topic How to troubleshoot event code 4662 and why the event not showing on splunk?? (Event code needed for use case) in Getting Data In

How to troubleshoot event code 4662 and why the event not showing on splunk?? (Event code needed for use case)

ricardo_911 — Fri, 15 Sep 2023 07:18:35 GMT

Hi,

I am trying to look up data related to EventCode="4662", but it does not show in Splunk.

Additionally I checked inputs.conf on the indexer and it was not present, I copied inputs.conf from default:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

I have check within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results.

so what i want to see is the event code 4662 that in it's message contain Object Type: user

Here i will provide the event viewer logs that i want splunk to show

An operation was performed on an object.

Subject :
  Security ID:       CIMBNIAGA\YT91504X
  Account Name:      YT91504X
  Account Domain:    CIMBNIAGA
  Logon ID:          0xC2D9E1AC

Object:
  Object Server: DS
  Object Type:   user
  Object Name:   CN=ADJOINADMIN,OU=Functional   ID,OU=Special_OU,DC=cimbniaga,DC=co,DC=id
  Handle ID:     0x0

Operation:
  Operation Type:  Object Access
  Accesses:        READ_CONTROL

  Access Mask:   0x20000
  Properties:    READ_CONTROL {bf967aba-0de6-11d0-a285-00aa003049e2}

Additional Information:
  Parameter 1:    -
  Parameter 2:

Please help me i really got stuck i already try to delete the blacklist filtering but it's still not give me the log that i want just like in the top @kheo_splunk

Re: How to troubleshoot event code 4662 and why the event not showing on splunk?? (Event code needed for use case)

richgalloway — Fri, 15 Sep 2023 12:19:18 GMT

You won't find event 4662 because they're blacklisted. The blacklist prevents events with that code from being ingested and indexed, therefore, they cannot be searched.

Removing the blacklist will allow new 4662 events to be indexed, but will not do anything for the older events that happened while the blacklist was in effect.

Re: How to troubleshoot event code 4662 and why the event not showing on splunk?? (Event code needed for use case)

ricardo_911 — Mon, 18 Sep 2023 02:43:34 GMT

Yes i already try to remove the blacklist even try the whitelist but the result is still same the event code 4662 not generated at all. When my team already remove the blacklist, we also try to enumerate the active directory to see if the event generate but when we check on splunk the event still not showing up. Is there other settings or maybe the regex is wrong??

Re: How to troubleshoot event code 4662 and why the event not showing on splunk?? (Event code needed for use case)

richgalloway — Mon, 18 Sep 2023 12:14:50 GMT

When you removed the blacklist setting do you also restart the forwarder(s)?

Are there any transform or Ingest Actions in the data path that might also be discarding the events?

Re: How to troubleshoot event code 4662 and why the event not showing on splunk?? (Event code needed for use case)

Boogyman — Fri, 18 Oct 2024 10:58:40 GMT

Did this get resolved ? We are also facing the same issue.