
Splunk Add-on for Microsoft Windows: How to find the cause of missing Windows Security Event Log entries?

cbright
Explorer

I have searched the Answers site and cannot find an answer to why I get logoff events but intermittently am missing logon events in Splunk.

This is a big problem for us and I have opened a ticket with Splunk Support, but that also went nowhere, and I am hoping someone has had this issue and found a cause/fix.

We on occasion see logoff events but cannot find the logon event anywhere. We do have a product called Adiscon that also grabs event log entries and it always has both events. We are using the Splunk_TA_Windows add-on with the following settings:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 560,562,565-567,4656-4658,4661-4663,4928-4934
index = wineventlog
renderXml = false

Hoping someone can help.

0 Karma

Lindaiyu
Path Finder

Have you found a solution? We have the same problem.
Thank you

0 Karma

dstaulcu
Builder

Stanza looks ok to me. As part of troubleshooting I would simplify by removing blacklist entries to see if that changes the outcome in any way with regard to the missing events.

Is the stanza you are showing the output of btool query? If not, I'd recommend running splunk.exe cmd btool inputs list WinEventLog://Security to ensure that you do not have any other conflicting inputs defined on your forwarder. If the outputs are not what you expect, add the "--debug" flag to the end of the query to show the input files corresponding to each specification associated with the stanza.

If you are getting some security events but not all security events and you are not blacklisting them on the universal forwarder, take a look at your props/transforms.conf on receivers/indexers to ensure you are not null-routing or rewriting events along the path.

0 Karma
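As an added check that is not part of this thread, the symptom in the question (logoffs arrive, logons do not) can be measured rather than eyeballed: Windows Security events 4624 (logon) and 4634/4647 (logoff) share the Logon ID field, so a logoff whose Logon ID was never seen in a 4624 points at a logon that was never ingested. The records below are assumed to be dicts as you might export from a Splunk search (EventCode, Logon_ID, _time, host); the sample data is constructed.

```python
"""Find logoff events whose matching logon never made it into Splunk.

Added example, not from the original thread. Records are assumed to carry
EventCode, Logon_ID, _time and host fields; the sample set is constructed.
"""

LOGON_CODES = {4624}          # successful logon
LOGOFF_CODES = {4634, 4647}   # logoff / user-initiated logoff

# Constructed sample: three sessions on WS01/WS02, one of which (0x5f3a1)
# logs off without a logon ever having been indexed.
SAMPLE_EVENTS = [
    {"_time": 1, "EventCode": 4624, "Logon_ID": "0x3e7a2", "host": "WS01"},
    {"_time": 2, "EventCode": 4624, "Logon_ID": "0x4b9c0", "host": "WS01"},
    {"_time": 5, "EventCode": 4634, "Logon_ID": "0x3e7a2", "host": "WS01"},
    {"_time": 6, "EventCode": 4647, "Logon_ID": "0x5f3a1", "host": "WS02"},
    {"_time": 7, "EventCode": 4634, "Logon_ID": "0x4b9c0", "host": "WS01"},
    {"_time": 8, "EventCode": 4624, "Logon_ID": "0x71c44", "host": "WS02"},
]


def orphaned_logoffs(events):
    """Return logoff events (in time order) whose Logon ID had no prior logon.

    The key is (host, Logon ID) because Logon IDs are only unique per boot of
    one machine. A logon that happened before the start of your search window
    will also show up here, so widen the window before trusting a hit.
    """
    seen_logons = set()
    orphans = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = (ev["host"], ev["Logon_ID"].lower())
        if ev["EventCode"] in LOGON_CODES:
            seen_logons.add(key)
        elif ev["EventCode"] in LOGOFF_CODES and key not in seen_logons:
            orphans.append(ev)
    return orphans


def gap_ratio(events):
    """Fraction of logoffs with no matching logon; 0.0 means nothing is missing."""
    logoffs = [e for e in events if e["EventCode"] in LOGOFF_CODES]
    if not logoffs:
        return 0.0
    return len(orphaned_logoffs(events)) / len(logoffs)


if __name__ == "__main__":
    for ev in orphaned_logoffs(SAMPLE_EVENTS):
        print(f"{ev['host']}: Logon ID {ev['Logon_ID']} logged off at "
              f"t={ev['_time']} with no logon indexed")
    print(f"gap ratio: {gap_ratio(SAMPLE_EVENTS):.2f}")
```

Run it over the same export taken from the forwarder's local event log (or from the second collector mentioned in the question) and from Splunk; a ratio that is zero locally but non-zero in Splunk confirms the loss is in the ingestion path, which is where the btool and props/transforms checks above apply.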