windows 2003 server security logs

jbanda
Path Finder

I have an issue that I hope is the result of a painfully obvious misconfiguration on my part. I have a Splunk indexer running the 64-bit version of Splunk 4.1.4 on a RHEL 5.5 64-bit machine, and there is a "similar enough" version with the same specifications that I have running in a test environment. I haven't had much experience trying the Windows app (mostly I've been using it to harvest log files from Exchange and IIS servers on the Windows side), but I'm trying to use the Windows app to get some login reports going.

Attempting to get some information out, I noticed that our Windows 2008 boxes seemed to be reporting on all three default event log types successfully, but for some reason our 2003 boxes were only reporting on the Application and System logs. Thinking I may have messed something up along the way, I tried it on the test Splunk server we have, pointing a few test Windows 2008 and 2003 boxes at it. I was getting the same results (oh, and all clients were also running 4.1.4 and were acting as light forwarders with the Windows app enabled).

For comparison's sake, this is the inputs.conf file in our test environment for both the Windows 2003 and Windows 2008 server:

[default]
# AD object resolution settings shared by every stanza below (left empty here)
evt_dc_name =
evt_dns_name =

[WinEventLog:Application]
disabled = 0
# read the whole existing log, not just new events, and checkpoint every 5 s
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:Security]
disabled = 0
start_from = oldest
current_only = 0
# do not look up SIDs/GUIDs against AD when rendering Security events
evt_resolve_ad_obj = 0
checkpointInterval = 5

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

[monitor://$WINDIR\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
disabled = 0

With that inputs.conf on both servers, I can see security events coming from the Windows 2008 box (showing up with a sourcetype of "WinEventLog:Security"), but I cannot see this same sourcetype for our Windows 2003 box, although I do see the other two sourcetypes (WinEventLog:System and WinEventLog:Application).

I do notice this entry in the splunkd.log file on the Windows 2003 server:

"INFO  WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. Switching using the old Windows Event Log api: The specified module could not be found.."

However, later on in the same log file on the same box, I see this:

"INFO  WinEventLogChannel - Initialized Windows Event Log='Security' Success; oldest_rec_id='11422142'; newest_rec_id='11476627'; total_rec='54486'
INFO  WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'"

and then later, I see this:

"WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log 'Security': total_events='56849' with empty_msg='0'."

Looks like it's at least trying to read the security events... but I'm not sure why they aren't showing up on our indexer (at least not with that sourcetype and/or associated with the correct host).

Is there anything special that I'm missing that has to be done for Windows 2003 Server light forwarders?

0 Karma
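The splunkd.log lines quoted above already answer half of the question: the forwarder opened the Security log and read events out of it, so the gap is between the forwarder and the indexer, not between the forwarder and Windows. The script below is an added example, not part of the original post or of Splunk's own tooling. It parses the WinEventLogChannel/WinEventLogInputProcessor messages into a per-channel status and then compares the channels the forwarder actually read against the sourcetypes the indexer is showing for that host. The log lines and the sourcetype set are constructed from the excerpts in the question; in practice the sourcetype set would come from a search on the indexer such as `host=<win2003 box> | stats count by sourcetype` (that search is an assumption about how you would gather it, not something the post shows).

```python
"""Cross-check a Windows light forwarder's splunkd.log against the indexer.

Added example (not from the original post). Sample log lines below are
constructed from the excerpts quoted in the question; timestamps omitted.
"""
import re
from dataclasses import dataclass

# Message shapes taken from the splunkd.log excerpts in the question.
API_RE = re.compile(r"initWinEvtApi: .*Switching using the old Windows Event Log api")
INIT_RE = re.compile(
    r"Initialized Windows Event Log='(?P<channel>[^']+)' (?P<status>\w+); "
    r"oldest_rec_id='(?P<oldest>\d+)'; newest_rec_id='(?P<newest>\d+)'; "
    r"total_rec='(?P<total>\d+)'"
)
DONE_RE = re.compile(
    r"Finished processing existing Windows Event Log '(?P<channel>[^']+)': "
    r"total_events='(?P<events>\d+)' with empty_msg='(?P<empty>\d+)'"
)


@dataclass
class ChannelStatus:
    initialized: bool = False   # "Success" seen on the Initialized line
    total_rec: int = 0          # record count reported at open time
    events_read: int = 0        # events the input processor actually emitted
    empty_msg: int = 0          # events whose message body could not be rendered


def parse_splunkd_log(lines):
    """Return (uses_legacy_api, {channel_name: ChannelStatus})."""
    legacy_api = False
    channels = {}
    for line in lines:
        if API_RE.search(line):
            legacy_api = True            # XP/2003 fallback to the old Event Log API
            continue
        m = INIT_RE.search(line)
        if m:
            st = channels.setdefault(m["channel"], ChannelStatus())
            st.initialized = m["status"] == "Success"
            st.total_rec = int(m["total"])
            continue
        m = DONE_RE.search(line)
        if m:
            st = channels.setdefault(m["channel"], ChannelStatus())
            st.events_read = int(m["events"])
            st.empty_msg = int(m["empty"])
    return legacy_api, channels


def missing_at_indexer(channels, indexed_sourcetypes):
    """Channels the forwarder read successfully but whose WinEventLog:<name>
    sourcetype never shows up for this host on the indexer."""
    return sorted(
        name for name, st in channels.items()
        if st.initialized and st.events_read > 0
        and f"WinEventLog:{name}" not in indexed_sourcetypes
    )


def still_growing(channels):
    """Channels that delivered more events than existed at open time, i.e. the
    log kept being written while the backlog was read (normal for Security)."""
    return sorted(n for n, st in channels.items() if st.events_read > st.total_rec)


# Constructed sample, modelled on the lines quoted in the question.
SAMPLE_SPLUNKD_LOG = [
    "INFO  WinEventLogChannel - initWinEvtApi: We must be in an XP/2k3 family OS. "
    "Switching using the old Windows Event Log api: The specified module could not be found..",
    "INFO  WinEventLogChannel - Initialized Windows Event Log='Application' Success; "
    "oldest_rec_id='1'; newest_rec_id='3120'; total_rec='3120'",
    "INFO  WinEventLogChannel - Initialized Windows Event Log='Security' Success; "
    "oldest_rec_id='11422142'; newest_rec_id='11476627'; total_rec='54486'",
    "INFO  WinEventLogChannel - Initialized Windows Event Log='System' Success; "
    "oldest_rec_id='1'; newest_rec_id='8804'; total_rec='8804'",
    "INFO  WinEventLogInputProcessor - main-thread: Processing existing Windows Event Log 'Security'",
    "INFO  WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log "
    "'Application': total_events='3120' with empty_msg='0'.",
    "INFO  WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log "
    "'Security': total_events='56849' with empty_msg='0'.",
    "INFO  WinEventLogInputProcessor - main-thread: Finished processing existing Windows Event Log "
    "'System': total_events='8804' with empty_msg='0'.",
]

# Constructed: what `stats count by sourcetype` for the 2003 host is described as showing.
INDEXED_SOURCETYPES = {"WinEventLog:Application", "WinEventLog:System", "WindowsUpdateLog"}

if __name__ == "__main__":
    legacy, chans = parse_splunkd_log(SAMPLE_SPLUNKD_LOG)
    print("legacy Event Log API:", legacy)
    for name, st in sorted(chans.items()):
        print(f"{name:12} init={st.initialized} total_rec={st.total_rec} "
              f"events_read={st.events_read} empty_msg={st.empty_msg}")
    print("read by forwarder but absent on indexer:", missing_at_indexer(chans, INDEXED_SOURCETYPES))
    print("channels still growing during backlog read:", still_growing(chans))
```

Two things this makes visible. First, `total_events='56849'` being larger than `total_rec='54486'` is not an error: the Security log on a domain-joined box is written continuously, so the backlog grew while it was being read. Second, because the Security channel both initialized with `Success` and emitted events, the forwarder's service account evidently already holds the right to read the Security log (on the old API that is the "Manage auditing and security log" user right, which Local System has), so a permissions fix on the 2003 box is not the first thing to look at; a host/sourcetype search on the indexer, or the forwarder's own metrics and tcpout status, is.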

samjack
New Member

Have you tested using the latest version of the forwarder? That is what I would try. I doubt updating the version of the forwarder without updating the Splunk indexer version will matter much in this case.

0 Karma