topic Re: Why are we receiving all Windows event log data except security logs from our domain controller? in Getting Data In

Why are we receiving all Windows event log data except security logs from our domain controller?

andybento — Mon, 28 Sep 2020 19:12:00 GMT

Hi,

Having issues in not seeing our security logs from our DC. Here is our code:

[WinEventLog://Security]
disabled = 0
start_from = oldset
current_only = 0
checkpointInterval = 5

This inputs file is located under here with all the other code:
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local

We are receiving Application, system, etc. but no security logs.

Also, we ran the following command splunk btool inputs list and see the following blacklist show up ..

blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"

but we still are not receiving any security logs for our DC, but are receiving everything else. Can anyone shed some light into this?

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

andybento — Fri, 20 Mar 2015 18:33:25 GMT

In addition, version is 6.2.2 and the DC is windows server 2008 R2 (and we are trying as well on Windows Server 2012 R2) but same results.

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

andybento — Fri, 20 Mar 2015 18:55:20 GMT

Also, just removed UAC from the server 2012 R2 and able to see more sourcetype (was at 3 and now 5) but still no security event logs.... only Application, System, Directory Service, DNS Server, DNS Replication

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

merter — Wed, 20 Jan 2016 18:27:31 GMT

We have this problem too. Member servers forward their Security log just fine. It does not work on Domain Controllers.,We have the same (or similar) problem. Member servers forward their Security Event Log events just fine. Domain Controllers do not.

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

mayfieldbk — Wed, 20 Jan 2016 18:52:57 GMT

Because we run Splunk on our DCs w/a service account to be able to collect other AD related data, we had to add permissions to allow access to the security logs (since we didn't make the service account a domain admin). Maybe this will help you:

For us, we used a policy assigned to our domain controllers: Group Policy - Computer Policy> Windows Settings> Security Settings> Local Policies > User Rights Assignment:

Setting: Manage auditing and security log

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

javiergn — Thu, 21 Jan 2016 14:13:54 GMT

Simply add your Splunk user to the local built-in "Event Log Readers" group in all your domain controllers and that will grant them access to the local event logs in those servers. You can populate this via GPO too.

Re: Why are we receiving all Windows event log data except security logs from our domain controller?

mbarbaro — Tue, 20 Jun 2017 07:18:28 GMT

Hello,

someone resolved this issue?

Thanks