Splunk app for Windows Infrastructure - Account Domain (dest_nt_domain) appearing as a multi-value field

mikaelbje
Motivator

I'm experiencing a problem with the Splunk App for Windows Infrastructure where domains appear twice when presented in the User Reports dashboards. This poses the following problems:

  • The results look ugly, since instead of displaying Domain: NT AUTHORITY, I get - NT AUTHORITY, because dest_nt_domain is an MV field containing both - and NT AUTHORITY.
  • Drilldowns on the user do not work because an ldapsearch is triggered on the search domain=- NT AUTHORITY, where the correct search domain would be NT AUTHORITY or EXAMPLE, where EXAMPLE is the domain name.

I've narrowed the problem down to Windows Security events where Account Domain appears twice, such as in the following event:

06/24/2015 03:33:13 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=XXXNODCP01.example.com
TaskCategory=Logon
OpCode=Info
RecordNumber=173455309
Keywords=Audit Success
Message=An account was successfully logged on.

Subject:
                Security ID:                        NULL SID
                Account Name:                               -
                Account Domain:                            -
                Logon ID:                            0x0

Logon Type:                                      3

Impersonation Level:                    Impersonation

New Logon:
                Security ID:                        NT AUTHORITY\ANONYMOUS LOGON
                Account Name:                               ANONYMOUS LOGON
                Account Domain:                            NT AUTHORITY
                Logon ID:                            0x9B2BF08C
                Logon GUID:                     {00000000-0000-0000-0000-000000000000}

Process Information:
                Process ID:                         0x0
                Process Name:                 -

Network Information:
                Workstation Name:       XXXCNOLAP0175
                Source Network Address:           192.168.1.50
                Source Port:                      51161

Detailed Authentication Information:
                Logon Process:                 NtLmSsp
                Authentication Package:             NTLM
                Transited Services:         -
                Package Name (NTLM only):     NTLM V1
                Key Length:                       128

The same problem is seen for Account Name, where the resulting Account_Name field has two values: - and ANONYMOUS LOGON, whereas we're really only interested in ANONYMOUS LOGON.

This also happens with events where the actual domain name is contained. An example of this is Account_Domain and dest_nt_domain having the values of - and EXAMPLE where EXAMPLE is the domain name. The panel with the table thus shows the value of - EXAMPLE for the Domain field.

Is this a bug in 1.1.3 of the Windows App? I don't believe I've seen this problem before. This is only one of several Splunk installs I've done for customers.

App versions used:

  • 1.1.3 of Splunk App for Windows Infrastructure
  • 4.7.5 of Splunk Add-On for Windows

Splunk versions: 6.2.3 for the indexers, search heads and forwarders

The Setup page in the app also does not detect Users and Groups even though I actually see the data. I've modified the macros.conf that references the indexes, since we add data to different indexes depending on the environment.

1 Solution

Surender
Explorer

Splunkers,

This happens mainly for Windows security event logs of Type 3, such as eventcode = 4624 (as per the main question).

The reason it happens is that Type 3 is a network logon (i.e. a connection to a shared folder on this computer from elsewhere on the network), and Account Domain is either not available or listed as "-" under Subject in the event log but is listed for the actual logon. This creates a multivalue field and lists all the unwanted clutter. However, if you search for type 2, 10 or 0, Account Domain is available for both the Subject as well as the logon. transforms.conf for TA-Windows uses Account_Domain as a source key and relies upon it.

Solution/Workaround: in the inputs.conf for the Windows TA, render [WinEventLog://Security] logs as XML, i.e. renderXml = true, e.g. below.

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
index = wineventlog
renderXml = true

Restart splunkforwarder

What's the difference?

Actual Windows XML event logs have different fields for what is called Account Domain for Subject and Logon in the text-format logs.


XML Format
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4624
Version 2
Level 0
SubjectUserName guest-PC$
SubjectDomainName WORKGROUP (Account Domain for Subject in text format)
SubjectLogonId 0x3e7
TargetUserSid S-1-5-18
TargetUserName SYSTEM
TargetDomainName NT AUTHORITY (Account Domain for Logon in text format)
TargetLogonId 0x3e7
LogonType 5
LogonProcessName Advapi
AuthenticationPackageName Negotiate

It works, but it would still be ideal to dig through the root cause and apply a permanent fix for text-based event collection in the Windows TA itself. Will keep on as time permits.
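As an added illustration (not part of this thread and not the Windows TA's own code), the following Python script reproduces why the text-format 4624 event yields a multivalue Account_Domain, applies a "keep the last value" workaround equivalent to mvindex(Account_Domain, -1), and shows that the XML-rendered event keeps the two domains in separately named fields so no disambiguation is needed. The text sample is cut down from the event in the question; the XML sample is constructed, with element names following the Windows EventData schema shown above and made-up values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the text-format 4624 event from the question, trimmed to
# the lines that matter for the Account Name / Account Domain extraction.
TEXT_EVENT = """\
EventCode=4624
Message=An account was successfully logged on.

Subject:
                Security ID:                        NULL SID
                Account Name:                               -
                Account Domain:                            -
                Logon ID:                            0x0

Logon Type:                                      3

New Logon:
                Security ID:                        NT AUTHORITY\\ANONYMOUS LOGON
                Account Name:                               ANONYMOUS LOGON
                Account Domain:                            NT AUTHORITY
                Logon ID:                            0x9B2BF08C
"""

# Constructed sample of the same logon as rendered with renderXml = true.
# Element names follow the Windows EventData schema; the values are made up.
XML_EVENT = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectDomainName">-</Data>
    <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
    <Data Name="TargetDomainName">NT AUTHORITY</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
"""

EVT_NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}


def extract_all(event_text, label):
    """Mimic a text-format field extraction: every 'label: value' line
    contributes a value, so a label present in both the Subject and the
    New Logon sections produces a multivalue field."""
    pattern = re.compile(r'^\s*' + re.escape(label) + r':\s*(.*?)\s*$', re.MULTILINE)
    return pattern.findall(event_text)


def last_value(values):
    """Equivalent of the mvindex(field, -1) workaround from the thread: keep
    only the last value, which for 4624 comes from the New Logon section."""
    return values[-1] if values else None


def extract_xml_domains(event_xml):
    """With renderXml = true the Subject and Target domains are distinct named
    Data elements, so the collision that creates the multivalue field is gone."""
    root = ET.fromstring(event_xml)
    data = {d.get('Name'): (d.text or '')
            for d in root.findall('.//e:EventData/e:Data', EVT_NS)}
    return data.get('SubjectDomainName'), data.get('TargetDomainName')


if __name__ == '__main__':
    domains = extract_all(TEXT_EVENT, 'Account Domain')
    print('Text format Account_Domain (multivalue):', domains)
    print('Last-value workaround:', last_value(domains))
    print('XML format (SubjectDomainName, TargetDomainName):', extract_xml_domains(XML_EVENT))
```

Run stand-alone it prints the two-valued list for the text event, NT AUTHORITY after the workaround, and the ('-', 'NT AUTHORITY') pair from the XML event. The last-value approach only works for event types where the interesting account is the one in the later section, which is why the XML rendering is the more robust fix.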

ridoline
New Member

I also have this issue; has anyone found a working solution to this? I also noticed this to be an issue with session_id in the tSessions lookup table.

I managed to work around it for the tsessions_update using mvindex(Login_ID,-1) and mvindex(Account_Domain,-1) for nt_login_domain, however I agree with mikaelbje, that this should be fixed within the Splunk Supported app.

I have opened a ticket with a few issues I have found within this app/spunk, and this issue is one of them.

I am running Splunk 6.3.1 with 1.2.0 of the splunk_app__windows_infrastructure.

arber
Communicator

I also have the same issue. We also see that sometimes the dest_nt_domain will show as double, e.g. dest_nt_domain="mydomain mydomain".

Sometimes it is extracted correctly. Is it something that has to do with the add-on that is deployed on the clients?

dfigurello
Communicator

Hi Splunkers,

Is there a bug in the Windows app?

My customer is having a problem generating reports in the Windows app.
His version of the app is:

1.1.3 of Splunk App for Windows Infrastructure
4.7.5 of Splunk Add-On

Any idea to solve the problem?

Cheers,

mikaelbje
Motivator

For anyone looking for a quick fix this will likely fix the issue:

| eval Account_Domain = mvindex(Account_Domain, -1)

My suggestion is however that this should be added to the app without users having to modify dashboards.

mikaelbje
Motivator

I see that there's been other questions about this before: http://answers.splunk.com/answers/55398/how-do-i-filter-out-values-if-they-appear-twice.html

I realize one could work around this in several ways, one of them using mvzip, but shouldn't this just work by default in the Splunk App for Windows Infrastructure? A basic drilldown should work out of the box without a user having to modify the dashboard, right?
