topic Re: eventid.net in All Apps and Add-ons

eventid.net

m1ster1985 — Wed, 30 Sep 2020 03:37:59 GMT

Dear all,

Could you help me in resolving my issue I cannot address?
I installed Add-on for Microsoft Windows and did everything according to instruction. Now, Splunk is receiving logs from 1 windows computer. I can see them in the data summary. The next step was the installation eventid.net app to consolidate and visualize received logs. However, when I installed and configure it according to the instruction, eventid.net does not show any logs on its dashboards.
I have no idea where should I look into to find out why eventid does not work. Please, could you help me in troubleshooting this problem? I am ready to provide any screenshots of my configuration.

These are some details of my configuration.
I configured inputs.conf that is located in /opt/splunk/etc/apps/Splunk_TA_windows/local having indicated the following configuration:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

I also copied this configuration to the deployment server (/opt/splunk/etc/deployment-apps/Splunk_TA_windows/local). The configuration is successfully transmitted to the computer with Universal Forwarder. (I checked the configuration of the UF)

However, when I look at event logs in the "Search and Report", I see that logs are coming with the index = "main" instead of "wineventlog" as I pointed in the inputs.conf
selected fields:
host = ComputerNAME
index = main
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog

I do not understand why event logs are coming with the index = main.
I configured eventid.net in the following way:
"The EventId App will analyze the specified index: (index="wineventlog" OR source=XmlWinEventLog*)"
Thank you.

Re: eventid.net

jarizeloyola — Fri, 10 Jan 2020 14:04:17 GMT

Is the configuration in the inputs.conf sending to the right index?
Is the data is stored in a different index? you can update the macros.conf [event_sources] section.

Re: eventid.net

m1ster1985 — Wed, 30 Sep 2020 03:42:49 GMT

Hello,

This is the first problem. I configured inputs.conf that is located in /opt/splunk/etc/apps/Splunk_TA_windows/local having indicated the following configuration:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

I have no idea why event logs are coming with the index = main.
I configured eventid.net in the following way:
"The EventId App will analyze the specified index: (index="wineventlog" OR source=XmlWinEventLog*)"

Re: eventid.net

jarizeloyola — Wed, 15 Jan 2020 04:57:06 GMT

can you run a btool on the uf , just to check what inputs.conf it is getting ?

Re: eventid.net

m1ster1985 — Wed, 15 Jan 2020 05:14:49 GMT

Unfortunately, I can't copy the output of the btool command because it is too big and can't attach a file due to a lack of point for karma.
Probably, you want to see particular strings?