I can't seem to figure out why I am not getting all of the Security logs. I have checked the blacklists. I can see event ID 5136 and 5141 but I am missing 4720. These events are coming from the DC.
4720 is creating an account
5136 is modifying an account
5141 is deleting an account
Here is what is on the server.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
# Drop directory-service access events unless the object is a GPO container
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
# Message="" is an empty regex and matches every message, so these rules
# drop all events with the given EventCode
blacklist3 = EventCode="5156" Message=""
blacklist4 = EventCode="4656" Message=""
blacklist5 = EventCode="5158" Message=""
blacklist8 = EventCode="4690" Message=""
blacklist9 = EventCode="4673" Message=""
blacklist10 = EventCode="4660" Message=""
index = siem
renderXml = false
sourcetype = wineventlog
_meta = envir::PROD
[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5
index = siem
renderXml = false
sourcetype = wineventlog
_meta = envir::PROD
Hi @acsanders,
In order to help you further, it would be great if you could provide us with the inputs.conf from the Universal Forwarders that are installed on your DCs.
Below is what the inputs.conf looks like.
Also, I have validated that 4720 shows in the event log.
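A quick way to settle whether the posted blacklist rules are the reason 4720 is missing is to replay the rules against sample events. The script below is an added example, not code from the poster or from Splunk; it copies the blacklist lines from the inputs.conf above and evaluates them with what I understand Splunk's WinEventLog blacklist semantics to be (every key="regex" pair in one rule must match, regexes are unanchored searches, and any rule matching drops the event). That reading of the semantics is an assumption, and the sample events are constructed with abbreviated message text, not real DC events.

```python
import re
from typing import Dict, Optional, Pattern

# Constructed copy of the blacklist part of the poster's [WinEventLog://Security]
# stanza. Only the blacklist* keys are used by this check.
INPUTS_CONF = r"""
[WinEventLog://Security]
disabled = 0
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist3 = EventCode="5156" Message=""
blacklist4 = EventCode="4656" Message=""
blacklist5 = EventCode="5158" Message=""
blacklist8 = EventCode="4690" Message=""
blacklist9 = EventCode="4673" Message=""
blacklist10 = EventCode="4660" Message=""
index = siem
"""

# key="regex" pairs; the value may contain escaped characters such as \s
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_blacklists(conf_text: str) -> Dict[str, Dict[str, Pattern]]:
    """Return {rule_name: {field: compiled_regex}} for every blacklist* key."""
    rules: Dict[str, Dict[str, Pattern]] = {}
    for line in conf_text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if not key.startswith("blacklist"):
            continue
        rules[key] = {field: re.compile(rx) for field, rx in PAIR_RE.findall(value)}
    return rules


def matching_rule(event: Dict[str, str], rules: Dict[str, Dict[str, Pattern]]) -> Optional[str]:
    """Name of the first rule that drops `event`, or None if it is forwarded.

    Assumed Splunk semantics: all field regexes in one rule must match (AND),
    matching is an unanchored search, and an empty regex matches anything.
    """
    for name, pairs in rules.items():
        if all(rx.search(event.get(field, "")) for field, rx in pairs.items()):
            return name
    return None


# Constructed sample events (message text shortened to the fields that matter).
SAMPLE_EVENTS = {
    "user_created": {
        "EventCode": "4720",
        "Message": "A user account was created.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-1-2-3-500",
    },
    "ds_access_user": {
        "EventCode": "4662",
        "Message": "An operation was performed on an object.\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\tuser",
    },
    "ds_access_gpo": {
        "EventCode": "4662",
        "Message": "An operation was performed on an object.\r\n\tObject Server:\t\tDS\r\n\tObject Type:\t\tgroupPolicyContainer",
    },
    "handle_requested": {
        "EventCode": "4656",
        "Message": "A handle to an object was requested.",
    },
    "ds_object_modified": {
        "EventCode": "5136",
        "Message": "A directory service object was modified.",
    },
}


def audit(events=SAMPLE_EVENTS, conf_text: str = INPUTS_CONF) -> Dict[str, Optional[str]]:
    """Map each sample event label to the rule that drops it (None = forwarded)."""
    rules = parse_blacklists(conf_text)
    return {label: matching_rule(ev, rules) for label, ev in events.items()}


if __name__ == "__main__":
    for label, rule in audit().items():
        print(f"{label:20s} -> {'dropped by ' + rule if rule else 'forwarded'}")
```

With the rules as posted, the 4720 sample is forwarded, the non-GPO 4662 is dropped by blacklist1, the GPO 4662 passes, and 4656 is dropped by blacklist4. If the real events behave the same way, the blacklist is not what is hiding 4720, and the forwarder's splunkd.log and a search for `index=siem EventCode=4720` are the next places to look.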