Splunk Add-on for Microsoft Windows: How to troubleshoot why EventCode 4662 data is not being indexed?

Path Finder

Hi,

I am trying to look up data related to EventCode="4662", but it does not show in Splunk.

I am using Universal Forwarders and nothing is being blacklisted within the inputs.conf for SplunkTAwindows.
Additionally, I checked inputs.conf on the indexer and it was not present, so I copied inputs.conf from default:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml = false

I have checked within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results.

Not sure how to troubleshoot that.

I am running a single Splunk server.

Splunk Employee

The current issue has been fixed in Windows TA 4.8.4 onwards, so please download the latest version of the Windows TA and test, or try using the following regex:
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

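The difference between the default blacklist regex quoted in the question and the one suggested in this answer is easy to miss, so here is an added example (not from the thread or the add-on) that runs both patterns over constructed 4662 message fragments. Windows separates "Object Type:" from its value with tab characters, so there is normally more than one whitespace character in between. With `\s+(?!groupPolicyContainer)` the regex engine can backtrack so that `\s+` consumes only the first tab, the negative lookahead then sees a tab rather than "groupPolicyContainer", and the pattern matches, which means GPO events are blacklisted along with the junk. Moving the whitespace inside the lookahead, `(?!\s*groupPolicyContainer)`, removes that backtracking path. The example assumes Splunk applies a Message blacklist as an unanchored search, which is what Python's `re.search` does here.

```python
import re

# Pattern from the default inputs.conf quoted in the question.
ORIGINAL = re.compile(r"Object Type:\s+(?!groupPolicyContainer)")
# Pattern suggested in the answer above.
FIXED = re.compile(r"Object Type:(?!\s*groupPolicyContainer)")

# Constructed sample fragments of 4662 Message fields (not real log data).
# Windows uses tab characters between the label and the value.
SAMPLE_MESSAGES = {
    "gpo_tabs": "Object Type:\t\tgroupPolicyContainer",
    "gpo_single_space": "Object Type: groupPolicyContainer",
    "junk_tabs": "Object Type:\t\tuser",
    "junk_single_space": "Object Type: computer",
}


def is_blacklisted(pattern, message):
    """True if the blacklist regex matches, i.e. the event would be dropped."""
    return pattern.search(message) is not None


def surviving_events(pattern, messages):
    """Return the names of the events that would still be indexed."""
    return sorted(name for name, msg in messages.items()
                  if not is_blacklisted(pattern, msg))


def explain_backtracking(message):
    """Show why the original pattern matches a tab-separated GPO event:
    the engine shortens the \\s+ match until the lookahead no longer
    sees 'groupPolicyContainer' directly ahead."""
    m = ORIGINAL.search(message)
    if m is None:
        return None
    # Text consumed by \s+ in the successful match; for the two-tab
    # GPO sample this is a single tab, leaving the second tab in front
    # of the value so the negative lookahead succeeds.
    return m.group(0)[len("Object Type:"):]


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{label:8} keeps: {surviving_events(pattern, SAMPLE_MESSAGES)}")
    print("consumed by \\s+ in original:", repr(explain_backtracking(SAMPLE_MESSAGES["gpo_tabs"])))
```

With the original pattern only the single-space GPO variant survives, which real Windows events never produce; with the fixed pattern both GPO variants survive and both junk variants are dropped. The same check applies to the 566 blacklist line in the question, which uses the identical sub-pattern.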

Path Finder

Could you add some context, why are these specific events "4662" and "566" in your config? Do they definitely appear in your indexed data?


Path Finder

This is the default config. It is supposed to filter out 4662 events that contain junk and only leave 4662 events which contain GPO changes (see http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/ for details).
GPO changes were done today and I can see these events on Windows Event Viewer on DC.


Explorer

I'm running into the same issue. Even when I comment out the blacklisting altogether for EventCode 4662, Splunk is still not indexing any 4662 events (junk or not). I've confirmed that there are other events coming in from the Windows Security Log so I don't believe that permissions are an issue here.


Explorer

I know this is stating the obvious, but have you confirmed that 4662 is coming into the event logs? I know that when we removed the blacklist entirely as a means of troubleshooting, we found that 4662 was not being logged.

That said, I am still having issues myself with the blacklisting portion, but I do know that events not being actually logged was one of our issues, and now events are coming in if I remove the blacklist entirely. If anyone has any ideas outside of copying/pasting, typing things manually, using btool, reinstalling add-ons and clients, or standing on your head and spinning around three times by moonlight, I'd be happy to hear.


SplunkTrust

Sorry but your config file shows 4662 as blacklist. Is it a typo?

Path Finder

No, the regular expression Message="Object Type:\s+(?!groupPolicyContainer)" filters out the junk.
I am just looking to see Group Policy changes, which I know took place earlier today in the morning, and I can see those events within Windows Event Viewer.
