All Apps and Add-ons

List of Event IDs required by the AD app?

Wallen
Explorer

Is there a way to get a list of event ID's that the Splunk App for Microsoft Windows Active Directory needs?

We use advanced audit policies, and we currently forward very little into Splunk, using 6.x's whitelisting for event IDs. We definitely don't have enough license to dump nearly the whole security event logs from multiple domain controllers, as the readme in the app wants one to configure.

0 Karma
1 Solution

somesoni2
Revered Legend

Total 588 event codes present in the lookup file EventCodes.csv in the app but following 147 are used in dashboards/searchs/event-types

EventCode#512
EventCode#513
EventCode#516
EventCode#517
EventCode#528
EventCode#529
EventCode#530
EventCode#531
EventCode#532
EventCode#533
EventCode#534
EventCode#535
EventCode#536
EventCode#537
EventCode#539
EventCode#540
EventCode#566
EventCode#624
EventCode#625
EventCode#626
EventCode#627
EventCode#628
EventCode#629
EventCode#630
EventCode#631
EventCode#632
EventCode#633
EventCode#634
EventCode#635
EventCode#636
EventCode#637
EventCode#638
EventCode#639
EventCode#641
EventCode#642
EventCode#644
EventCode#645
EventCode#646
EventCode#647
EventCode#648
EventCode#649
EventCode#650
EventCode#651
EventCode#652
EventCode#653
EventCode#654
EventCode#655
EventCode#656
EventCode#657
EventCode#658
EventCode#659
EventCode#660
EventCode#661
EventCode#662
EventCode#663
EventCode#664
EventCode#665
EventCode#666
EventCode#667
EventCode#668
EventCode#671
EventCode#672
EventCode#675
EventCode#685
EventCode#807
EventCode#1014
EventCode#1083
EventCode#1084
EventCode#1100
EventCode#1101
EventCode#1102
EventCode#1104
EventCode#1203
EventCode#1307
EventCode#1308
EventCode#1311
EventCode#1458
EventCode#1566
EventCode#1621
EventCode#1699
EventCode#1800
EventCode#1801
EventCode#1865
EventCode#1925
EventCode#1926
EventCode#1988
EventCode#2087
EventCode#2088
EventCode#4608
EventCode#4609
EventCode#4612
EventCode#4621
EventCode#4624
EventCode#4625
EventCode#4662
EventCode#4720
EventCode#4722
EventCode#4723
EventCode#4724
EventCode#4725
EventCode#4726
EventCode#4727
EventCode#4728
EventCode#4729
EventCode#4730
EventCode#4731
EventCode#4732
EventCode#4733
EventCode#4734
EventCode#4735
EventCode#4736
EventCode#4737
EventCode#4738
EventCode#4740
EventCode#4741
EventCode#4742
EventCode#4743
EventCode#4744
EventCode#4745
EventCode#4746
EventCode#4747
EventCode#4748
EventCode#4749
EventCode#4750
EventCode#4751
EventCode#4752
EventCode#4753
EventCode#4754
EventCode#4755
EventCode#4756
EventCode#4757
EventCode#4758
EventCode#4759
EventCode#4760
EventCode#4761
EventCode#4762
EventCode#4763
EventCode#4764
EventCode#4767
EventCode#4768
EventCode#4771
EventCode#4781
EventCode#4912

View solution in original post

somesoni2
Revered Legend

Total 588 event codes present in the lookup file EventCodes.csv in the app but following 147 are used in dashboards/searchs/event-types

EventCode#512
EventCode#513
EventCode#516
EventCode#517
EventCode#528
EventCode#529
EventCode#530
EventCode#531
EventCode#532
EventCode#533
EventCode#534
EventCode#535
EventCode#536
EventCode#537
EventCode#539
EventCode#540
EventCode#566
EventCode#624
EventCode#625
EventCode#626
EventCode#627
EventCode#628
EventCode#629
EventCode#630
EventCode#631
EventCode#632
EventCode#633
EventCode#634
EventCode#635
EventCode#636
EventCode#637
EventCode#638
EventCode#639
EventCode#641
EventCode#642
EventCode#644
EventCode#645
EventCode#646
EventCode#647
EventCode#648
EventCode#649
EventCode#650
EventCode#651
EventCode#652
EventCode#653
EventCode#654
EventCode#655
EventCode#656
EventCode#657
EventCode#658
EventCode#659
EventCode#660
EventCode#661
EventCode#662
EventCode#663
EventCode#664
EventCode#665
EventCode#666
EventCode#667
EventCode#668
EventCode#671
EventCode#672
EventCode#675
EventCode#685
EventCode#807
EventCode#1014
EventCode#1083
EventCode#1084
EventCode#1100
EventCode#1101
EventCode#1102
EventCode#1104
EventCode#1203
EventCode#1307
EventCode#1308
EventCode#1311
EventCode#1458
EventCode#1566
EventCode#1621
EventCode#1699
EventCode#1800
EventCode#1801
EventCode#1865
EventCode#1925
EventCode#1926
EventCode#1988
EventCode#2087
EventCode#2088
EventCode#4608
EventCode#4609
EventCode#4612
EventCode#4621
EventCode#4624
EventCode#4625
EventCode#4662
EventCode#4720
EventCode#4722
EventCode#4723
EventCode#4724
EventCode#4725
EventCode#4726
EventCode#4727
EventCode#4728
EventCode#4729
EventCode#4730
EventCode#4731
EventCode#4732
EventCode#4733
EventCode#4734
EventCode#4735
EventCode#4736
EventCode#4737
EventCode#4738
EventCode#4740
EventCode#4741
EventCode#4742
EventCode#4743
EventCode#4744
EventCode#4745
EventCode#4746
EventCode#4747
EventCode#4748
EventCode#4749
EventCode#4750
EventCode#4751
EventCode#4752
EventCode#4753
EventCode#4754
EventCode#4755
EventCode#4756
EventCode#4757
EventCode#4758
EventCode#4759
EventCode#4760
EventCode#4761
EventCode#4762
EventCode#4763
EventCode#4764
EventCode#4767
EventCode#4768
EventCode#4771
EventCode#4781
EventCode#4912

Wallen
Explorer

Thanks!
I only needed the 4 digit codes, since we don't have any servers older than 2008 R2.

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...