https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270476#M31377 <P>The current issue has been fixed in Windows TA 4.8.4 onwards, so please download the latest version Windows TA and test or try using the following Regex.<BR /> blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" </P> Wed, 10 May 2017 04:13:37 GMT kheo_splunk 2017-05-10T04:13:37Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270469#M31370 <P>Hi, </P> <P>I am trying to look up data related to <CODE>EventCode="4662"</CODE>, but it does not show in Splunk. </P> <P>I am using Universal Forwarders and nothing is being blacklisted within the inputs.conf for Splunk_TA_windows.<BR /> Additionally I checked inputs.conf on the indexer and it was not present, I copied inputs.conf from default:</P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = oldest current_only = 0 evt_resolve_ad_obj = 1 checkpointInterval = 5 blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)" blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)" index = wineventlog renderXml=false </CODE></PRE> <P>I have check within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results.</P> <P>Not sure how to troubleshoot that.</P> <P>I am running a single Splunk server. </P> Tue, 29 Sep 2020 08:40:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270469#M31370 ttchorz 2020-09-29T08:40:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270470#M31371 <P>Sorry but your config file shows 4662 as blacklist. Is it a typo?</P> Fri, 05 Feb 2016 14:12:39 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270470#M31371 renjith_nair 2016-02-05T14:12:39Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270471#M31372 <P>No, the regular expression <CODE>Message="Object Type:\s+(?!groupPolicyContainer)"</CODE> filters out the junk<BR /> I am just looking to see Group Policy Changes which I know took place earlier today in the morning and I can see that events within Windows Event Viewer</P> Fri, 05 Feb 2016 14:26:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270471#M31372 ttchorz 2016-02-05T14:26:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270472#M31373 <P>Could you add some context, why are these specific events "4662" and "566" in your config? Do they definitely appear in your indexed data?</P> Fri, 05 Feb 2016 16:19:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270472#M31373 jpanderson 2016-02-05T16:19:22Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270473#M31374 <P>These is a default config. It is supposed to filter out events 4662 that contain junk and only leave events 4662 which contain GPO changes ( see for details <A href="http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/">http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/</A>) <BR /> GPO changes were done today and I can see these events on Windows Event Viewer on DC. </P> Fri, 05 Feb 2016 16:35:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270473#M31374 ttchorz 2016-02-05T16:35:31Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270474#M31375 <P>I'm running into the same issue. Even when I comment out the blacklisting altogether for EventCode 4662, Splunk is still not indexing any 4662 events (junk or not). I've confirmed that there are other events coming in from the Windows Security Log so I don't believe that permissions are an issue here. </P> Wed, 31 Aug 2016 13:32:00 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270474#M31375 pkiripolsky 2016-08-31T13:32:00Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270475#M31376 <P>I know this is stating the obvious, but have you confirmed that 4662 is coming into the event logs? I know that when we removed the blacklist entirely as a means of troubleshooting, we found that 4662 was not being logged.</P> <P>That said, I am still having issues myself with the blacklisting portion, but I do know that events not being actually logged was one of our issues, and now events are coming in if I remove the blacklist entirely. If anyone has any ideas outside of copying/pasting, typing things manually, using btool, reinstalling add-ons and clients, or standing on your head and spinning around three times by moonlight, I'd be happy to hear.</P> Wed, 31 Aug 2016 14:18:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270475#M31376 edekker 2016-08-31T14:18:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270476#M31377 <P>The current issue has been fixed in Windows TA 4.8.4 onwards, so please download the latest version Windows TA and test or try using the following Regex.<BR /> blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)" </P> Wed, 10 May 2017 04:13:37 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Windows-How-to-troubleshoot-why/m-p/270476#M31377 kheo_splunk 2017-05-10T04:13:37Z