topic Re: Why does Security Essentials search for windows event log data with sourcetype instead of source? in All Apps and Add-ons

Why does Security Essentials search for windows event log data with sourcetype instead of source?

alastor — Fri, 21 Dec 2018 15:43:32 GMT

The 5.x version of the Windows TA logs data with source=WinEventLog:Security and source=wineventlog ... all the items related to windows event log data fail in this app. This is really annoying. What is the best way to fix this? Do we need to modify the TA for windows settings or is this a compatibility issue with Security Essentials only working with the older 4.x versions of the windows TA?

Thanks!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Fri, 21 Dec 2018 19:46:08 GMT

We did the first major update for the Windows TA 5 breaking changes a few releases back, but it turns out there was an entire category of searches that were missed. This has been fixed now in Version 2.3.1, posted Jan 4 2019. Thank you for reporting this!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

alastor — Fri, 21 Dec 2018 19:59:05 GMT

I just updated to 2.3.0 this morning before posting this question and I'm still seeing security items for windows reporting no data... if I open the query in search and change it from sourcetype=*WinEventLog:Security to source= it finds the data.

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Tue, 29 Sep 2020 22:27:57 GMT

Do me a favor -- try doing a _bump and see if that changes the search (sometimes Splunk Enterprise caches things when it shouldn't..). Go to http(s)://your-splunk-server:8000/en-US/_bump and then click the button that pops up there. Refresh the page you're seeing the issue on, and let me know if it goes away. If not, can you confirm where in the app (e.g., what page, what example, etc.) you see the issue, so I can dive in deeper and see what my regex search is missing?

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Wed, 02 Jan 2019 13:36:51 GMT

Hi @alastor -- happy new year! I wanted to check in again and see if you were able to try this out.

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

alastor — Wed, 02 Jan 2019 13:53:27 GMT

Hey David, I haven't. I've been on vacation over the holidays. I should try it out before the end of the week though! I will let you know! Thanks!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Wed, 02 Jan 2019 13:54:41 GMT

Excellent! Sounds good on both fronts (the vacation, and being able to try it out)!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

alastor — Wed, 02 Jan 2019 14:39:57 GMT

I did the bump on all of my search heads... still see the no data found on windows data with live data selected on the dashboards. the windows items all have the wrong search string for 5.x windows app:

| metasearch earliest=-2h latest=now sourcetype="WinEventLog:Security" index= | head 100 | stats count

if I change sourcetype to source it loads data.

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

alastor — Wed, 02 Jan 2019 15:10:34 GMT

Okay interesting, I switched browsers and now reports are showing up correctly for the most part. (many now show an Accelerated option as well as demo and live data) and those mostly work. there are some errors still but I think it's additional configuration that needs to be done.

Some pages don't load anything though:
Windows Event Log Clearing Events doesn't show any messages now when switching to live data.

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

hrottenberg_spl — Tue, 29 Sep 2020 22:33:28 GMT

Confirmed w/another customer. @talbinder_splunk is going to add some detail on app version, searches etc.

@David : I'm looking at the Splunk_TA_Windows CIM tags, and it's based on the eventtype=wineventlog_security (among others). Eventtypes.conf says:

[wineventlog_security]
search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security

However, the customer sees that sec essentials is using sourcetype=WinEventLog:Security, which clearly won't match.

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

alastor — Wed, 02 Jan 2019 17:38:46 GMT

okay so if I go into the Data Source Checker I still find a fair number of failures in Windows Event lookups that are pointing at sourcetype instead of source. I did a find -exec grep -i in the app looking for sourcetype=wineventlog: and only found a single xml file and a bunch of static data entries that matched... so there has to be another area where this mismatch is being picked up.

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Wed, 02 Jan 2019 17:56:04 GMT

Found the bug! Working on it now, and I'll get a fixed version posted shortly. Thank you 🙂

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

talbinder_splun — Wed, 02 Jan 2019 18:09:08 GMT

@David

Here's the update based on the customer's feedback that @hrottenberg_splunk mentioned:

Sec Essentials use cases:

New Logon Type for User

Disabled Update Service

Monitor Unsuccessful Windows Updates

New RunAs Host

Successful Login of Account for Former Employee

In Splunk demo env, most cases bring up events with identical source and sourcetype names, which is odd.

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Wed, 02 Jan 2019 21:55:49 GMT

I just submitted the corrected version. It usually gets posted within a couple of days, so figure Friday / Monday. Let me know if it's urgent and I can get a fixed version to you offline!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Wed, 02 Jan 2019 22:02:09 GMT

I just submitted the corrected version. It usually gets posted within a couple of days, so figure Friday / Monday. Let me know if it's urgent and I can get a fixed version to you offline!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

talbinder_splun — Thu, 03 Jan 2019 17:11:10 GMT

Thank you, @David.

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Sat, 05 Jan 2019 02:37:02 GMT

Fixed in SSE 2.3.1, now live!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Sat, 05 Jan 2019 02:37:09 GMT

Fixed in SSE 2.3.1, now live!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

David — Sat, 05 Jan 2019 02:37:32 GMT

Fixed in SSE 2.3.1, now live!

Re: Why does Security Essentials search for windows event log data with sourcetype instead of source?

alastor — Thu, 10 Jan 2019 16:11:26 GMT

David fixed this with an update.