https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140720#M28835 <P>6.2.2 and 6.2.3 forwarder bundles the Windows TA. In %SplunkUniversalForwarder%/etc/apps/Splunk_TA_windows/default/inputs.conf there are the following stanzas</P> <P>[WinEventLog://Application]<BR /> disabled = 1<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> <STRONG>index = wineventlog</STRONG><BR /> renderXml=false</P> <P>[WinEventLog://Security]<BR /> disabled = 1<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"<BR /> blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"<BR /> <STRONG>index = wineventlog</STRONG><BR /> renderXml=false</P> <P>[WinEventLog://System]<BR /> disabled = 1<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> index = wineventlog<BR /> renderXml=false</P> <P>When you enable predefined eventlogs such as Security and System in the forwarder .msi installer, the stanzas in %SplunkUniversalForwarder/etc/apps/Splunk_TA_windows/local/inputs.conf looks like this</P> <P>[WinEventLog://Security]<BR /> disabled = 0</P> <P>[WinEventLog://System]<BR /> disabled = 0</P> <P>The Windows TA had not been installed on the Splunk Indexer/Searcher, therefore Splunk didn't know where to put the data. The Windows TA was then installed on the Splunk Indexer/Searcher and data began showing up in the wineventlog index. </P> <P>I have since edited these files to point to a user defined index. We are now happily Splunking Windows Security data again. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Mon, 28 Sep 2020 20:12:10 GMT AndreaEClark 2020-09-28T20:12:10Z https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140715#M28830 <P>My Help Desk relies upon using the Splunk server to assist with identifying the source machine or BYOD for account lockouts. Since we've rebuilt our servers on heartier platforms, (same names, same IP addresses, added resources to our DC VMs) none of my 2012 R2 machines are logging Windows Security Log events. </P> <P>Since the DCs have been upgraded to 2012 R2, none of them are logging security event logs. The servers logged security events into indexes I created when they were still at 2008 R2. As far as the VMs, we extended system partition and allocated more procs and ram. Hardware devices where demoted and new device promoted.</P> <P>My Domain Controller GPOs for Advanced Audit Configuration, hasn't changed since we upgraded the DCs from 2008 R2 to 2012 R2.</P> <P>Advanced Audit Configuration<BR /> Account Logon<BR /> Policy Setting<BR /> Audit Credential Validation Success, Failure<BR /> Audit Kerberos Authentication Service Success, Failure<BR /> Audit Kerberos Service Ticket Operations Success, Failure<BR /> Audit Other Account Logon Events Success, Failure<BR /> Account Management<BR /> Policy Setting<BR /> Audit Application Group Management Success, Failure<BR /> Audit Computer Account Management Success, Failure<BR /> Audit Distribution Group Management Success, Failure<BR /> Audit Other Account Management Events Success, Failure<BR /> Audit Security Group Management Success, Failure<BR /> Audit User Account Management Success, Failure<BR /> Detailed Tracking<BR /> Policy Setting<BR /> Audit Process Creation Success, Failure<BR /> Audit Process Termination Success, Failure<BR /> Audit RPC Events Success, Failure<BR /> DS Access<BR /> Policy Setting<BR /> Audit Directory Service Access Success, Failure<BR /> Audit Directory Service Changes Success, Failure<BR /> Logon/Logoff<BR /> Policy Setting<BR /> Audit Account Lockout Success, Failure<BR /> Audit Logoff Success, Failure<BR /> Audit Logon Success, Failure<BR /> Audit Other Logon/Logoff Events Success, Failure<BR /> Audit Special Logon Success, Failure<BR /> Object Access<BR /> Policy Setting<BR /> Audit Application Generated Success, Failure<BR /> Audit Certification Services Success, Failure<BR /> Audit File Share Success, Failure<BR /> Audit File System Success, Failure<BR /> Audit Kernel Object Success, Failure<BR /> Audit Registry Success, Failure<BR /> Policy Change<BR /> Policy Setting<BR /> Audit Audit Policy Change Success, Failure<BR /> Audit Authentication Policy Change Success, Failure<BR /> Audit Authorization Policy Change Success, Failure<BR /> Audit Other Policy Change Events Failure<BR /> Privilege Use<BR /> Policy Setting<BR /> Audit Sensitive Privilege Use Success, Failure<BR /> System<BR /> Policy Setting<BR /> Audit IPsec Driver Success, Failure<BR /> Audit Other System Events Failure<BR /> Audit Security State Change Success, Failure<BR /> Audit Security System Extension Success, Failure<BR /> Audit System Integrity Success, Failure</P> Wed, 03 Jun 2015 06:25:20 GMT https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140715#M28830 AndreaEClark 2015-06-03T06:25:20Z https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140716#M28831 <P>This looks like a forwarder bug on Windows OS 2012 R2. I am receiving Active Directory data from the forwarder. When I installed/reinstalled the client I selected Security log, System log and Active Directory data. </P> <P>Anyone else attempted to deploy at 6.2.x Universal Forwarder to Windows 2012 R2 Domain Controllers that are forwarding to a 6.2.2. Splunk Server and not getting security log data?</P> Wed, 03 Jun 2015 16:22:34 GMT https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140716#M28831 AndreaEClark 2015-06-03T16:22:34Z https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140717#M28832 <P>Further analysis has revealed that the security logs are actually being sent to the Splunk indexer, but it is not indexing the data as a source=WinEventlog:Security or sourcetype=WinEventlog:Security. The only data in indexer is indexing is source=ActiveDirectory or sourcetype=ActiveDirectory. </P> <P>I'll post more as we discover more. </P> Thu, 04 Jun 2015 21:44:30 GMT https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140717#M28832 AndreaEClark 2015-06-04T21:44:30Z https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140718#M28833 <P>Are you pulling the event log? By eventID? Can you post your query?</P> Thu, 04 Jun 2015 21:57:01 GMT https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140718#M28833 leochan 2015-06-04T21:57:01Z https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140719#M28834 <P>Using the following syntax. With or without quotes, the last indexed data was from 6/1 just prior to removing the last 2008 R2 domain controller from our environment.</P> <P>index=* sourcetype="WinEventLog:Security"</P> Fri, 05 Jun 2015 13:12:49 GMT https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140719#M28834 AndreaEClark 2015-06-05T13:12:49Z https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140720#M28835 <P>6.2.2 and 6.2.3 forwarder bundles the Windows TA. In %SplunkUniversalForwarder%/etc/apps/Splunk_TA_windows/default/inputs.conf there are the following stanzas</P> <P>[WinEventLog://Application]<BR /> disabled = 1<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> <STRONG>index = wineventlog</STRONG><BR /> renderXml=false</P> <P>[WinEventLog://Security]<BR /> disabled = 1<BR /> start_from = oldest<BR /> current_only = 0<BR /> evt_resolve_ad_obj = 1<BR /> checkpointInterval = 5<BR /> blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"<BR /> blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"<BR /> <STRONG>index = wineventlog</STRONG><BR /> renderXml=false</P> <P>[WinEventLog://System]<BR /> disabled = 1<BR /> start_from = oldest<BR /> current_only = 0<BR /> checkpointInterval = 5<BR /> index = wineventlog<BR /> renderXml=false</P> <P>When you enable predefined eventlogs such as Security and System in the forwarder .msi installer, the stanzas in %SplunkUniversalForwarder/etc/apps/Splunk_TA_windows/local/inputs.conf looks like this</P> <P>[WinEventLog://Security]<BR /> disabled = 0</P> <P>[WinEventLog://System]<BR /> disabled = 0</P> <P>The Windows TA had not been installed on the Splunk Indexer/Searcher, therefore Splunk didn't know where to put the data. The Windows TA was then installed on the Splunk Indexer/Searcher and data began showing up in the wineventlog index. </P> <P>I have since edited these files to point to a user defined index. We are now happily Splunking Windows Security data again. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Mon, 28 Sep 2020 20:12:10 GMT https://community.splunk.com/t5/Getting-Data-In/Upgraded-Windows-Domain-Controllers-from-2008-R2-to-2012-R2-why/m-p/140720#M28835 AndreaEClark 2020-09-28T20:12:10Z