The Splunk App for Windows Infrastructure has the windows_signatures.csv lookup file:
signature_id,signature,CategoryString,action,result
512,"Windows NT is starting up",,,
...
1104,"The security Log is now full",,,
And then the lookup itself:
## Default lookup for EventCode->signature mapping ( i.e. EventCode=4625 + SubStatus=null() = "An account failed to log on" )
LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id OUTPUTNEW signature,signature AS name, signature AS subject
So here's the problem. I have an event coming from SharePoint with event code 1104:
LogName=Application
SourceName=Microsoft-SharePoint Products-PerformancePoint Service
EventCode=1104
And the lookup matches it - based on it being event code 1104 - to the message "The security Log is now full".
That's wrong - and pretty alarming. It looks like the lookup file is just for events from the Security log, yet the lookup is ignoring the log name, so event code 1104 becomes a full security log regardless of the log name (let alone the source name).
I'm still new to Splunk, so it's possible that I've effed something up to get this result. Has anyone else noticed this?
What is the sourcetype you are using to ingest the SharePoint log files? If it's the same sourcetype as the security event logs then this might happen.
If not, you can adjust the sourcetypes that the lookup applies to in the same way that it is created (as per the documentation)
The SharePoint message is coming from the event logs as well - from the Application log as opposed to the Security log.
So it's all event log messages.
It seems like the app assumes that an event ID number is unique to one message across the event viewer. If that's the thinking, then it's definitely wrong - as this example shows.
Tweaking the automatic lookup will resolve the issue, but I completely agree with you here.
I've logged a support case or two on this app as well; I believe I have an enhancement request open, as some event codes have multiple meanings depending on the description.
Perhaps you can log a support case on this so it goes back to the app support team?
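The two suggestions above (scope the automatic lookup to the right sourcetype, or tweak the lookup) come down to one thing: the lookup key must include the log the event came from, not just the event ID. The Python below is an added example written for this page, not code from the thread or from the Splunk App for Windows Infrastructure. It models Splunk's automatic lookup two ways over constructed WinEventLog-style events: keyed on EventCode alone (reproducing the false "security Log is now full" match on the SharePoint event) and keyed on LogName plus EventCode. The LogName column in the lookup rows is an assumed addition to windows_signatures.csv (the real file has only signature_id,signature,CategoryString,action,result), and every row and event here is constructed for the demo. In Splunk terms the equivalent change is to add that column to the CSV and list both fields in the automatic lookup (`LOOKUP-signature_for_windows3 = windows_signature_lookup signature_id, LogName OUTPUTNEW ...`), or to move the LOOKUP- line under a props.conf stanza that only matches the Security log, such as `[source::WinEventLog:Security]`.

```python
"""
Added example (not the thread's or the app's code): emulate a Splunk automatic
lookup over WinEventLog-style events, first keyed on EventCode alone, then on
LogName + EventCode, and list the events the first variant misattributes.
All lookup rows and events below are constructed for the demo; the LogName
column is an assumed addition to windows_signatures.csv.
"""
import csv
import io

# Constructed lookup table with an assumed LogName column (not the app's file).
LOOKUP_CSV = """signature_id,LogName,signature
512,Security,Windows NT is starting up
1104,Security,The security Log is now full
4625,Security,An account failed to log on
"""

# Constructed events in the key=value shape the Windows add-on produces,
# one blank line between events. The second is the SharePoint case.
EVENTS_RAW = """LogName=Security
SourceName=Microsoft-Windows-Eventlog
EventCode=1104

LogName=Application
SourceName=Microsoft-SharePoint Products-PerformancePoint Service
EventCode=1104

LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4625
"""


def parse_events(raw):
    """Split blank-line separated key=value blocks into one dict per event."""
    events = []
    for block in raw.strip().split("\n\n"):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition("=")
            ev[key.strip()] = value.strip()
        events.append(ev)
    return events


def load_lookup(csv_text, key_fields):
    """Index CSV rows by a tuple of key columns, like a LOOKUP- key field list."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[tuple(row[f] for f in key_fields)] = row
    return table


def apply_lookup(events, table, event_key_fields, out_field="signature"):
    """Emulate OUTPUTNEW: set out_field only if the key matches and it is absent."""
    results = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        row = table.get(tuple(ev.get(f, "") for f in event_key_fields))
        if row is not None and out_field not in ev:
            ev[out_field] = row[out_field]
        results.append(ev)
    return results


def lookup_by_eventcode(events):
    """The app's behaviour as reported: key on the event ID only."""
    return apply_lookup(events, load_lookup(LOOKUP_CSV, ["signature_id"]), ["EventCode"])


def lookup_by_log_and_eventcode(events):
    """The fix: key on the originating log as well as the event ID."""
    table = load_lookup(LOOKUP_CSV, ["LogName", "signature_id"])
    return apply_lookup(events, table, ["LogName", "EventCode"])


def misattributed(events):
    """Events that the EventCode-only lookup tags with a signature recorded
    for a different log: each is a false match of the kind in the thread."""
    table = load_lookup(LOOKUP_CSV, ["signature_id"])
    bad = []
    for ev in events:
        row = table.get((ev.get("EventCode", ""),))
        if row is not None and row["LogName"] != ev.get("LogName"):
            bad.append((ev["LogName"], ev["SourceName"], ev["EventCode"], row["signature"]))
    return bad


if __name__ == "__main__":
    evs = parse_events(EVENTS_RAW)
    for ev in lookup_by_eventcode(evs):
        print("EventCode only   :", ev["LogName"], ev["EventCode"], "->", ev.get("signature"))
    for ev in lookup_by_log_and_eventcode(evs):
        print("LogName+EventCode:", ev["LogName"], ev["EventCode"], "->", ev.get("signature"))
    print("misattributed:", misattributed(evs))
```

Running it shows the Application-log 1104 from SharePoint picking up "The security Log is now full" under the EventCode-only key and staying untagged under the two-field key; `misattributed()` is the check to run against your own lookup file and a sample of events before trusting the `signature` field in a search or alert.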
Thanks - I wasn't sure if it was something I had screwed up. I'll poke them with a support case and see what happens.