topic Re: Splunk Enterprise Security and Splunk Add-On for Windows in Splunk Enterprise Security

Splunk Enterprise Security and Splunk Add-On for Windows

jeburkes76 — Mon, 10 Dec 2018 20:16:15 GMT

As best as I can tell there is a bug between the Splunk Enterprise Security App and Splunk Add-On for Windows. The Splunk Enterprise Security App Windows Event Log Cleared looks for sourcetype=wineventlog:security. However the Splunk Add-On for Windows props file that renames wineventlog:security back to wineventlog causing the Windows Event Log Cleared to never fire.

Additionally, the transform regex may be wrong, not sure, could not get it to fire as written so I created a custom transform, (?m)^LogName=(\S+).

Re: Splunk Enterprise Security and Splunk Add-On for Windows

adonio — Tue, 11 Dec 2018 01:42:42 GMT

is there a question here?
what is the version of the windows TA you are using?
iirc, the 5.0 version has those bugs and it says somewhere in the docs to go back to 4.8.4

Re: Splunk Enterprise Security and Splunk Add-On for Windows

jeburkes76 — Fri, 14 Dec 2018 12:38:34 GMT

I guess sort of a question, I am new to transforms and props configuration files so it was a sanity check. Maybe my team and I made a mistake and installed a later version of the Add-On for Microsoft version 5.0.1 but we believe it came with ES 5.20 when we installed hence our confusion and concern if it is a known issue. This is a test environment so maybe we missed something. Thanks for the info.