topic Re: How is Splunk creating the signature_id field for Windows Event Logs? in Splunk Enterprise

How is Splunk creating the signature_id field for Windows Event Logs?

ejwade — Wed, 08 Nov 2023 16:36:38 GMT

I'm trying to troubleshoot some Windows Event Log events coming into Splunk.

The events are stream processed, and come in as JSON. Here is a sample (obfuscated).

{"Version":"0","Level":"0","Task":"12345","Opcode":"0","Keywords":"0x8020000000000000","Correlation_ActivityID":"{99999999-9999-9999-9999-999999999999}","Channel":"Security","Guid":"99999999-9999-9999-9999-999999999999","Name":"Microsoft-Windows-Security-Auditing","ProcessID":"123","ThreadID":"12345","RecordID":"999999","TargetUserSid":"AD\\user","TargetLogonId":"0xXXXXXXXXX"}

There are a number of indexed fields as well, including "Computer" and "EventID".

What's interesting - signature_id seems to be created, but when I search on it, it fails. In this event, signature_id is shown under "Interesting Fields" with the value 4647, but if I put signature_id=4647 in the search line, it comes back with no results. If I put EventID=4647, it comes back with the result. I'm using Smart Mode.

This led me to digging into the Fields configurations (alias', calculations, etc.) but I couldn't figure out how signature_id was created in the Windows TA. Can anyone provide any insight?

Thank you!
Ed

Re: How is Splunk creating the signature_id field for Windows Event Logs?

m_pham — Wed, 08 Nov 2023 18:44:30 GMT

Hi - can you post name of the sourcetype to the event where EventID=4647 comes up? You can then search for the sourcetype name in Splunk_TA_windows/default/props.conf to see how signature_id field is created.

Re: How is Splunk creating the signature_id field for Windows Event Logs?

PickleRick — Wed, 08 Nov 2023 19:22:30 GMT

It does not look like any standard Splunk Windows-related sourcetype so it's hard to say from experience. You need to find the source of the file yourself. It might be either an indexed field or search-time extraction (for which you can just brute-force grep all your .conf files if all else fails).

Re: How is Splunk creating the signature_id field for Windows Event Logs?

ejwade — Thu, 09 Nov 2023 01:00:16 GMT

Hi @m_pham. I am using a standard source and sourcetype.

sourcetype="xmlwineventlog"
source="WinEventLog:Security"

Thank you!

Re: How is Splunk creating the signature_id field for Windows Event Logs?

PickleRick — Thu, 09 Nov 2023 10:55:02 GMT

OK. This is definitely not what XML windows events look like.

Re: How is Splunk creating the signature_id field for Windows Event Logs?

m_pham — Thu, 09 Nov 2023 16:59:51 GMT

So a few questions:

What is the version number of the Windows TA are you using on your search head?

What version number of the Windows TA on your UF for this data? What does your inputs.conf look like for the following stanza? [WinEventLog://Security]

Like @PickleRick said in his comment, this doesn't look like a standard Windows Event Log.

Re: How is Splunk creating the signature_id field for Windows Event Logs?

ejwade — Tue, 14 Nov 2023 21:18:06 GMT

The Windows TA on the search heads is 8.6.0, and the Windows TA on the HF us 9.0.6.

Here is the inputs.conf stanza for Security.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = test_i
renderXml=true

The events are stream processed, and come in as JSON.

Re: How is Splunk creating the signature_id field for Windows Event Logs?

PickleRick — Wed, 15 Nov 2023 09:33:38 GMT

What do you mean by "stream processed"?

This config stanza should produce XML-formatted evetns, not jsons. So something is actively fiddling with your data before it's ingested. You should check the config of that solution.