Splunk Enterprise

How is Splunk creating the signature_id field for Windows Event Logs?

ejwade
Contributor

I'm trying to troubleshoot some Windows Event Log events coming into Splunk.

The events are stream processed, and come in as JSON. Here is a sample (obfuscated).

{"Version":"0","Level":"0","Task":"12345","Opcode":"0","Keywords":"0x8020000000000000","Correlation_ActivityID":"{99999999-9999-9999-9999-999999999999}","Channel":"Security","Guid":"99999999-9999-9999-9999-999999999999","Name":"Microsoft-Windows-Security-Auditing","ProcessID":"123","ThreadID":"12345","RecordID":"999999","TargetUserSid":"AD\\user","TargetLogonId":"0xXXXXXXXXX"}

There are a number of indexed fields as well, including "Computer" and "EventID".

What's interesting - signature_id seems to be created, but when I search on it, it fails. In this event, signature_id is shown under "Interesting Fields" with the value 4647, but if I put signature_id=4647 in the search line, it comes back with no results. If I put EventID=4647, it comes back with the result. I'm using Smart Mode.

This led me to digging into the Fields configurations (aliases, calculations, etc.) but I couldn't figure out how signature_id was created in the Windows TA. Can anyone provide any insight?

Thank you!
Ed

0 Karma

PickleRick
SplunkTrust

It does not look like any standard Splunk Windows-related sourcetype so it's hard to say from experience. You need to find the source of the file yourself. It might be either an indexed field or search-time extraction (for which you can just brute-force grep all your .conf files if all else fails).

0 Karma

m_pham
Splunk Employee

Hi - can you post the name of the sourcetype of the event where EventID=4647 comes up? You can then search for the sourcetype name in Splunk_TA_windows/default/props.conf to see how the signature_id field is created.

0 Karma
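Both replies above amount to the same troubleshooting step: find which .conf setting actually produces the field. The following is an added example (not code from the thread or from Splunk_TA_windows) that parses props.conf-style text and reports every setting that can create a given search-time field: a FIELDALIAS whose target is the field, an EVAL-<field> calculation, an EXTRACT with a named capture group of that name, a LOOKUP whose OUTPUT list includes it, and any REPORT reference (which has to be resolved in transforms.conf). The SAMPLE_PROPS text is constructed for the demonstration and is not the TA's real props.conf; the stanza and setting names in it are placeholders.

```python
import re
from pathlib import Path

# Constructed sample props.conf content (NOT the real Splunk_TA_windows file).
# It mixes the setting types that can produce a search-time field.
SAMPLE_PROPS = """\
[xmlwineventlog]
FIELDALIAS-eventcode_to_signature_id = EventCode AS signature_id
EVAL-signature = coalesce(Message, "unknown")
EXTRACT-eventid = <EventID>(?<EventCode>\\d+)</EventID>
REPORT-wineventlog = wineventlog_fields

[source::WinEventLog:Security]
EVAL-action = if(EventCode="4647", "logoff", "unknown")

[WinEventLog]
LOOKUP-signature = windows_signature_lookup EventCode OUTPUT signature, signature_id
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Comments and blank lines are skipped; a trailing backslash joins the
    next line, as Splunk's own conf parser does.
    """
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def field_definitions(stanzas, field):
    """Return every setting that can produce `field` at search time."""
    esc = re.escape(field)
    alias_re = re.compile(r"(\S+)\s+AS(?:NEW)?\s+%s(?=$|[\s,])" % esc, re.I)
    in_list_re = re.compile(r"(?:^|[\s,])%s(?:$|[\s,])" % esc)
    hits = []
    for stanza, settings in stanzas.items():
        for key, value in settings.items():
            hit = None
            if key.startswith("FIELDALIAS-"):
                m = alias_re.search(value)
                if m:
                    hit = ("alias", m.group(1))          # source field of the alias
            elif key == "EVAL-" + field:
                hit = ("eval", value)                    # calculated field expression
            elif key.startswith("EXTRACT-"):
                if "(?<%s>" % field in value or "(?P<%s>" % field in value:
                    hit = ("extract", value)             # inline regex with named group
            elif key.startswith("LOOKUP-"):
                parts = re.split(r"\s+OUTPUT(?:NEW)?\s+", value, maxsplit=1, flags=re.I)
                if len(parts) == 2 and in_list_re.search(parts[1]):
                    hit = ("lookup", parts[0].split()[0])  # lookup definition name
            elif key.startswith("REPORT-"):
                hit = ("report", value)                  # resolve in transforms.conf
            if hit:
                hits.append({"stanza": stanza, "setting": key,
                             "kind": hit[0], "detail": hit[1]})
    return hits


def scan_directory(root, field):
    """Walk a Splunk etc/ tree and check every *.conf file for `field`."""
    results = []
    for path in Path(root).rglob("*.conf"):
        for hit in field_definitions(parse_conf(path.read_text(errors="replace")), field):
            hit["file"] = str(path)
            results.append(hit)
    return results


if __name__ == "__main__":
    for h in field_definitions(parse_conf(SAMPLE_PROPS), "signature_id"):
        print(h)
```

Run it against the real tree with scan_directory("/opt/splunk/etc", "signature_id") on the search head (the path is an assumption about your install); compare the results with what the heavy forwarder ships, since a stanza that only exists under one sourcetype or source will not apply to data that arrives with a different one.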

ejwade
Contributor

Hi @m_pham. I am using a standard source and sourcetype.

sourcetype="xmlwineventlog"
source="WinEventLog:Security"

Thank you!

0 Karma

m_pham
Splunk Employee

So a few questions:

What version number of the Windows TA are you using on your search head?

What version number of the Windows TA is on your UF for this data? What does your inputs.conf look like for the following stanza? [WinEventLog://Security]

Like @PickleRick said in his comment, this doesn't look like a standard Windows Event Log.

0 Karma

ejwade
Contributor

The Windows TA on the search heads is 8.6.0, and the Windows TA on the HF is 9.0.6.

Here is the inputs.conf stanza for Security.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = test_i
renderXml=true

The events are stream processed, and come in as JSON.

0 Karma
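The two blacklist settings in that stanza decide which Security events never reach the index, so it is worth confirming they drop only what was intended (4662 and 566 object-access events that are not about groupPolicyContainer objects) and nothing else. The following is an added example, not part of the thread or of any Splunk component: it parses the blacklist lines of the posted stanza and evaluates constructed events against them. The semantics it implements, that a blacklist rule fires only when every key="regex" pair in it matches the corresponding event field, and that the match is unanchored, are my reading of the documented behaviour and are marked as assumptions in the code; Splunk uses PCRE, so only regex features shared with Python's re module are exercised here. The event messages are constructed, abbreviated samples, not real log data.

```python
import re

# The blacklist lines from the posted [WinEventLog://Security] stanza, copied
# into a raw string (other settings shown only as context).
INPUTS_STANZA = r"""
[WinEventLog://Security]
disabled = 0
renderXml = true
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
"""

# key="regex" pairs inside a blacklist value (the regexes contain no quotes).
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_blacklists(stanza_text):
    """Return [(setting_name, [(field, compiled_regex), ...]), ...]."""
    rules = []
    for line in stanza_text.splitlines():
        key, _, value = line.partition("=")
        if not re.fullmatch(r"blacklist\d*", key.strip()):
            continue
        pairs = [(field, re.compile(pattern)) for field, pattern in PAIR_RE.findall(value)]
        rules.append((key.strip(), pairs))
    return rules


def blacklist_match(event, rules):
    """Name of the first rule that drops `event`, or None if it is kept.

    ASSUMPTION: a rule fires only when all of its key="regex" pairs match,
    and the regex is applied unanchored (re.search). Verify both against the
    inputs.conf reference for your Splunk version before relying on this.
    """
    for name, pairs in rules:
        if pairs and all(regex.search(str(event.get(field, ""))) for field, regex in pairs):
            return name
    return None


def evaluate(events, rules):
    """Apply the rules to every event and return the per-event decision."""
    return [blacklist_match(ev, rules) for ev in events]


# Constructed sample events (abbreviated Message text, not real audit records).
SAMPLE_EVENTS = [
    {"EventCode": "4662",
     "Message": "An operation was performed on an object.\n\tObject Type:\tuser"},
    {"EventCode": "4662",
     "Message": "An operation was performed on an object.\n\tObject Type:\tgroupPolicyContainer"},
    {"EventCode": "4647",
     "Message": "User initiated logoff."},
    {"EventCode": "566",
     "Message": "An operation was performed on an object.\n\tObject Type:\tcomputer"},
]

if __name__ == "__main__":
    rules = parse_blacklists(INPUTS_STANZA)
    for ev, decision in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS, rules)):
        print(ev["EventCode"], "dropped by", decision if decision else "nothing (kept)")
```

The second sample event is the interesting one: the negative lookahead `(?!\s*groupPolicyContainer)` makes the Message regex fail when the object type is a Group Policy container, so that 4662 event is kept while other 4662 events are dropped. Note that the stanza itself does not explain the JSON format of the events in the original post; with renderXml=true this input emits XML.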

PickleRick
SplunkTrust

What do you mean by "stream processed"?

This config stanza should produce XML-formatted events, not JSON. So something is actively fiddling with your data before it's ingested. You should check the config of that solution.

0 Karma

PickleRick
SplunkTrust

OK. This is definitely not what XML windows events look like.

0 Karma