Splunk Add-on for Microsoft Windows: How to troubleshoot why EventCode 4662 data is not being indexed?

ttchorz
Path Finder

Hi,

I am trying to look up data related to EventCode="4662", but it does not show in Splunk.

I am using Universal Forwarders and nothing is being blacklisted within the inputs.conf for Splunk_TA_windows.
Additionally, I checked inputs.conf on the indexer and it was not present, so I copied inputs.conf from default:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml=false

I have checked within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results.

Not sure how to troubleshoot that.

I am running a single Splunk server.

kheo_splunk
Splunk Employee

The current issue has been fixed in Windows TA 4.8.4 onwards, so please download the latest version of the Windows TA and test, or try using the following regex:
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

0 Karma

jpanderson
Path Finder

Could you add some context, why are these specific events "4662" and "566" in your config? Do they definitely appear in your indexed data?

0 Karma

ttchorz
Path Finder

This is the default config. It is supposed to filter out 4662 events that contain junk and only leave 4662 events which contain GPO changes (see http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/ for details).
GPO changes were done today and I can see these events on Windows Event Viewer on DC.

0 Karma

pkiripolsky
Path Finder

I'm running into the same issue. Even when I comment out the blacklisting altogether for EventCode 4662, Splunk is still not indexing any 4662 events (junk or not). I've confirmed that there are other events coming in from the Windows Security Log so I don't believe that permissions are an issue here.

0 Karma

edekker
Explorer

I know this is stating the obvious, but have you confirmed that 4662 is coming into the event logs? I know that when we removed the blacklist entirely as a means of troubleshooting, we found that 4662 was not being logged.

That said, I am still having issues myself with the blacklisting portion, but I do know that events not being actually logged was one of our issues, and now events are coming in if I remove the blacklist entirely. If anyone has any ideas outside of copying/pasting, typing things manually, using btool, reinstalling add-ons and clients, or standing on your head and spinning around three times by moonlight, I'd be happy to hear.

0 Karma

renjith_nair
Legend

Sorry but your config file shows 4662 as blacklist. Is it a typo?

---
What goes around comes around. If it helps, hit it with Karma 🙂

ttchorz
Path Finder

No, the regular expression Message="Object Type:\s+(?!groupPolicyContainer)" filters out the junk.
I am just looking to see Group Policy changes, which I know took place earlier today in the morning, and I can see those events within Windows Event Viewer.

0 Karma
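The two regexes in this thread (the default blacklist quoted in the question and the replacement suggested by kheo_splunk) behave very differently on a 4662 event whose Object Type is groupPolicyContainer, and the difference explains why every 4662 event vanishes with the default pattern. The script below is an added example, not code from the thread or from the Splunk add-on; it runs both patterns with Python's re module (whose lookahead and \s semantics match PCRE for these patterns) over constructed messages that imitate the tab-separated layout of a 4662 Message field. It assumes, as a simplification, that Splunk applies a blacklist regex as an unanchored search over the field value.

```python
import re

# Constructed sample Message bodies, laid out like Windows Security event 4662
# ("An operation was performed on an object"). Real events separate the field
# label from its value with tab characters; the object names are made up.
SAMPLES = {
    "gpo_change": (
        "An operation was performed on an object.\r\n\r\n"
        "Object:\r\n"
        "\tObject Server:\t\tDS\r\n"
        "\tObject Type:\t\tgroupPolicyContainer\r\n"
        "\tObject Name:\t\tCN={EXAMPLE-GUID},CN=Policies,CN=System,DC=example,DC=local\r\n"
    ),
    "junk_user": (
        "An operation was performed on an object.\r\n\r\n"
        "Object:\r\n"
        "\tObject Server:\t\tDS\r\n"
        "\tObject Type:\t\tuser\r\n"
        "\tObject Name:\t\tCN=jdoe,CN=Users,DC=example,DC=local\r\n"
    ),
    "junk_computer": (
        "An operation was performed on an object.\r\n\r\n"
        "Object:\r\n"
        "\tObject Server:\t\tDS\r\n"
        "\tObject Type:\t\tcomputer\r\n"
        "\tObject Name:\t\tCN=WS01,CN=Computers,DC=example,DC=local\r\n"
    ),
}

# Default pattern quoted in the question: the whitespace is consumed *before*
# the negative lookahead, so the regex engine can backtrack \s+ to a shorter
# run and then the lookahead is evaluated against "\tgroupPolicyContainer",
# which is not "groupPolicyContainer" -> the lookahead passes and the event
# is blacklisted even though it is a GPO event.
ORIGINAL = r"Object Type:\s+(?!groupPolicyContainer)"

# Pattern suggested in the thread: the whitespace lives *inside* the
# lookahead, so there is nothing left to backtrack over; a GPO event makes
# the lookahead fail at the only place "Object Type:" occurs.
FIXED = r"Object Type:(?!\s*groupPolicyContainer)"


def is_blacklisted(pattern: str, message: str) -> bool:
    """True if Splunk would drop the event: the blacklist regex matches the
    Message field (assumed: unanchored search, like re.search)."""
    return re.search(pattern, message) is not None


def matched_text(pattern: str, message: str):
    """The substring the pattern matched, or None. For ORIGINAL on a GPO
    event this reveals the backtracking: only one of the two tabs is
    consumed so that the lookahead can succeed."""
    m = re.search(pattern, message)
    return m.group(0) if m else None


def classify(pattern: str) -> dict:
    """Blacklist verdict for every sample under the given pattern."""
    return {name: is_blacklisted(pattern, msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("default", ORIGINAL), ("fixed", FIXED)):
        print(f"{label:8s} {pattern}")
        for name, dropped in classify(pattern).items():
            print(f"  {name:14s} {'DROPPED' if dropped else 'indexed'}")
    print("backtracked match:", repr(matched_text(ORIGINAL, SAMPLES["gpo_change"])))
```

With the default pattern all three samples are dropped, which is the symptom described above (no 4662 events at all, junk or not); with the corrected pattern only the user and computer objects are dropped and the groupPolicyContainer event is kept. The same check is worth running against a real Message body copied from Event Viewer before changing inputs.conf, since the field layout, not just the regex, decides the outcome.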