topic Re: Splunk UF WinEventlog Security Event data missing in Splunk Enterprise

Splunk UF WinEventlog Security Event data missing

rukshar — Thu, 20 Mar 2025 03:39:32 GMT

We are trying to configure event monitoring for Security Event ID 4624 (successful login) and Event ID 4625 (unsuccessful login) for an Account. We have created the app with the below stanza in inputs.conf file

[WinEventLog://Security]
index = wineventlog
sourcetype=Security:AD_Sec_entmon
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = EventCode="4624|4625"
#renderXml=false

However, there is no data though the app has been successfully deployed.

Please assist me on this issue.

Re: Splunk UF WinEventlog Security Event data missing

PickleRick — Thu, 20 Mar 2025 08:15:00 GMT

1. Why are you using custom sourcetype? There are already well-defined knowledge objects for the standard windows eventlog sourcetypes which come with TA_windows.

2. You can't define two separate instances of the same input (in your case - WinEventLog://Security). So check with btool what are the effective settings for your input after layering your own app and windows built-in stuff (and possibly TA_windows).

Re: Splunk UF WinEventlog Security Event data missing

livehybrid — Thu, 20 Mar 2025 08:45:12 GMT

Hi @rukshar

Do you have theSplunk_TA_windows installed as well?

If you not making the changes in Splunk_TA_windows/local and are using your own custom app with a default directory rather than local then you need to make sure the custom app has a higher order of precedence than the Splunk_TA_windows app. e.g 100_yourOrg_wininputs (Precendence goes 0-9A-Za-z)

For more info on precedence check out https://docs.splunk.com/Documentation/Splunk/latest/admin/Wheretofindtheconfigurationfiles

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: Splunk UF WinEventlog Security Event data missing

splunkmarroko — Thu, 03 Apr 2025 16:23:17 GMT

hello @rukshar ,

the stanza looks good, make sure it is placed in the right location:
either: /opt/splunkforwarder/etc/system/local

or : /opt/splunkforwarder/etc/apps/<yourapp>/local
also double check you have an outputs.conf , also a quick restart won't hurt.

Re: Splunk UF WinEventlog Security Event data missing

marnall — Thu, 03 Apr 2025 17:38:24 GMT

In addition to the other answers, you may also want to check that your forwarder is not having permission problems in reading the Security wineventlog. If you install the unprivileged windows forwarder and do not add the SplunkForwarder virtual user to the "Event Log Readers" group, then it may fail to subscribe to the Security event log channel.

Search: (assuming that your forwarder IS sending internal logs, but not windows event logs)

index=_internal host=<host> errorCode=5 "unable to subscribe to Windows Event Log"

Re: Splunk UF WinEventlog Security Event data missing

iamsahilshaiks — Fri, 04 Apr 2025 09:32:58 GMT

I think your whitelist setting should be correctly formatted; try using whitelist = 4624,4625 to ensure proper filtering and, confirm whether renderXml=false is appropriate, as XML-based logs may require renderXml=true for accurate extraction.

Next, check if Windows is generating these events by running this command in PowerShell.
Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4624 -or $_.Id -eq 4625 } | Select-Object -First 10

If no events appear, ensure that Windows auditing policies are correctly configured by navigating to gpedit.msc → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff → Audit Logon, and verifying that success and failure logging is enabled.

You can also confirm this by running auditpol /get /subcategory:"Logon" in PowerShell.

If you see errors like - It could indicate a misconfiguration in inputs.conf
ERROR ExecProcessor - message from "WinEventLog" The parameter is incorrect.

And, perform a Splunk search to confirm if any relevant events have been indexed by running :
index=* sourcetype=Security:AD_Sec_entmon EventCode=4624 OR EventCode=4625.

If no results appear, try searching with index=* EventCode=4624 OR EventCode=4625
OR check index metadata with | metadata type=sourcetypes index=wineventlog.

If data is still missing, it’s worth testing with the default Splunk sourcetype by modifying inputs.conf to use sourcetype=WinEventLog:Security instead.

[WinEventLog://Security]
index = wineventlog
sourcetype=WinEventLog:Security
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 300
whitelist = 4624,4625

After making any configuration changes, restart the Splunk Universal Forwarder using splunk restart or Restart-Service SplunkForwarder on Windows.

Re: Splunk UF WinEventlog Security Event data missing

PickleRick — Fri, 04 Apr 2025 08:10:46 GMT

Let me interject here, @iamsahilshaiks

For regex-based whitelisting it's not as simple as just puting the regex on its own. See https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf#Event_Log_allow_list_and_deny_list_formats - you have to

1. Provide a key which will be matched against the regex

2. Enclose the regex in delimiters of your choice.

So your example of whitelist = (?m)^4624$|^4625$ is completely wrong.

Additionally, if you're exporting events as XML (which is currently the preferred way because traditional format tends to have some problems with parsing), you use XmlRegex key for filtering.

splunk list monitor only list - as the name says - monitor type inputs which read files from the disk. Windows event log sources are not of monitor type.

Last time I checked, grep was neither a standard CMD-usable tool nor a standard powershell cmdlet. And Windows doesn't use the $ notation for environment variables.

As far as I remember, the events from Security log are not recast to another sourcetype. And actually your input stanza matches the "old way" of ingesting windows logs, which hasn't been used for several years now. Currently, the sourcetype for all windows logs should be WinEventlog or XmlWinEventlog depending on whether you're rendering them to XML or not. It's the source field which specifies the point of origin.