I found that the "Failed Logons by IP Address" chart in Splunk App for Windows Infrastructure never shows any data, even though the "Failed Logons over Time" chart shows that there are failed logins.
I tried to drill down a bit more and found that it is essentially because wineventlog did not come with the "Source_Network_Address" or "Client_Address" fields that Splunk_TA_windows expects:
[Source_Network_Address_as_src_ip]
SOURCE_KEY = Source_Network_Address
REGEX = ([\\]+)?([^-].*)
FORMAT = src_ip::"$2"
[Client_Address_as_src_ip]
SOURCE_KEY = Client_Address
REGEX = ([\\]+)?([^-].*)
FORMAT = src_ip::"$2"
However, I saw another field, "src_nt_host", which shows the IPs that I want. I'm thinking of either aliasing src_nt_host or replacing the default transformation above with the same one used for "src_nt_host". What was the original idea behind this transformation? Is it to handle different Windows versions? My case is Windows Server 2012 (AD).
[Workstation_Name_as_src_nt_host]
SOURCE_KEY = Workstation_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"
[Caller_Machine_Name_as_src_nt_host]
SOURCE_KEY = Caller_Machine_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"
[Client_Machine_Name_as_src_nt_host]
SOURCE_KEY = Client_Machine_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"
[Caller_Computer_Name_as_src_nt_host]
SOURCE_KEY = Caller_Computer_Name
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"
[Source_Workstation_as_src_nt_host]
SOURCE_KEY = Source_Workstation
REGEX = ([\\]+)?([^-].*)
FORMAT = src_nt_host::"$2"
The search that builds the lookup table tHostInfo was disabled in my environment. Enable the scheduled search tHostInfo_Lookup_Update and your dashboard should populate.
My scheduled search is enabled, but it still doesn't work.
I also removed fix-localhost, because otherwise it doesn't work for me.
It might be a failure on the macro. I just realized I have this issue, so we'll troubleshoot together!
TL;DR: the fields are wrong, and the lookup mentioned in the macro ip-to-host does not exist. Update the macro fix-localhost, fix the query (shown below), and remove |ip-to-host from the query. That should fix it. Oh, and don't forget to change the panel's query as well after testing.
Failed Logons Over Time query:
eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type
|timechart count by signature
Failed Logons by IP query:
eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src_ip,src_host,src_nt_host,src_nt_domain,user,Logon_Type
|`ip-to-host`
|`fix-localhost`
|stats count by src_nt_host,src_ip
|sort -count
|rename src_nt_host as "Workstation",src_ip as "IP Address"
Note the two macros in your Failed Logons by IP query: ip-to-host and fix-localhost.
Now the searches for each macro:
ip-to-host = join src_ip [|inputlookup tHostInfo | table src_ip,src_host,src_nt_domain]
fix-localhost = eval src_host=if(src_ip=="127.0.0.1" OR src_ip=="-",upper(host),src_host)|eval src_host=src_nt_domain."\".src_host
Now I'm going to say, I see a problem here: index=wineventlog does not have a src_ip field, and eventtype=msad* uses index=wineventlog.
BUT! There is a field IpAddress that contains IP addresses, and host that contains hostnames, whereas the field src_host does not exist.
So let's tweak these macros:
ip-to-host = join src [|inputlookup tHostInfo | table src,Caller_Domain]
fix-localhost = eval host=if(IpAddress=="127.0.0.1" OR IpAddress=="-",upper(host),host)|eval host=Caller_Domain."\\".host
Still not getting anything, so I search:
eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src,host,Caller_Domain,user,Logon_Type
|`ip-to-host`
|`fix-localhost`
|stats count by host,src
|sort -count
|rename host as "Workstation",src as "IP Address"
Note, I've changed the query to use fields that exist in index=wineventlog.
Still not getting anything! But wait, a lookup is mentioned in the macro ip-to-host, so let's see how that is configured!
There is no lookup tHostInfo, so let's remove ip-to-host from the query:
eventtype=msad-failed-user-logons (host="*")
|fields _time,signature,src,host,Caller_Domain,user,Logon_Type
|`fix-localhost`
|stats count by host,src
|sort -count
|rename host as "Workstation",src as "IP Address"
YES!!!!!! IT WORKS!
Results:
Workstation IP Address count
DOMAIN<Hostname> 127.0.0.1 2
DOMAIN<Hostname> 10.###.##.### 1
DOMAIN<hostname> 127.0.0.1 1
So change the fields in the macro fix-localhost, as noted under "let's tweak these macros", then remove ip-to-host from the query, while updating the query the panel uses to search.
More thoughts...
My raw XML event looks like this. I believe src_ip can be extracted from IpAddress:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4625</EventID><Version>0</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime='2016-11-23T09:46:24.500210800Z'/><EventRecordID>373002</EventRecordID><Correlation/><Execution ProcessID='504' ThreadID='3996'/><Channel>Security</Channel><Computer>spunk_forward.splunk0.local</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>vic.chen</Data><Data Name='TargetDomainName'>TC-NB553</Data><Data Name='Status'>0xc000006d</Data><Data Name='FailureReason'>%%2313</Data><Data Name='SubStatus'>0xc0000064</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>TC-NB553</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>192.168.3.32</Data><Data Name='IpPort'>55425</Data></EventData></Event>
This is what I'm going to add.
props.conf
[source::*:Security]
REPORT-src_ip_for_windows_security = Source_Network_Address_as_src_ip,Client_Address_as_src_ip,IpAddress_as_src_ip
transforms.conf
[IpAddress_as_src_ip]
SOURCE_KEY = IpAddress
REGEX = (.+)
FORMAT = src_ip::$1
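To see concretely why the stock stanzas produce nothing for this event while the proposed IpAddress_as_src_ip does, here is an added Python simulation (not part of Splunk_TA_windows or of this thread) that parses the 4625 event posted above and applies each stanza as a REGEX over its SOURCE_KEY. The transform table and its matching rules are a simplified model of Splunk's REPORT- extraction, not its real implementation, and say nothing about precedence between stanzas that write the same field.

```python
import re
import xml.etree.ElementTree as ET

# The 4625 event from the post above, trimmed to the elements this example uses.
RAW_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
    "<EventID>4625</EventID><Computer>spunk_forward.splunk0.local</Computer></System>"
    "<EventData><Data Name='TargetUserName'>vic.chen</Data>"
    "<Data Name='WorkstationName'>TC-NB553</Data><Data Name='IpAddress'>192.168.3.32</Data>"
    "<Data Name='IpPort'>55425</Data></EventData></Event>"
)
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# (SOURCE_KEY, REGEX, destination field, capture group) for the TA stanzas quoted in the
# question; group 2 is what FORMAT = src_ip::"$2" emits.
TA_TRANSFORMS = [
    ("Source_Network_Address", r"([\\]+)?([^-].*)", "src_ip", 2),
    ("Client_Address", r"([\\]+)?([^-].*)", "src_ip", 2),
]
# The stanza proposed above: FORMAT = src_ip::$1 over SOURCE_KEY = IpAddress.
PROPOSED = [("IpAddress", r"(.+)", "src_ip", 1)]


def parse_event_data(xml_text):
    """Flatten <Data Name=...> elements into field -> value, i.e. the field names the XML
    rendering of the Security log exposes (IpAddress, WorkstationName, ...)."""
    root = ET.fromstring(xml_text)
    fields = {"host": root.findtext(f"{NS}System/{NS}Computer")}
    for data in root.iter(f"{NS}Data"):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def apply_transforms(fields, transforms):
    """Simplified REPORT- model (an assumption, not Splunk's code): every transform whose
    SOURCE_KEY is present and whose REGEX matches contributes one value.
    Returns destination field -> list of values, so ordering effects stay visible."""
    out = {}
    for source_key, regex, dest, group in transforms:
        value = fields.get(source_key)
        if value is None:
            continue  # SOURCE_KEY absent in this rendering: the stanza silently yields nothing
        match = re.search(regex, value)
        if match and match.group(group) is not None:
            out.setdefault(dest, []).append(match.group(group))
    return out


if __name__ == "__main__":
    event = parse_event_data(RAW_EVENT)
    print(apply_transforms(event, TA_TRANSFORMS))             # {}  -> the empty chart
    print(apply_transforms(event, TA_TRANSFORMS + PROPOSED))  # {'src_ip': ['192.168.3.32']}
```

Windows writes "-" for an empty field: the TA regex's `[^-]` refuses it, whereas the proposed `(.+)` captures it as src_ip="-", which is exactly the case the fix-localhost macro's `src_ip=="-"` test exists to handle.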
As you know, src_ip has the IP address and src_nt_host captures the host name. In your case, if your src_ip doesn't have the value (i.e. IP address) you need, and if that's present in src_nt_host, you can alias it and it should work.
Alternatively, if you go down the approach of props/transforms (as above), as soon as the first src_ip is obtained, the transform will return. So, if Source_Network_Address_as_src_ip returns a value of src_ip, your IpAddress_as_src_ip may not run or overwrite it. Please check/test it once.
The Failed Logons by IP Address works for us and we are using the Splunk App for Windows Infrastructure V1.4.0, Splunk Enterprise V6.5.1, and Splunk_TA_windows V4.8.3.
The only issue we did notice in general with the application was that under Windows Performance Monitoring the Perfmon Hosts Multiselect was not defined correctly so we fixed it (Token Prefix, Token Suffix, and Token Value Prefix were empty) since we are now able to edit the dashboard with 1.4.0.
Hope that helps.
I don't have the Windows Infra app installed any more, and though I don't know why this isn't working off hand, you are probably heading down the right road for correcting it.
If you need a field called src_ip and you can extract it easily enough, I'd do that. In this case an alias may work just fine since you have it available already. Either method will likely work fine.
So, IMO make the field as you seemed to be doing and do some testing to see if your results make sense.