All Apps and Add-ons

Splunk Add-on for Microsoft Windows: How to find the cause of missing Windows Security Event Log entries?


I have searched the Answers site and cannot find an answer to why I get log off events, but intermittently am missing log on events in Splunk.

This is a big problem for us and I have opened a ticket with Splunk Support but that also went nowhere and am hoping someone has had this issue and found a cause/fix.

We on occasion see log off events, but cannot find the log on event anywhere. We do have a product called Adiscon that also grabs event log entries and it always has both events. We are using the Splunk_TA_Windows add-on with the following settings:

disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 560,562,565-567,4656-4658,4661-4663,4928-4934
index = wineventlog

Hoping someone can help.

0 Karma

Path Finder

Have you found some solution? We got the same problem.
Thank you

0 Karma


Stanza looks ok to me. As part of troubleshooting I would simplify by removing blacklist entries to see if that changes the outcome in any way with regard to the missing events.

Is the stanza you are showing the output of btool query? If not, I'd recommend running splunk.exe cmd btool inputs list WinEventLog://Security to ensure that you do not have any other conflicting inputs defined on your forwarder. If the outputs are not what you expect, add the "--debug" flag to the end of the query to show the input files corresponding to each specification associated with the stanza.

If you are getting some security events but not all security events and you are not blacklisting them on the universal forwarder, take a look at your props/transforms.conf on receivers/indexers to ensure you are not null-routing or rewriting events along the path.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!