Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security and Splunk Add-On for Windows

jeburkes76
Explorer
‎12-10-2018 12:16 PM

As best as I can tell there is a bug between the Splunk Enterprise Security App and Splunk Add-On for Windows. The Splunk Enterprise Security App Windows Event Log Cleared looks for sourcetype=wineventlog:security. However the Splunk Add-On for Windows props file that renames wineventlog:security back to wineventlog causing the Windows Event Log Cleared to never fire.

Additionally, the transform regex may be wrong, not sure, could not get it to fire as written so I created a custom transform, (?m)^LogName=(\S+).

0 Karma
Reply

adonio
Ultra Champion
‎12-10-2018 05:42 PM

is there a question here?
what is the version of the windows TA you are using?
iirc, the 5.0 version has those bugs and it says somewhere in the docs to go back to 4.8.4

0 Karma
Reply

jeburkes76
Explorer
‎12-14-2018 04:38 AM

I guess sort of a question, I am new to transforms and props configuration files so it was a sanity check. Maybe my team and I made a mistake and installed a later version of the Add-On for Microsoft version 5.0.1 but we believe it came with ES 5.20 when we installed hence our confusion and concern if it is a known issue. This is a test environment so maybe we missed something. Thanks for the info.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...