I am trying to look up data related to
EventCode="4662", but it does not show in Splunk.
I am using Universal Forwarders and nothing is being blacklisted within the inputs.conf for SplunkTAwindows.
Additionally, I checked inputs.conf on the indexer and it was not present; I copied inputs.conf from default:

    [WinEventLog://Security]
    disabled = 0
    start_from = oldest
    current_only = 0
    evt_resolve_ad_obj = 1
    checkpointInterval = 5
    blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
    blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
    index = wineventlog
    renderXml=false
I have checked within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results.
Not sure how to troubleshoot that.
I am running a single Splunk server.
The current issue has been fixed in Windows TA 4.8.4 onwards, so please download the latest version Windows TA and test or try using the following Regex.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
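To see why the stock pattern can drop the very GPO events it is meant to keep, here is an added example (not from this thread or from the Windows TA) that runs both Message regexes over constructed sample values with Python's re module; it assumes Python's `\s` and negative lookahead behave the same as Splunk's PCRE for these patterns, and the sample strings only imitate the "Object Type:" line of a 4662 message.

```python
import re

# The Message= part of the two blacklist patterns discussed in the thread.
ORIGINAL = r"Object Type:\s+(?!groupPolicyContainer)"
SUGGESTED = r"Object Type:(?!\s*groupPolicyContainer)"

# Constructed samples (not real event text): the same object type with one
# space versus the tab-padded layout a real 4662 message tends to use.
SAMPLES = {
    "gpo_single_space": "Object Type: groupPolicyContainer",
    "gpo_tabbed": "Object Type:\t\tgroupPolicyContainer",
    "junk_user": "Object Type:\t\tuser",
    "junk_computer": "Object Type: computer",
}


def is_blacklisted(pattern: str, message: str) -> bool:
    """Blacklist semantics: the event is dropped when the regex matches anywhere."""
    return re.search(pattern, message) is not None


def compare(samples=SAMPLES):
    """Return, per sample, whether each pattern would drop the event.

    With ORIGINAL, '\\s+' first eats all the whitespace, the lookahead fails
    on 'groupPolicyContainer', and the engine backtracks one whitespace
    character; at that position the next character is whitespace, not 'g',
    so the negative lookahead succeeds and the GPO event is dropped.
    SUGGESTED puts the optional whitespace inside the lookahead, so there is
    nothing to backtrack over and only non-GPO object types are dropped.
    """
    return {
        name: {
            "original": is_blacklisted(ORIGINAL, msg),
            "suggested": is_blacklisted(SUGGESTED, msg),
        }
        for name, msg in samples.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18} original={result['original']!s:5} suggested={result['suggested']}")
```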
This is a default config. It is supposed to filter out 4662 events that contain junk and only leave 4662 events which contain GPO changes (see http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/ for details).
GPO changes were done today and I can see these events on Windows Event Viewer on DC.
I'm running into the same issue. Even when I comment out the blacklisting altogether for EventCode 4662, Splunk is still not indexing any 4662 events (junk or not). I've confirmed that there are other events coming in from the Windows Security Log so I don't believe that permissions are an issue here.
I know this is stating the obvious, but have you confirmed that 4662 is coming into the event logs? I know that when we removed the blacklist entirely as a means of troubleshooting, we found that 4662 was not being logged.
That said, I am still having issues myself with the blacklisting portion, but I do know that events not being actually logged was one of our issues, and now events are coming in if I remove the blacklist entirely. If anyone has any ideas outside of copying/pasting, typing things manually, using btool, reinstalling add-ons and clients, or standing on your head and spinning around three times by moonlight, I'd be happy to hear.
No, the regular expression
Message="Object Type:\s+(?!groupPolicyContainer)" filters out the junk
I am just looking to see Group Policy changes which I know took place earlier today in the morning, and I can see those events within Windows Event Viewer.