Splunk 5.x App for Microsoft Windows: What is this "app=win:unknown" being captured in 63% of Windows security logs in Splunk?
Hi Splunkers
I am getting this value of field app=win:unknown being captured in 63% of Windows security logs in Splunk. What does it mean?
Other values for the app field are:
win:remote
win:local
Thanks,
Mohammed
Is there any way you could paste in one of those events here?
This is how we got it working thanks to help from PS:
In the Splunk_TA_Windows\lookups\windows_apps.csv, you'll have to manually add any Windows event codes and what type of app you want them to show up as. Here's a small snippet from ours:
4674,,,,,win:security
4957,,,,,win:firewall
4768,,,,,win:kerberos
4958,,,,,win:useless
4793,,,,,win:security
4611,,,,,win:auth
4702,,,,,win:schedule
4932,,,,,win:adsync
I believe the windows_apps.csv changes would be overwritten when you update the Splunk_TA_Windows.
Hi mwarvi,
Can you please share your csv with me? I stumbled upon the same issue. Thank you so much.
Best regards,
Tomas
Hi, I am also having this same issue.
Would it be possible to get a complete listing for this csv file?
Here's another snippet with the headers in it. The app is just plain text that we decided on here, so you can call it whatever you want. The file should already be there, as I believe the app itself uses it.
It's a very manual process where you just have to go through each event code you want and make up an app for it.
EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,sourcetype,app
552,,,,,win:remote
4648,,,,,win:remote
4663,,,,,win:fileaccess
5157,,,,,win:firewall
5145,,,,,win:fileaccess
4656,,,,,win:fileaccess
5158,,,,,win:firewall
4690,,,,,win:fileaccess
4776,,,,,win:auth
4672,,,,,win:auth
5152,,,,,win:firewall
5156,,,,,win:firewall
5447,,,,,win:firewall
Is there any solution for the described problem?
We had the same, plus action=unknown and user=unknown.
Tried to solve the problem by adding field aliases, but didn't find field aliases for action and "win:unknown".
Manual intervention. Need to look up the Event IDs that are showing as win:unknown and correlate them with their respective category. Once you look up the Event ID/Category, you add them manually to windows_apps.csv.
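As an added example (not code from this thread or from the Splunk_TA_Windows app), the Python below loads a windows_apps.csv in the column layout posted earlier in the thread, classifies a constructed sample of EventCode values, and reports which codes would still fall through to win:unknown together with ready-to-append rows. The lookup rows, the sample event codes and the fallback-to-win:unknown behaviour are assumptions made for the example.

```python
import csv
import io
from collections import Counter

# Header exactly as in the windows_apps.csv snippet above; the rows are a constructed sample.
LOOKUP_CSV = """EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,sourcetype,app
4648,,,,,win:remote
4663,,,,,win:fileaccess
5157,,,,,win:firewall
4776,,,,,win:auth
4672,,,,,win:auth
"""

# Constructed sample of EventCode values as they would be extracted from Windows security events.
SAMPLE_EVENT_CODES = ["4624", "4672", "4663", "4688", "4776", "4624", "5157", "4720", "4688"]


def load_lookup(text):
    """Return {EventCode: app} from the lookup CSV; rows with an empty app are skipped."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(text)):
        code, app = row["EventCode"].strip(), row["app"].strip()
        if code and app:
            mapping[code] = app
    return mapping


def classify(event_codes, lookup):
    """Map each event's code to an app. Assumption: codes missing from the lookup show as win:unknown."""
    return [lookup.get(code, "win:unknown") for code in event_codes]


def unknown_fraction(event_codes, lookup):
    """Share of events that land in win:unknown (the thread's 63% figure, computed for the sample)."""
    apps = classify(event_codes, lookup)
    return apps.count("win:unknown") / len(apps) if apps else 0.0


def unknown_report(event_codes, lookup):
    """Event codes that would land in win:unknown, most frequent first: the list to research and add."""
    counts = Counter(code for code in event_codes if code not in lookup)
    return counts.most_common()


def lookup_rows(new_apps):
    """Render {EventCode: app} as rows in the six-column windows_apps.csv layout (five empty fields)."""
    return ["%s,,,,,%s" % (code, app) for code, app in sorted(new_apps.items())]


if __name__ == "__main__":
    lookup = load_lookup(LOOKUP_CSV)
    print("unknown share: %.0f%%" % (100 * unknown_fraction(SAMPLE_EVENT_CODES, lookup)))
    for code, n in unknown_report(SAMPLE_EVENT_CODES, lookup):
        print("EventCode %s seen %d times -> needs an app in windows_apps.csv" % (code, n))
    # Rows to append once each code has been researched (apps here are constructed labels).
    print("\n".join(lookup_rows({"4624": "win:auth", "4688": "win:process"})))
```

Run it against an export of your own event codes to get the prioritised list of codes to research before editing the lookup.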
