<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Inconsistent Windows Security Events in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760797#M120486</link>
    <description>&lt;P&gt;But that is not what I was talking about. What you're pasting is the messages Splunk service emits on stdout or stderr when you're starting it. I was talking about the messages which the forwarder writes to splunkd.log (and subsequently picks up with monitor input and sends to the indexers). Those messages might contain a hint about why the event logs are not read.&lt;/P&gt;&lt;P&gt;As I wrote before, the probable cause is that the splunkd.exe process is not able to subscribe to the event log channel(s). It has nothing to do with the forwarder's config itself (the files in $SPLUNK_HOME\etc), but it depends on the user the splunkd.exe is run from.&lt;/P&gt;&lt;P&gt;It's an issue with the OS configuration regarding this user and is a fairly common thing - the user which the Splunk Universal Forwarder service is running as must have appropriate permissions &lt;EM&gt;granted on the operating system level&lt;/EM&gt;&amp;nbsp;(either manually or via GPO) to be able to access some of the event log channels.&lt;/P&gt;</description>
    <pubDate>Fri, 08 May 2026 11:47:40 GMT</pubDate>
    <dc:creator>PickleRick</dc:creator>
    <dc:date>2026-05-08T11:47:40Z</dc:date>
    <item>
      <title>Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760701#M120473</link>
      <description>&lt;DIV&gt;&lt;P&gt;I am observing inconsistent forwarding of Windows Security Event ID 4624 (Successful Logon) from multiple Windows hosts running Splunk Universal Forwarder, despite the hosts having identical configurations.&lt;/P&gt;&lt;P&gt;Some devices forward Event ID 4624 reliably, while others do not forward 4624 at all. This inconsistency persists even though configuration, versions, and OS‑level settings are the same.&lt;/P&gt;&lt;/DIV&gt;</description>
      <pubDate>Tue, 05 May 2026 14:06:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760701#M120473</guid>
      <dc:creator>gitau_gm</dc:creator>
      <dc:date>2026-05-05T14:06:18Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760703#M120474</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310724"&gt;@gitau_gm&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;For the instance not sending&amp;nbsp;&lt;SPAN&gt;Windows Security Event ID 4624, does it sometimes send but not others?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;Are you able to confirm that both instances are running Splunk as the same user with the same permissions? Are you able to see&amp;nbsp;&lt;SPAN&gt;Windows Security Event ID 4624 when checking directly on the instance which is not sending these events?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;How are you managing these instances? Is the content pushed out via a Deployment Server?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
      <pubDate>Tue, 05 May 2026 15:03:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760703#M120474</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2026-05-05T15:03:57Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760704#M120475</link>
      <description>&lt;P class="lia-align-justify"&gt;Hey&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906"&gt;@livehybrid&lt;/a&gt;&amp;nbsp;we are migrated to splunk cloud a couple of months ago so we have ufs sending directly to the cloud. All configs are the same, and yes, I do see security events from the endpoints directly for both instances. We have a DS pushing content.&lt;/P&gt;</description>
      <pubDate>Tue, 05 May 2026 15:13:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760704#M120475</guid>
      <dc:creator>gitau_gm</dc:creator>
      <dc:date>2026-05-05T15:13:25Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760707#M120476</link>
      <description>&lt;P&gt;The usual debugging steps/questions (adding to what&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906"&gt;@livehybrid&lt;/a&gt;&amp;nbsp;already asked)&lt;/P&gt;&lt;P&gt;1. Are 4624 the only events which are not forwarded?&lt;/P&gt;&lt;P&gt;2. Are they not forwarded at all from selected clients or just some of them?&lt;/P&gt;&lt;P&gt;3. Does the splunkd.log show anything interesting for those clients?&lt;/P&gt;&lt;P&gt;4. Are you absolutely sure you have the same effective configuration? (I'm not talking only about what you're pushing but about the effective config merged from all apps, system/local and so on).&lt;/P&gt;</description>
      <pubDate>Tue, 05 May 2026 16:19:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760707#M120476</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2026-05-05T16:19:03Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760709#M120477</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906"&gt;@livehybrid&lt;/a&gt;&amp;nbsp; The 4624s are the ones that made me realize there was an issue&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;These are the events being forwarded by the "good" devices (forwarding 4624s)&amp;nbsp;&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;Authentication / Logon Activity&lt;/TD&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;User Rights &amp;amp; Privileges&lt;/TD&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Service Control Manager&lt;/TD&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;System &amp;amp; Service Lifecycle&lt;/TD&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;Credential Validation (Kerberos/NTLM)&lt;/TD&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;IPsec / Network Security&lt;/TD&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;These are the only events being forwarded by the "other" devices&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;Service Control Manager&lt;/TD&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;System &amp;amp; Service Lifecycle&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 05 May 2026 16:25:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760709#M120477</guid>
      <dc:creator>gitau_gm</dc:creator>
      <dc:date>2026-05-05T16:25:03Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760710#M120478</link>
      <description>&lt;P&gt;If your whole logs are not being forwarded, not just selected events, it suggests some permission issue. Probably either the user your forwarder runs under is not a member of the right group or you have some different policy applied on those UFs which doesn't grant sufficient rights to event logs. (or someone edited ACLs on logs only on some endpoints). That's something I would be troubleshooting with my local windows/AD guru.&lt;/P&gt;</description>
      <pubDate>Tue, 05 May 2026 16:27:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760710#M120478</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2026-05-05T16:27:34Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760715#M120479</link>
      <description>&lt;P&gt;Some devices are forwarding all windows events and some are not. Checked confs and they are identical in both instances.&lt;/P&gt;</description>
      <pubDate>Tue, 05 May 2026 18:58:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760715#M120479</guid>
      <dc:creator>gitau_gm</dc:creator>
      <dc:date>2026-05-05T18:58:20Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760716#M120480</link>
      <description>&lt;P&gt;As I said - it's not about the difference in UF's configuration. It's probably at the OS-level. The user under which the UF's splunkd.exe process is being run does not have the right to read the event logs. After you restart the UF you should get messages (I don't remember if those are warnings or errors) about the input not being able to subscribe to specific event logs.&lt;/P&gt;</description>
      <pubDate>Tue, 05 May 2026 20:45:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760716#M120480</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2026-05-05T20:45:56Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760780#M120485</link>
      <description>&lt;P&gt;Hey PickleRick&lt;BR /&gt;&lt;BR /&gt;In both instances, the messages are consistent:&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Checking conf files for problems...&lt;BR /&gt;Done&lt;BR /&gt;Checking default conf files for edits...&lt;BR /&gt;Validating installed files against hashes from 'C:\Program Files\SplunkUniversalForwarder\splunkforwarder-10.2.2--windows-x64-manifest'&lt;BR /&gt;All installed files intact.&lt;BR /&gt;Done&lt;BR /&gt;All preliminary checks passed.&lt;BR /&gt;&lt;BR /&gt;Starting splunk server daemon (splunkd)...&lt;BR /&gt;SplunkForwarder: Starting (pid 32356)&lt;BR /&gt;Done&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 07 May 2026 18:59:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760780#M120485</guid>
      <dc:creator>gitau_gm</dc:creator>
      <dc:date>2026-05-07T18:59:18Z</dc:date>
    </item>
    <item>
      <title>Re: Inconsistent Windows Security Events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760797#M120486</link>
      <description>&lt;P&gt;But that is not what I was talking about. What you're pasting is the messages Splunk service emits on stdout or stderr when you're starting it. I was talking about the messages which the forwarder writes to splunkd.log (and subsequently picks up with monitor input and sends to the indexers). Those messages might contain a hint about why the event logs are not read.&lt;/P&gt;&lt;P&gt;As I wrote before, the probable cause is that the splunkd.exe process is not able to subscribe to the event log channel(s). It has nothing to do with the forwarder's config itself (the files in $SPLUNK_HOME\etc), but it depends on the user the splunkd.exe is run from.&lt;/P&gt;&lt;P&gt;It's an issue with the OS configuration regarding this user and is a fairly common thing - the user which the Splunk Universal Forwarder service is running as must have appropriate permissions &lt;EM&gt;granted on the operating system level&lt;/EM&gt;&amp;nbsp;(either manually or via GPO) to be able to access some of the event log channels.&lt;/P&gt;</description>
      <pubDate>Fri, 08 May 2026 11:47:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Inconsistent-Windows-Security-Events/m-p/760797#M120486</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2026-05-08T11:47:40Z</dc:date>
    </item>
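The checks PickleRick walks through in the replies above (which account splunkd.exe runs as, whether that account has OS-level read rights on the Security channel, what splunkd.log says about the subscription, and what the effective merged inputs config is) as one PowerShell script to run on a "bad" host and a "good" host side by side. This is an added example written for this page, not code from the thread or from Splunk. It assumes the default install path shown in gitau_gm's paste (C:\Program Files\SplunkUniversalForwarder), the default service name SplunkForwarder, and an elevated prompt; the splunkd.log filter is deliberately broad because the exact wording of the subscription error is version-specific and is not quoted anywhere in the thread.

```powershell
# Added diagnostic script (not from the thread). Assumed install path and service
# name; adjust $SplunkHome if yours differs. Run from an elevated PowerShell prompt.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'

# 1. Which identity does splunkd.exe run as? Event log access is evaluated for this
#    account, not for whoever edited inputs.conf or pushed it from the deployment server.
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
if (-not $svc) { throw 'SplunkForwarder service not found on this host' }
$acct = $svc.StartName
# Local accounts are reported as .\name; normalise to COMPUTER\name for the checks below.
$acct = $acct -replace '^\.\\', "$env:COMPUTERNAME\"
"Service account: $acct"

if ($acct -eq 'LocalSystem' -or $acct -eq 'NT AUTHORITY\SYSTEM') {
    'Running as SYSTEM: the default Security channel ACL already grants SYSTEM read access.'
} else {
    # 2. Is the account a direct member of the built-in Event Log Readers group?
    #    (Nested membership via a domain group is not resolved here; check AD if empty.)
    $readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    $member  = $readers | Where-Object { $_.Name -eq $acct }
    if ($member) { "$acct is a direct member of Event Log Readers" }
    else         { "$acct is NOT a direct member of Event Log Readers" }

    # 3. Read the Security channel's ACL as SDDL. S-1-5-32-573 is Event Log Readers and an
    #    (A;;0x1;;;SID) ACE is a read grant. A GPO or a manual edit can replace this string,
    #    which is the kind of per-host OS difference the thread is pointing at.
    $sd = (Get-WinEvent -ListLog Security).SecurityDescriptor
    "Security channelAccess: $sd"
    $nt  = New-Object System.Security.Principal.NTAccount($acct)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($sd -match [regex]::Escape($sid)) {
        "ACL names $acct directly"
    } elseif ($sd -match 'S-1-5-32-573') {
        'ACL grants Event Log Readers; the membership result above must be true for this to help'
    } else {
        'Neither the account nor Event Log Readers is in the ACL: diff this string against a working host'
    }
}

# 4. What did the forwarder itself log when it tried to subscribe? Filter broadly (the
#    message text varies by version) and read the hits rather than trusting the startup banner.
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Select-String -Path $log -Pattern 'WinEventLog' |
    Where-Object { $_.Line -match 'ERROR|WARN' } |
    Select-Object -Last 20 |
    ForEach-Object { $_.Line }

# 5. Effective merged config for the Security input (all apps plus system/local), not just
#    the app the deployment server pushed. --debug prints which file each setting came from.
Push-Location (Join-Path $SplunkHome 'bin')
.\splunk.exe btool inputs list 'WinEventLog://Security' --debug
Pop-Location
```

Run it on one host that forwards 4624 and one that does not and compare the five outputs in order; the first difference you see is usually the answer. Note that step 2 only sees direct local-group membership, so a service account that gets its rights through a nested domain group will show as "NOT a direct member" even on a working host, which is why step 3 reads the ACL that Windows actually enforces.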
  </channel>
</rss>

