topic Re: How to capture Windows Event Code 4672? in Security

How to capture Windows Event Code 4672?

don625 — Thu, 21 May 2015 14:12:24 GMT

I'm not sure where to look, but I was trying to capture Event ID/Code 4672, which is in the Windows Security logs, but I cannot find it within Splunk. I am using Universal Forwaders and so far I am seeing everything I'm looking for except that Event code. Any idea where I can look to see if it's being filtered? I've looked in E:>Program Files>Splunk>etc>system>local at the transforms.conf file and don't see it listed. I wasn't sure if that is a filter of what to include or exclude.
Thanks.

Re: How to capture Windows Event Code 4672?

dflodstrom — Mon, 28 Sep 2020 20:01:52 GMT

Are you positive that this event is being logged at the source? The filtering would happen in .../Splunk/etc/apps/Splunk_TA_windows/default/

Re: How to capture Windows Event Code 4672?

don625 — Thu, 21 May 2015 20:21:33 GMT

Thanks for the response. Yes, I can see Event ID: 4672 in the Windows Security logs for the server I am testing. Strange. I tried just searching for 4672 and get nothing. I have about 80 forwarders installed and verified that I am collecting the Security logs. I tested a few looking in the Windows Security log and searching on some Event ID's, 4624 and 4768 and can find those without issue searching Splunk.

Re: How to capture Windows Event Code 4672?

dflodstrom — Mon, 28 Sep 2020 20:01:55 GMT

/Splunk_TA_windows/default/inputs.conf should have this by default for WinEventLog://Security:

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

Unless you have a transforms somewhere that applies to the source/sourcetype that applies to these events I am also confused. Have you tried using btool to help determine what configurations are being applied to your source/sourcetype?

Re: How to capture Windows Event Code 4672?

don625 — Mon, 28 Sep 2020 20:02:01 GMT

The default\inputs.conf looks like this. I couldn't find that code in tranforms. I haven't use btools. I will look into that. Thanks.

[WinEventLog://System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

Re: How to capture Windows Event Code 4672?

dflodstrom — Mon, 28 Sep 2020 20:02:04 GMT

Since these inputs are disabled by default are you enabling them somewhere? .../Splunk_TA_windows/local/ or otherwise? Perhaps where they are enabled they're also being blacklisted.

Re: How to capture Windows Event Code 4672?

muebel — Fri, 22 May 2015 04:42:04 GMT

first I would verify that you are indexing the Security Eventlog.

[WinEventLog://Security]
disabled = 1

Once you are sure that you are indexing the security eventlog, just search for "4672" on that sourcetype and see if anything comes up.

Re: How to capture Windows Event Code 4672?

dflodstrom — Fri, 22 May 2015 12:30:33 GMT

To enable collection of the security log you'll want disabled=0

[WinEventLog://Security]
 disabled = 0

Re: How to capture Windows Event Code 4672?

don625 — Fri, 22 May 2015 13:13:03 GMT

I was searching and found then enabled here - Program Files/Splunk/etc/system/local/inputs.conf. I'm guessing this overrides the default inputs.conf and I do have a ton of Windows Security events, just not finding that specific event for some reason. We had a 3rd party set this up and they are out of business, so I was trying to figure it out. I may have to get a consultant to help figure this out. Thanks for all of the help.

/Splunk/etc/system/local/inputs.conf
[WinEventLog://Application]
disabled = 0

[WinEventLog://ForwardedEvents]
disabled = 1

[WinEventLog://HardwareEvents]
disabled = 1

[WinEventLog://Internet Explorer]
disabled = 1

[WinEventLog://Security]
disabled = 0

[WinEventLog://Setup]
disabled = 0

[WinEventLog://System]
disabled = 0

Re: How to capture Windows Event Code 4672?

don625 — Fri, 22 May 2015 15:29:43 GMT

In /Splunk/etc/system/local/inputs.conf it's set to 0 and I am getting a bunch of Windows Security events, except 4672. So far I cannot figure out why it's not being collected.

[WinEventLog://Application]
disabled = 0

[WinEventLog://ForwardedEvents]
disabled = 1

[WinEventLog://HardwareEvents]
disabled = 1

[WinEventLog://Internet Explorer]
disabled = 1

[WinEventLog://Security]
disabled = 0

[WinEventLog://Setup]
disabled = 0

[WinEventLog://System]
disabled = 0

Re: How to capture Windows Event Code 4672?

dflodstrom — Mon, 28 Sep 2020 20:02:25 GMT

Check Program Files/Splunk/etc/system/local/props.conf and Program Files/Splunk/etc/system/local/transforms.conf to see if there is anything related to that event code or your Windows Security log. This is a noisy event so they may have blacklisted it.

Are you deploying any configurations to them that might have this event blacklisted ... custom TA or the Splunk_TA_windows with local settings?

Are you sending these events to an indexer or is this a single instance Splunk deployment? There might be configurations on your indexer/heavy forwarders that are filtering this event if you have them

Re: How to capture Windows Event Code 4672?

don625 — Mon, 28 Sep 2020 20:02:27 GMT

I checked the files, Program Files/Splunk/etc/system/local/props.conf and Program Files/Splunk/etc/system/local/transforms.conf and cannot find the code.

Yes the events are coming from servers with Universal forwarders. I don't think we are blocking with any configs to them. I checked one of the DCs and the props or transforms files in the SplunkUniversalForwarder/etc/apps/Splunk_TA_windows/default directory don't have anything with that event and those files aren't in the local directory.

This is a single instance of Splunk.

Re: How to capture Windows Event Code 4672?

jkeellogic — Thu, 21 Jan 2016 19:43:21 GMT

I have a similar interest except I want to capture Win Event code 4738.

I know and collected winEventlog:security to my Splunk environment, and i would like to capture code 4738 from each UF to send to me as and alert. Maybe store it in a different index?

I have hit a wall in the number of UF that I received security logs. In my case its 16 out of 31 I collect.

I still want all of the security logs but I would like to extract 1 2 or 3 Eventcode from the security logs as quickly as possible.

jim