=2
Type=Error
ComputerName=DC1.domain.name
TaskCategory=The operation completed successfully.
OpCode=Info
RecordNumber=10993503
Keywords=Classic
Message=The session setup from the computer BOBCAT-8 failed to authenticate. The following error occurred:
Access is denied.
host = DC1
source = WinEventLog:System
sourcetype = WinEventLog:System
Found that Snare was also installed and posting to Splunk. That is why one was sourcetype=WMI:WinEventLog:System and the other was not (just WinEventLog:System).
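A quick way to confirm the diagnosis in the answer above, as an added example that is not part of the original thread: parse the raw text of both event formats shown in the question, normalise the host name (the WMI input reports the FQDN, the event log input the short name), and group on the (machine, log name, RecordNumber) triple, which identifies one Windows event regardless of which input forwarded it. Any group seen under more than one sourcetype is the same event ingested twice, which doubles alert counts and licence usage. The sample events, field subset, and function names are constructed for this example and modelled on the two copies of RecordNumber 10993503 in the thread.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the thread: RecordNumber 10993503
# arrives twice (WMI input with FQDN host, event log input with short host);
# RecordNumber 10993504 arrives once. Only the fields used here are kept.
SAMPLE_EVENTS = [
    {
        "host": "DC1.domain.name",
        "sourcetype": "WMI:WinEventLog:System",
        "_raw": (
            "20150223144457.000000\n"
            "EventCode=5805\n"
            "Logfile=System\n"
            "RecordNumber=10993503\n"
            "SourceName=NETLOGON\n"
            "ComputerName=DC1.domain.name\n"
            "Message=The session setup from the computer BOBCAT-8 failed to authenticate. The following error occurred:\n"
            "Access is denied."
        ),
    },
    {
        "host": "DC1",
        "sourcetype": "WinEventLog:System",
        "_raw": (
            "02/23/2015 02:44:57 PM\n"
            "LogName=System\n"
            "SourceName=NETLOGON\n"
            "EventCode=5805\n"
            "ComputerName=DC1.domain.name\n"
            "TaskCategory=The operation completed successfully.\n"
            "RecordNumber=10993503\n"
            "Message=The session setup from the computer BOBCAT-8 failed to authenticate. The following error occurred:\n"
            "Access is denied."
        ),
    },
    {
        "host": "DC1",
        "sourcetype": "WinEventLog:System",
        "_raw": (
            "02/23/2015 02:45:10 PM\n"
            "LogName=System\n"
            "EventCode=5805\n"
            "RecordNumber=10993504\n"
            "ComputerName=DC1.domain.name\n"
            "Message=The session setup from the computer BOBCAT-9 failed to authenticate."
        ),
    },
]

KV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_raw(raw):
    """Turn one raw event (either input's format) into a field dict.

    Lines of the form Key=Value become fields. Any other line (the leading
    timestamp, or the continuation of a multi-line Message) is folded into
    the most recent field so the message text stays whole.
    """
    fields, last_key = {}, None
    for line in raw.splitlines():
        m = KV_LINE.match(line)
        if m:
            last_key, value = m.group(1), m.group(2)
            fields[last_key] = value
        elif last_key is not None:
            fields[last_key] += "\n" + line
    return fields


def short_host(name):
    """Collapse 'DC1.domain.name' and 'DC1' onto the same key."""
    return name.split(".")[0].lower()


def event_key(event):
    """Identity of a Windows event independent of the collection path.

    RecordNumber is unique per log on a given machine. The WMI input names
    the log 'Logfile', the event log input names it 'LogName'.
    """
    fields = parse_raw(event["_raw"])
    log = fields.get("Logfile") or fields.get("LogName") or ""
    machine = fields.get("ComputerName") or event["host"]
    return (short_host(machine), log, fields.get("RecordNumber", ""))


def find_duplicate_paths(events):
    """Return {event_key: sorted sourcetypes} for events seen via >1 sourcetype."""
    seen = defaultdict(set)
    for ev in events:
        seen[event_key(ev)].add(ev["sourcetype"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for (host, log, record), paths in find_duplicate_paths(SAMPLE_EVENTS).items():
        print(f"{host} {log} RecordNumber={record} collected via: {', '.join(paths)}")
```

Running the script on the constructed sample reports RecordNumber 10993503 as collected via both `WMI:WinEventLog:System` and `WinEventLog:System`, while 10993504 is silent. The same check inside Splunk is a `stats dc(sourcetype) AS paths values(sourcetype) BY ComputerName RecordNumber | where paths > 1` over the Windows event sourcetypes; grouping on `ComputerName` rather than `host` matters because, as the question shows, the two inputs set `host` differently.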
Hi @fcuisit
Are you also the user who posted this question, just using a different account?
Oh yeah, didn't realize it.
Are you sure you only have one inputs.conf entry that pulls System event logs?
If you go to event viewer on the source host, do you just see a single event being logged?