
Splunk App for Windows Infrastructure: Why does Failed Logons by IP Address chart never populate data?

Path Finder

I found that the "Failed Logons by IP Address" chart in the Splunk App for Windows Infrastructure never shows any data, though the "Failed Logons over Time" chart does show that there are failed logins.

I tried to drill down a bit more and found that essentially it is because wineventlog did not come with the "Source_Network_Address" or "Client_Address" fields that Splunk_TA_windows expected.

[Source_Network_Address_as_src_ip]
SOURCE_KEY = Source_Network_Address
REGEX = ([\\]+)?([^-].*)
FORMAT = src_ip::"$2"

[Client_Address_as_src_ip]
SOURCE_KEY = Client_Address
REGEX = ([\\]+)?([^-].*)
FORMAT = src_ip::"$2"

However, I saw another field, "src_nt_host", which does show the IPs that I want. I'm thinking of either aliasing src_nt_host or replacing the default transformation above with the same one used for "src_nt_host". What's the initial idea behind this transformation? Is it because of handling for different Windows versions? My case is Windows Server 2012 (AD).

[Workstation_Name_as_src_nt_host]
SOURCE_KEY = Workstation_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

[Caller_Machine_Name_as_src_nt_host]
SOURCE_KEY = Caller_Machine_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

[Client_Machine_Name_as_src_nt_host]
SOURCE_KEY = Client_Machine_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

[Caller_Computer_Name_as_src_nt_host]
SOURCE_KEY = Caller_Computer_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

[Source_Workstation_as_src_nt_host]
SOURCE_KEY = Source_Workstation
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"

Splunk Employee

The search that builds the lookup table tHostInfo was disabled in my environment. Enable the scheduled search tHostInfoLookupUpdate and your dashboard should populate.


New Member

My scheduled search is enabled, but it still doesn't work.
I also removed fix-localhost, because otherwise it doesn't work for me.


Path Finder

It might be a failure on the macro. I just realized I have this issue, so we'll troubleshoot together!

TL;DR: the fields are wrong, and the lookup mentioned in the macro ip-to-host does not exist. Update the macro fix-localhost, fix the query (shown below), and remove |`ip-to-host` from the query. That should fix it. Oh, and don't forget to change the panel's query as well after testing.

Failed Logons Over Time query=

eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type 
|timechart count by signature

Failed Logons by IP query =

eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type 
|`ip-to-host`
|`fix-localhost`
|stats count by src_nt_host,src_ip
|sort -count
|rename src_nt_host as "Workstation",src_ip as "IP Address"

Note the two macros in your failed logon by IP query:

  1. ip-to-host
  2. fix-localhost

Now the searches for each macro:

ip-to-host = join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]

fix-localhost = eval src_host=if(src_ip=="127.0.0.1" OR src_ip=="-",upper(host),src_host)|eval src_host=src_nt_domain."\\".src_host

Now I'm going to say, I see a problem here: index=wineventlog does not have src_ip field; eventtype=msad* uses index=wineventlog.
BUT! There is a field IpAddress that contains IP addresses, and host that contains hostnames where the field src_host does not exist.

So let's tweak these macros:
ip-to-host = join src [|inputlookup tHostInfo | table src,Caller_Domain]
fix-localhost = eval host=if(IpAddress=="127.0.0.1" OR IpAddress=="-",upper(host),host)|eval host= Caller_Domain."\\".host

Still not getting anything, so I search:

eventtype=msad-failed-user-logons (host="*") 
|fields _time,signature,src,host,Caller_Domain,user,Logon_Type 
|`ip-to-host`
|`fix-localhost`
|stats count by host,src
|sort -count
|rename host as "Workstation",src as "IP Address"

Note, I've changed the query to represent fields that exist in index=wineventlog.

Still not getting anything! But wait, a lookup is mentioned in the macro ip-to-host, so let's see how that is configured!

There is no lookup tHostInfo, so let's remove ip-to-host from the query.

eventtype=msad-failed-user-logons (host="*") 
|fields _time,signature,src,host,Caller_Domain,user,Logon_Type 
|`fix-localhost`
|stats count by host,src
|sort -count
|rename host as "Workstation",src as "IP Address"

YES!!!!!! IT WORKS!

Results:

Workstation        IP Address       count
DOMAIN<Hostname>   127.0.0.1        2
DOMAIN<Hostname>   10.###.##.###    1
DOMAIN<hostname>   127.0.0.1        1

So change the fields in the macro fix-localhost, as noted in "let's tweak these macros", then remove ip-to-host from the query, while also updating the query the panel uses to search.

Path Finder

More thoughts...
My raw XML event looks like this. I believe src_ip can be extracted from IpAddress:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2016-11-23T09:46:24.500210800Z'/><EventRecordID>373002</EventRecordID><Correlation/><Execution ProcessID='504' ThreadID='3996'/><Channel>Security</Channel><Computer>spunk_forward.splunk0.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>vic.chen</Data><Data Name='TargetDomainName'>TC-NB553</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TC-NB553</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>192.168.3.32</Data><Data Name='IpPort'>55425</Data></EventData></Event>

This is what I'm going to add:

props.conf
[source::*:Security]
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip,IpAddress_as_src_ip

transforms.conf
[IpAddress_as_src_ip]
SOURCE_KEY = IpAddress
REGEX = (.+)
FORMAT = src_ip::$1
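To see what the transforms quoted in this thread actually produce for the 4625 event above, here is an added Python emulation (not Splunk's extraction engine and not part of the TA): it flattens the EventData into fields, applies each src_ip stanza's REGEX to its SOURCE_KEY in REPORT order, and reports every stanza that matches. The REPORT order and the first-match rule are assumptions taken from the discussion; the sample event is a trimmed copy of the one posted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the 4625 event quoted in the thread, trimmed to the
# EventData entries that matter for src_ip extraction.
SAMPLE_EVENT = """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System><EventID>4625</EventID><Computer>spunk_forward.splunk0.local</Computer></System>
<EventData>
<Data Name='TargetUserName'>vic.chen</Data>
<Data Name='WorkstationName'>TC-NB553</Data>
<Data Name='IpAddress'>192.168.3.32</Data>
<Data Name='IpPort'>55425</Data>
</EventData></Event>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The transforms.conf stanzas from the thread, in the REPORT- order proposed above:
# (SOURCE_KEY, REGEX, capture group referenced by FORMAT).
SRC_IP_TRANSFORMS = [
    ("Source_Network_Address", r"([\\]+)?([^-].*)", 2),
    ("Client_Address",         r"([\\]+)?([^-].*)", 2),
    ("IpAddress",              r"(.+)",             1),  # stanza proposed in the post above
]


def event_fields(xml_text):
    """Flatten <Data Name='X'>value</Data> entries into a dict of field -> value."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}


def apply_transforms(fields, transforms):
    """Return (SOURCE_KEY, src_ip) for each stanza whose key exists and whose REGEX matches.

    re.search is used because a transforms.conf REGEX is unanchored. Note that the
    ([^-].*) pattern deliberately skips the "-" Windows writes when no address is known,
    while the proposed (.+) pattern for IpAddress does not, so "-" would become src_ip.
    """
    hits = []
    for key, regex, group in transforms:
        if key not in fields:
            continue  # field absent from this event, stanza contributes nothing
        m = re.search(regex, fields[key])
        if m and m.group(group):
            hits.append((key, m.group(group)))
    return hits


def first_src_ip(fields):
    """Assumption from the thread: the first stanza that yields a value wins."""
    hits = apply_transforms(fields, SRC_IP_TRANSFORMS)
    return hits[0][1] if hits else None
```

Running first_src_ip(event_fields(SAMPLE_EVENT)) gives 192.168.3.32, confirming that only the IpAddress stanza fires for this event because the other two source keys are absent.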

SplunkTrust

As you know, src_ip has the IP address and src_nt_host captures the host name. In your case, if your src_ip doesn't have the value (i.e. the IP address) you need, and if that's present in src_nt_host, you can alias it and it should work.

Alternatively, if you go down the props/transforms approach (as above), as soon as the first src_ip is obtained, the transform will return. So, if Source_Network_Address_as_src_ip returns a value for src_ip, your IpAddress_as_src_ip may not run, or may overwrite it. Please check/test it once.


Path Finder

The Failed Logons by IP Address chart works for us, and we are using the Splunk App for Windows Infrastructure V1.4.0, Splunk Enterprise V6.5.1, and Splunk_TA_windows V4.8.3.

The only issue we did notice in general with the application was that under Windows Performance Monitoring the Perfmon Hosts Multiselect was not defined correctly (Token Prefix, Token Suffix, and Token Value Prefix were empty), so we fixed it, since we are now able to edit the dashboard with 1.4.0.

Hope that helps.


SplunkTrust

I don't have the Windows Infra app installed any more, and though I don't know offhand why this isn't working, you are probably heading down the right road for correcting it.

If you need a field called src_ip and you can extract it easily enough, I'd do that. In this case an alias may work just fine since you have it available already. Either method will likely work fine.

So, IMO make the field as you seemed to be doing and do some testing to see if your results make sense.
