
SPLUNK app for Windows not working

jviteka
Explorer

I am currently having issues with getting my Splunk for Windows app to work properly. I have deployed the Splunk forwarder to roughly 300 Windows boxes, but the app only shows a performance counter count of 2. The Hosts field in Windows shows all 300 of my servers, but the performance data does not.

I am trying to search for a specific Windows username that is failing in the Windows Security log but cannot perform this search. If anyone knows an easier way to find the Windows user and events it is tied to I would appreciate it. Also, if there is something wrong with my Windows app please let me know any potential fixes. I am only monitoring the Security eventlog on my Windows boxes. Thanks for the help!


lukejadamec
Super Champion

EventCode 4648 is a success only event, so it will not show failures.
This search for EventCode 4625 will show the stats for the host name where the failure occurred, the username that failed, and the failure reason:

index=main sourcetype="*wineventlog:security" EventCode=4625 | eval Account_Name=mvindex(Account_Name,1) | stats count by Workstation_Name,Account_Name,Failure_Reason

The Account_Name,1 eval statement is used to get the second occurrence of Account_Name in the event, because this is generally the name of interest. If you want the first occurrence in the event, then change the 1 to a 0.

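As an added illustration (not code from the thread or from Splunk), the Python below replays that search on constructed 4625 event text: it extracts Account_Name as a multivalue field in order of appearance, takes index 1 the way mvindex(Account_Name,1) does, and counts by Workstation_Name, Account_Name and Failure_Reason. The event layout, sample values and helper names are assumptions made for the example.

```python
import re
from collections import Counter

def make_4625(subject, target, reason, workstation):
    """Constructed 4625 event text in the WinEventLog:Security layout (not a real log)."""
    return (f"EventCode=4625\nSubject:\n\tAccount Name:\t\t{subject}\n"
            f"Account For Which Logon Failed:\n\tAccount Name:\t\t{target}\n"
            f"Failure Information:\n\tFailure Reason:\t\t{reason}\n"
            f"Network Information:\n\tWorkstation Name:\t{workstation}\n")

# Constructed sample data: two bad-password failures for jdoe from WS01, one
# disabled account from WS02, and one successful 4624 logon the search must skip.
EVENTS = [
    make_4625("-", "jdoe", "Unknown user name or bad password.", "WS01"),
    make_4625("-", "jdoe", "Unknown user name or bad password.", "WS01"),
    make_4625("-", "svc_backup", "Account currently disabled.", "WS02"),
    "EventCode=4624\nSubject:\n\tAccount Name:\t\t-\nNew Logon:\n\tAccount Name:\t\tjdoe\n",
]

def extract(event, field):
    """Return every value of a 'Label:<tabs>value' line, in order of appearance,
    the way Splunk builds the multivalue field (Account_Name -> 'Account Name')."""
    label = re.escape(field.replace("_", " "))
    return re.findall(rf"^\s*{label}:[ \t]*(\S.*?)[ \t]*$", event, re.M)

def mvindex(values, i):
    """Splunk's mvindex: the i-th value, or None (null) when it does not exist."""
    return values[i] if -len(values) <= i < len(values) else None

def failed_logon_stats(events):
    """Equivalent of:
       EventCode=4625 | eval Account_Name=mvindex(Account_Name,1)
       | stats count by Workstation_Name,Account_Name,Failure_Reason"""
    counts = Counter()
    for event in events:
        code = re.search(r"^EventCode=(\d+)$", event, re.M)
        if not code or code.group(1) != "4625":
            continue
        key = (mvindex(extract(event, "Workstation_Name"), 0),
               mvindex(extract(event, "Account_Name"), 1),   # target account, not Subject
               mvindex(extract(event, "Failure_Reason"), 0))
        if None in key:        # stats drops events whose by-field is null
            continue
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (ws, account, reason), n in failed_logon_stats(EVENTS).items():
        print(f"{ws:<6} {account:<12} {reason:<40} {n}")
```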
jviteka
Explorer

Event IDs 4625 and 4648 are what I am looking for, with a specified username.


lukejadamec
Super Champion

What EventCode is associated with the failure?

jviteka
Explorer

No, I am not collecting data from WMI, but I can start. Would you be able to answer the search as a temporary fix for finding all events correlated to a Windows username?


lukejadamec
Super Champion

The Windows app requires that performance data be collected via WMI. Are your Windows forwarders collecting WMI performance data? You can also configure the Splunk indexer to collect WMI data from the remote servers, but the service will need to be running as a Windows domain user.
