I'm trying to troubleshoot some Windows Event Log events coming into Splunk.
The events are stream processed, and come in as JSON. Here is a sample (obfuscated).
{"Version":"0","Level":"0","Task":"12345","Opcode":"0","Keywords":"0x8020000000000000","Correlation_ActivityID":"{99999999-9999-9999-9999-999999999999}","Channel":"Security","Guid":"99999999-9999-9999-9999-999999999999","Name":"Microsoft-Windows-Security-Auditing","ProcessID":"123","ThreadID":"12345","RecordID":"999999","TargetUserSid":"AD\\user","TargetLogonId":"0xXXXXXXXXX"}
There are a number of indexed fields as well, including "Computer" and "EventID".
What's interesting - signature_id seems to be created, but when I search on it, it fails. In this event, signature_id is shown under "Interesting Fields" with the value 4647, but if I put signature_id=4647 in the search line, it comes back with no results. If I put EventID=4647, it comes back with the result. I'm using Smart Mode.
This led me to digging into the Fields configurations (aliases, calculations, etc.) but I couldn't figure out how signature_id was created in the Windows TA. Can anyone provide any insight?
Thank you!
Ed
It does not look like any standard Splunk Windows-related sourcetype so it's hard to say from experience. You need to find the source of the file yourself. It might be either an indexed field or search-time extraction (for which you can just brute-force grep all your .conf files if all else fails).
Hi - can you post the name of the sourcetype of the event where EventID=4647 comes up? You can then search for the sourcetype name in Splunk_TA_windows/default/props.conf to see how the signature_id field is created.
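As an added example (not code from either of the replies above), here is a script that does what both replies suggest: it parses Splunk .conf files and reports every stanza and setting that mentions a field such as signature_id, labelling each hit as a search-time alias/eval/extraction (props.conf) or an indexed-field declaration (fields.conf). The sample conf contents are constructed for a stand-alone run and are not the real Splunk_TA_windows files.

```python
import os
import re

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
SEARCH_TIME = {"FIELDALIAS-": "search-time alias", "EVAL-": "search-time calculated field",
               "EXTRACT-": "search-time extraction", "REPORT-": "search-time extraction"}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; comments and blank lines are skipped."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def classify(conf_name, key, value):
    """Label a setting as index-time (fields.conf INDEXED) or search-time (props.conf prefixes)."""
    if conf_name == "fields.conf" and key == "INDEXED" and value.lower() == "true":
        return "indexed field"
    return next((label for p, label in SEARCH_TIME.items() if key.startswith(p)), "other")

def find_field(confs, field):
    """confs: list of (path, text) pairs. Returns (path, stanza, key, classification) per hit."""
    word = re.compile(r"\b%s\b" % re.escape(field))
    hits = []
    for path, text in confs:
        name = os.path.basename(path)
        for stanza, settings in parse_conf(text).items():
            for key, value in settings.items():
                # fields.conf declares an indexed field as its own stanza, e.g. [EventID]
                if stanza == field or word.search(key) or word.search(value):
                    hits.append((path, stanza, key, classify(name, key, value)))
    return hits

# Constructed sample confs for a stand-alone run (not the real Splunk_TA_windows contents).
SAMPLE_CONFS = [
    ("apps/Splunk_TA_windows/default/props.conf",
     "[XmlWinEventLog]\nFIELDALIAS-sig = EventCode AS signature_id\nEVAL-action = \"success\"\n"),
    ("apps/Splunk_TA_windows/default/fields.conf", "[EventID]\nINDEXED = true\n"),
]
```

To run it against a real deployment, feed find_field the (path, text) pairs of every .conf found by walking $SPLUNK_HOME/etc; it does not resolve local/ versus default/ precedence or backslash line continuations, so read the winning file by hand once a hit is found.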
Hi @m_pham. I am using a standard source and sourcetype.
sourcetype="xmlwineventlog"
source="WinEventLog:Security"
Thank you!
So a few questions:
What version of the Windows TA are you using on your search head?
What version of the Windows TA is on your UF for this data? What does your inputs.conf look like for the following stanza? [WinEventLog://Security]
Like @PickleRick said in his comment, this doesn't look like a standard Windows Event Log.
The Windows TA on the search heads is 8.6.0, and the Windows TA on the HF is 9.0.6.
Here is the inputs.conf stanza for Security.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = test_i
renderXml = true
The events are stream processed, and come in as JSON.
What do you mean by "stream processed"?
This config stanza should produce XML-formatted events, not JSON. So something is actively fiddling with your data before it's ingested. You should check the config of that solution.
OK. This is definitely not what XML Windows events look like.