The EventCode lookups in the Splunk App for Windows Infrastructure return incorrect values

Ranazar
Path Finder

The Splunk App for Windows Infrastructure has the windows_signatures.csv lookup file:

signature_id,signature,CategoryString,action,result
512,"Windows NT is starting up",,,
...
1104,"The security Log is now full",,,

And then the lookup itself:

## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject

So here's the problem. I have an event coming from SharePoint with event code 1104:

LogName=Application
SourceName=Microsoft-SharePoint Products-PerformancePoint Service
EventCode=1104

And the lookup matches it - based on it being event code 1104 - to the message "The security Log is now full".

That's wrong - and pretty alarming. It looks like the lookup file is just for events from the Security log, yet the lookup is ignoring the log name, so event code 1104 becomes a full security log regardless of the log name (let alone the source name).

I'm still new with Splunk, so it's possible that I've effed something up to get this result. Has anyone else noticed this?


gjanders
SplunkTrust

What is the sourcetype you are using to ingest the SharePoint log files? If it's the same sourcetype as the security event logs then this might happen.

If not, you can adjust the sourcetypes that the lookup applies to in the same way that it is created (as per the documentation).

Ranazar
Path Finder

The SharePoint message is coming from the event logs as well - from the Application log as opposed to the Security log.

So it's all event log messages.

It seems like the app assumes that an event ID number is unique to one message across the event viewer. If that's the thinking, then it's definitely wrong - as this example shows.
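The mislabeling described above, and the scoping fix from the accepted answer, can be reproduced outside Splunk. The script below is an added example, not code from the app or from anyone in this thread: it parses a constructed excerpt of windows_signatures.csv (only the 512 and 1104 rows come from the thread, and 4625 from the comment on the lookup definition), applies the lookup once keyed on EventCode alone, as LOOKUP-signature_for_windows3 does, and once restricted to events whose LogName is Security, and then reports every event that the unscoped lookup would label with a Security-log signature even though it came from another log. The sample events are constructed for illustration.

```python
"""Simulate a Splunk automatic lookup keyed on EventCode only versus one scoped
to the Security log, and find events the unscoped version mislabels.
Added example; the CSV excerpt and the events below are constructed."""
import csv
import io

# Constructed excerpt in the same layout as windows_signatures.csv.
WINDOWS_SIGNATURES_CSV = """signature_id,signature,CategoryString,action,result
512,"Windows NT is starting up",,,
1104,"The security Log is now full",,,
4625,"An account failed to log on",,,
"""

# Constructed events as Splunk would extract them from WinEventLog input.
SAMPLE_EVENTS = [
    {"LogName": "Security", "SourceName": "Microsoft-Windows-Eventlog", "EventCode": "1104"},
    {"LogName": "Application",
     "SourceName": "Microsoft-SharePoint Products-PerformancePoint Service",
     "EventCode": "1104"},
    {"LogName": "Security", "SourceName": "Microsoft-Windows-Security-Auditing", "EventCode": "4625"},
    {"LogName": "Application", "SourceName": "Application Error", "EventCode": "1000"},
]


def load_signature_lookup(csv_text):
    """Parse the lookup CSV into a {signature_id: signature} table."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["signature_id"]: row["signature"] for row in reader}


def apply_lookup_unscoped(event, lookup):
    """Mirror LOOKUP-signature_for_windows3: join on EventCode alone and
    add a signature field whenever the code exists in the table."""
    enriched = dict(event)
    signature = lookup.get(event.get("EventCode"))
    if signature is not None:
        enriched["signature"] = signature
    return enriched


def apply_lookup_scoped(event, lookup, log_name="Security"):
    """Same join, but only for events from the named log. This is the effect of
    attaching the automatic lookup to the Security-log sourcetype only."""
    if event.get("LogName") != log_name:
        return dict(event)
    return apply_lookup_unscoped(event, lookup)


def find_mislabeled(events, lookup, log_name="Security"):
    """Return the enriched copies of every event that the unscoped lookup
    labels although the event did not come from the log the table describes."""
    mislabeled = []
    for event in events:
        enriched = apply_lookup_unscoped(event, lookup)
        if "signature" in enriched and event.get("LogName") != log_name:
            mislabeled.append(enriched)
    return mislabeled


if __name__ == "__main__":
    table = load_signature_lookup(WINDOWS_SIGNATURES_CSV)
    for hit in find_mislabeled(SAMPLE_EVENTS, table):
        print(f'{hit["LogName"]}/{hit["SourceName"]} EventCode={hit["EventCode"]} '
              f'would be labelled "{hit["signature"]}"')
```

Run against a real export of events (one dict per event with LogName, SourceName and EventCode) and the full CSV, find_mislabeled gives a quick count of how many non-Security events the default lookup would mislabel in your environment; the same check expressed in Splunk is a search for events with LogName!=Security that still receive a signature from the lookup.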

gjanders
SplunkTrust

Tweaking the automatic lookup will resolve the issue, but I completely agree with you here.
I've logged a support case or two on this app as well; I believe I have an enhancement request open, as some event codes have multiple meanings depending on the description.

Perhaps you can log a support case on this so it goes back to the app support team?

Ranazar
Path Finder

Thanks - I wasn't sure if it was something I had screwed up. I'll poke them with a support case and see what happens.