
I've installed the Splunk Add-on for Microsoft Windows, but why am I unable to see WinEventLog:Security events?

splunksurekha
Path Finder

I have installed the Splunk Add-on for Microsoft Windows and have the settings below in inputs.conf, but I'm still unable to see the security logs. I checked on the Windows and Active Directory servers and the evtx logs exist.

[WinEventLog://Security]
disabled = 0
whitelist = 4625,4624,4634,4767
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml = false
suppress_text = 1
javiergn
Super Champion

Couple of questions:

  • Which version of Splunk are you running?
  • Are you reading those events locally or remotely?
  • Is your service account a local administrator, or have you granted it at least permission to read the Security event log? There's an Event Log Readers group should you want to use a domain account instead of local SYSTEM. This could be populated via GPOs if you don't want to implement this manually everywhere.

cnjokinee
Engager

  • Splunk 6.3
  • The Windows server sends them to the indexer
  • A local service account (Local System) is running the Forwarder. I created a new "service account" ("splunkforwarder") and gave it enough rights to run the Forwarder. Application and System logs are still coming in, but no Security logs.

javiergn
Super Champion

Hi, I don't get your last point.
There should only be one service on your server that is running your Splunk Universal Forwarder instance; is this running as LOCAL SYSTEM or as the "splunkforwarder" user?

If the latter, could you try giving the user temporary local admin rights and then restarting your Splunk service?

By default System and Application logs are less restrictive on Windows machines and local users should be able to read those even if they are not local administrators. Security logs tend to require extra rights.

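A diagnostic for the permissions points raised in the two answers above, added here as an example; it is not part of the Splunk add-on or of anyone's post. It assumes the forwarder service is named SplunkForwarder (the installer default), Windows PowerShell 5.1 or later (for Get-LocalGroupMember), and an elevated prompt on the forwarding host.

```powershell
# Check whether the Universal Forwarder's service account can read the Security log,
# and whether the event IDs whitelisted in the inputs.conf stanza are actually present.
# Assumption: the forwarder service is named "SplunkForwarder" (installer default).
$svcName = 'SplunkForwarder'

# 1. Identify the account the service runs as (LocalSystem, .\user or DOMAIN\user).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service '$svcName' not found on this host" }
Write-Host "Forwarder service account: $($svc.StartName)"

# 2. LocalSystem reads Security by default; any other account needs Administrators or
#    Event Log Readers membership (or an explicit grant in the channel's SDDL).
#    Direct membership only: an account nested through a domain group is not detected here.
if ($svc.StartName -ne 'LocalSystem') {
    $acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
    foreach ($group in 'Administrators', 'Event Log Readers') {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.Name }
        $ok = [bool]($members -contains $acct)
        Write-Host ("  Member of '{0}': {1}" -f $group, $ok)
    }
}

# 3. Show the Security channel's access descriptor. The default grants 0x1 (read) to
#    S-1-5-32-573, the Event Log Readers group; a modified SDDL without it would explain
#    why membership in that group is not enough.
$channelAccess = (wevtutil gl Security | Select-String 'channelAccess').Line
Write-Host "Security channel ACL: $channelAccess"

# 4. Confirm the whitelisted events exist locally, so an empty search points at a
#    permissions or indexing problem rather than an absence of events.
$whitelist = 4624, 4625, 4634, 4767   # the IDs from the inputs.conf stanza in the question
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $whitelist } `
                           -MaxEvents 5 -ErrorAction Stop
    Write-Host ("Found {0} matching Security events; newest is ID {1} at {2}" -f `
                $events.Count, $events[0].Id, $events[0].TimeCreated)
}
catch {
    # Thrown both when the log is unreadable and when no event matches the filter.
    Write-Host "Could not read matching Security events: $($_.Exception.Message)"
}
```

Run it once from an elevated prompt to see the account and ACL, then, to reproduce the forwarder's view, run step 4 in a session started as the service account.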

cnjokinee
Engager

Hi!

It was running as "Local System". I created "splunkforwarder" with local admins and log rights. At first I didn't get anything special so I made some Group Policy checks and left for home. During the night logs have started to come to indexer. Might've been a policy issue...?

Thanks for your help! 😃


javiergn
Super Champion

I'm glad it works now.
By the way, could you accept one of the answers in order to fully close this question?


mikelanghorst
Motivator

I'd ask the easy question first. Are you searching in index=wineventlog? Or does your role have permission to search all internal indexes?

This response likely doesn't rate as an answer yet.


cnjokinee
Engager

Hi!

Having the same problem. WinEventLog://System is working from the same inputs.conf file and I have the wineventlog index available.
