
sourcetype="WinEventLog:Security" vs sourcetype="WMI:WinEventLog:Security"

sideview
SplunkTrust

I'm not sure if this is something that I did on this system, or something the Windows app did maybe, but why do I have all my local WinEventLog data getting indexed twice?

Everything comes in as both sourcetype="WinEventLog:Security" and sourcetype="WMI:WinEventLog:Security".

And can someone tell me which one I should turn off?

At a higher level it's quite silly that all of the source keys for the Windows inputs are set to the exact same value as the sourcetype. I would expect something more along the lines of:

  1. sourcetype="WinEventLog:Security" source="WMI"
  2. sourcetype="WinEventLog:Security" source="localEventLog"
1 Solution

snerge
Engager

I can confirm that I have the same behavior on a brand new install (with the Windows App) running on Windows 2008 R2 64-bit as the local system account. It indexes everything twice, but I'm not sure they are exactly the same, as you can see on my screenshot:

Splunk Screenshot

You can see that one host is indexed as DC02 and the other is indexed with the domain name. You can also see that the Application logs match at 3944 events and the System logs match at 3210, but the Security log from WinEventLog has 20 more events than WMI:WinEventLog at the exact same update time.

I have also noticed that the difference between WinEventLog and WMI:WinEventLog is even bigger if you run Splunk as "Domain Administrator".

Finally, in the Windows App, when you try to run any search query related to Event logs, it only searches for events from WinEventLog and not from WMI:WinEventLog, thus you will only get results for the localhost unless you edit the queries.

That is what I have experienced so far.

Follow-up:

After further testing, it appears to me that the Windows App forces local Event logging, which logs information as WinEventLog. When you enable remote log collection, it uses WMI:WinEventLog. I won't be using the Windows App on my deployment, so I will be turning off local logging and using WMI only, as they finally seem to be collecting the same information.



proctorgeorge
Path Finder

I believe they are equal because in the end, they both are probably making the same WMI query.

But, that said, I usually turn off the WMI one because the Sourcetype is longer.

They both come from the Windows app, the first one comes from an entry in wmi.conf and the second from an inputs.conf entry.

I believe they both get turned on if you choose to turn on every WMI input by default and also turn on every WinEventLog input as well during install, though that might not be the case. I have only noticed it happening on my 4.2 Indexer after I upgraded from 4.1.x with upgraded windows app as well.

gpullis
Communicator

sourcetype="WinEventLog:Security" is a Windows instance of Splunk getting its own event log.

sourcetype="WMI:WinEventLog:Security" is a Windows instance getting the event log of (usually) a remote system via WMI queries.

I'd turn off the WMI one.

Typically "source=" refers to the specific file the event is coming from and "sourcetype" is a more meta value of what kind of source it is. This makes sense when Splunk is monitoring files, but because Windows event data isn't thought of as a file, the convention breaks down.

Maybe Splunk should use the path to the .evt file as the source. That might be nice when you're splunking in restored .evt files. 🙂
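The two answers above describe the same root cause from different angles: the native event log input (a `WinEventLog` stanza in inputs.conf, sourcetype `WinEventLog:<channel>`) and the WMI input (a `WMI:` stanza in wmi.conf with `event_log_file`, sourcetype `WMI:WinEventLog:<channel>`) both read the local machine's log when both are enabled. The script below is an added example for this thread, not code from Splunk or the Windows app. It parses the two .conf files, overlays local overrides on the app defaults, and reports every channel that is enabled in both places. The stanza names and sample contents are constructed to mirror what the thread describes, and the layering is a simplification of Splunk's real precedence rules; on a live system, `splunk btool inputs list --debug` and `splunk btool wmi list --debug` give the authoritative merged view.

```python
"""Flag Windows event log channels that Splunk would collect twice.

Added example for this thread, not from Splunk or the Windows app.
A channel is double-collected when an enabled [WinEventLog:<ch>] (or
[WinEventLog://<ch>]) stanza in inputs.conf coexists with an enabled
[WMI:...] stanza in wmi.conf whose event_log_file is the same channel
and which targets the local host. Stanza names below are constructed
to match the thread; layering is a simplified version of Splunk's
precedence (later layer wins per key).
"""
import re

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<val>.*?)\s*$")
LOCAL_TARGETS = ("", "localhost", "127.0.0.1")


def parse_conf(text):
    """Parse Splunk's INI-like .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key").lower()] = m.group("val")
    return stanzas


def merge_layers(layers):
    """Overlay later layers on earlier ones, key by key (simplified precedence)."""
    merged = {}
    for text in layers:
        for stanza, kv in parse_conf(text).items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def is_enabled(kv):
    return kv.get("disabled", "0").strip().lower() not in ("1", "true")


def local_channels(inputs):
    """Channels read by the native input; both 'WinEventLog:X' and 'WinEventLog://X' forms."""
    out = {}
    for stanza, kv in inputs.items():
        m = re.match(r"^WinEventLog:(?://)?(.+)$", stanza)
        if m and is_enabled(kv):
            out[m.group(1)] = stanza
    return out


def wmi_channels(wmi):
    """Channels read via WMI against the local host (no 'server' key, or localhost)."""
    out = {}
    for stanza, kv in wmi.items():
        if not (stanza.startswith("WMI:") and "event_log_file" in kv and is_enabled(kv)):
            continue
        # 'server' names the remote host(s) to query; absent means the local machine.
        if kv.get("server", "").strip().lower() in LOCAL_TARGETS:
            out.setdefault(kv["event_log_file"].strip(), []).append(stanza)
    return out


def find_double_collection(inputs_layers, wmi_layers):
    """Return sorted (channel, native_stanza, wmi_stanza) triples collected twice."""
    native = local_channels(merge_layers(inputs_layers))
    via_wmi = wmi_channels(merge_layers(wmi_layers))
    return sorted((ch, native[ch], s) for ch, stanzas in via_wmi.items()
                  if ch in native for s in stanzas)


# Constructed samples modelled on the thread: app defaults enable both paths.
WINDOWS_APP_INPUTS = """
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
"""
WINDOWS_APP_WMI = """
[WMI:LocalApplication]
event_log_file = Application
[WMI:LocalSecurity]
event_log_file = Security
[WMI:LocalSystem]
event_log_file = System
"""
# Local override following the advice above: keep the native input, disable the WMI copy.
LOCAL_WMI_OVERRIDE = """
[WMI:LocalApplication]
disabled = 1
[WMI:LocalSecurity]
disabled = 1
[WMI:LocalSystem]
disabled = 1
"""

if __name__ == "__main__":
    for label, wmi in (("app defaults", [WINDOWS_APP_WMI]),
                       ("with local override", [WINDOWS_APP_WMI, LOCAL_WMI_OVERRIDE])):
        dupes = find_double_collection([WINDOWS_APP_INPUTS], wmi)
        print(f"{label}: {len(dupes)} double-collected channel(s)")
        for ch, native, wmi_stanza in dupes:
            print(f"  {ch}: [{native}] -> WinEventLog:{ch}, [{wmi_stanza}] -> WMI:WinEventLog:{ch}")
```

Once one side is disabled, confirm on the indexer with a search such as `sourcetype="WinEventLog:Security" OR sourcetype="WMI:WinEventLog:Security" | stats count by sourcetype, host`; only one sourcetype should keep growing. Note the host difference snerge observed (short name for one input, domain name for the other): any detection search that filters on `host` needs to account for whichever input you keep.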
