WinEventLog:Security - Unexpected Increase in Events

jeremyarcher
Path Finder

This isn't specifically a Splunk question but the effects of this have put my Splunk server into craziness.

On July 5th (late in the evening) our systems started generating a crazy number of AD Event Code 4624 events. Usually they would do around 10-15 per hour. Now they are doing 18-20k per hour.

Has anyone seen anything like this before? Our domain controllers (Win2012R2) were patched that day but no group policy changes.

Anyone else seen anything similar or a way to tune the number of these down?

0 Karma

jeffland
SplunkTrust
SplunkTrust

Assuming you are running a Universal Forwarder on the source of these logs, you could try the following in limits.conf:

[thruput]
maxKBps = <integer>
* If specified and not zero, this limits the speed through the thruput processor to the specified rate in kilobytes per second.
* To control the CPU load while indexing, use this to throttle the number of events this indexer processes to the rate (in KBps) you specify. 

Reducing this setting might help to throttle the number of events you receive. Actually, I am not sure how Splunk handles the remaining data; I would presume it just piles up in the buffer of the forwarder until that is full and then uses the disk as a buffer, just as the forwarder does with indexing acknowledgement enabled. The way I understood you, you want the overflowing events dropped, but I don't know how to influence this behavior.

If you want to figure out the root of this problem and in the meantime disregard all those events, you can simply route them to the nullqueue. See here for how that is done (your regex would then just contain 4624).

0 Karma
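The nullQueue routing the answer above refers to, written out as an added example (this is not configuration from the thread or from Splunk's own docs; stanza names such as drop_4624 and the sourcetype WinEventLog:Security are assumptions). The props.conf/transforms.conf pair takes effect where parsing happens, i.e. on the indexer or a heavy forwarder, not on a Universal Forwarder; the inputs.conf blacklist is the equivalent that a UF can apply before the event ever leaves the domain controller, which also removes the bandwidth cost. Both drop only Event ID 4624, so the 4625 failures and the rest of the Security log keep flowing while the root cause is worked out.

```ini
# transforms.conf (indexer or heavy forwarder) - assumed stanza name
[drop_4624]
# Windows events are multi-line; (?m) lets ^ match the EventCode line
REGEX = (?m)^EventCode=4624
DEST_KEY = queue
FORMAT = nullQueue

# props.conf (same tier) - bind the transform to the Security sourcetype
[WinEventLog:Security]
TRANSFORMS-drop4624 = drop_4624

# inputs.conf (Universal Forwarder on the DC) - filter at collection instead
[WinEventLog://Security]
disabled = 0
# key=regex pairs; only events matching every pair are dropped
blacklist1 = EventCode="4624"
```

Restart splunkd on the tier you changed. Before dropping the events outright it is worth keeping a day of them: a breakdown of 4624 by Logon Type, Logon Process and source workstation usually shows whether a patch, a new monitoring agent or a misconfigured service account is behind a jump from 15 to 20k logons per hour, and the blacklist regex can then be narrowed to just that logon type rather than the whole event ID.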

jeremyarcher
Path Finder

Thanks! This is helpful for keeping things under control until I can find the root cause.

0 Karma

jeffland
SplunkTrust
SplunkTrust

I have also just heard of this nice little solution in-between indexing none and all such events.

0 Karma