hi ,
We could be the issue regarding the absence of Windows Security Command Line " EventCode=4688 ParentProcessName="C:\\Windows\\System32\\cmd.exe" events.
I have not blacklisted it in any of the app.
Thanks.
@AL3Z Can you may be run btool to check the full configuration?
Hi, Where exactly we can run this btool to check the configurations. I dnt have back end access can we check in ui.
@AL3Z
$SPLUNK_HOME$/bin/splunk btool inputs list --debug
@bharathkumarnec Hi,
After investigating I came across audit process creation is this causing this issue ??
https://docs.splunk.com/Documentation/ES/7.2.0/Admin/ConfigureLogging
@AL3Z please check if the source is generating the data in the event viewer with the information that you are looking ?
Yes, it is generating the data in the event viewer!