All Apps and Add-ons

Why are the EventType Reference Missing for wineventlog-dns in Splunk App for Windows Infrastructure version 1.4.2 and 1.4.3?

bgagliardi1
Path Finder

Error Running in Search and Reporting App:

[indexer1.domain.com] Eventtype 'wineventlog-dns' does not exist or is disabled.
[indexer2.domain.com] Eventtype 'wineventlog-dns' does not exist or is disabled.

Extra info: I'm in a distributed Splunk environment. However, I'm not using indexer clustering.

Grepped eventtypes:

./apps/splunk_app_windows_infrastructure/default/eventtypes.conf
[splunk@splunk-dev-1 etc]# vi apps/splunk_app_windows_infrastructure/default/eventtypes.conf 

[msad-dns-events]
search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (*eventtype=wineventlog-dns* (Type=Warning OR Type=Error))

Full EventTypes File:


--- AD and DNS eventtypes

[msad-account-lockout]
search = eventtype=wineventlog_security EventCode=4740

[msad-account-unlock]
search = eventtype=wineventlog_security EventCode=4767

[msad-ad-access]
search = eventtype=wineventlog_security EventCode=4662

[msad-admin-audit]
search = (eventtype=msad-group-changes OR eventtype=msad-groupmembership-changes OR eventtype=msad-computer-changes OR eventtype=msad-user-changes OR eventtype=msad-account-lockout OR eventtype=msad-account-unlock) user!="*$" src_user!="*$"

[msad-anomalous-events]
search = eventtype=msad-security-anomalous-events OR eventtype=msad-dirsvcs-anomalous-events

[msad-computer-changes]
search = eventtype=wineventlog_security (EventCode=4741 OR EventCode=4742 OR EventCode=4743)

[msad-dirsvcs-anomalous-events]
search = eventtype=wineventlog-ds (Type=Error OR Type=Warning OR EventCode=1458)

[msad-disabled-logons]
search = eventtype=wineventlog_security EventCode=4625 (Status=0xC000006E OR Status=0xC0000072 OR Status=0xC0000193)

[msad-dns-events]
search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error))

[msad-failed-computer-logons]
search = eventtype=wineventlog_security EventCode=4625 user="*$"

[msad-failed-user-logons]
search = eventtype=wineventlog_security (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) Keywords="Audit Failure")) user!="*$"

[msad-group-changes]
search = eventtype=wineventlog_security (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)

[msad-groupmembership-changes]
search = eventtype=wineventlog_security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762)

[msad-password-changes]
search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=4724)

[msad-rep-errors]
search = eventtype=wineventlog-ds (EventCode=1014 OR EventCode=1083 OR EventCode=1084 OR EventCode=1203 OR EventCode=1307 OR EventCode=1308 OR EventCode=1311 OR EventCode=1566 OR EventCode=1699 OR EventCode=1800 OR EventCode=1801 OR EventCode=1865 OR EventCode=1925 OR EventCode=1926 OR EventCode=1988 OR EventCode=2087 OR EventCode=2088)

[msad-security-anomalous-events]
search = eventtype=wineventlog_security (Type=Error OR Type=Warning OR EventCode=512 OR EventCode=513 OR EventCode=516 OR EventCode=517 OR EventCode=1100 OR EventCode=1101 OR EventCode=1102 OR EventCode=1104 OR EventCode=4609 OR EventCode=4612 OR EventCode=1621)

[msad-successful-computer-logons]
search = eventtype=wineventlog_security EventCode=4624 user="*$"

[msad-successful-user-logons]
search = eventtype=wineventlog_security EventCode=4624 user!="*$"

[msad-user-changes]
search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4912) user!="*$"

Windows eventtypes

[eventlog_Update_Successful]
search = sourcetype="*:System" "Installation Successful"

[eventlog_Update_Failed]
search = sourcetype="*:System" "Installation Failure"

[updatelog_Update_Successful]
search = sourcetype="WindowsUpdateLog" "Content Install" "Installation Successful"

[updatelog_Update_Failed]
search = sourcetype="WindowsUpdateLog" Failure "Content Install" "Installation Failure"

[Update_Successful]
search = eventtype=eventlog_Update_Successful OR eventtype=updatelog_Update_Successful

[Update_Failed]
search = eventtype=eventlog_Update_Failed OR eventtype=updatelog_Update_Failed

[Key_Events_On_Hosts]
search = \
    ( \
        sourcetype="WinEventLog*" OR sourcetype="XmlWinEventLog*" \
            (Type="*Error*" OR Type="*Fail*" OR EventCode=1074 OR EventCode=19 OR \
            EventCode=20 OR EventCode=21 OR Eventcode=1001) \
    ) OR \
    ( \
        sourcetype="WindowsUpdateLog" (status="installed" OR \
            status="failure" OR status="restart required") \
    )

description = This event type identifies key events on a host machine running Windows. \
Key events are defined as most commonly occurring scenarios on a Windows host that \
may require immediate attention or may explain issues seen on a host. hence the \
events collected by this event type include the following: \
1. Windows event log events from the System, Application or Security event log \
that indicate errors. \
2. Windows system event log event with event code 1074 for system reboots. Event codes \
600*s although useful in detecting the reboots of the event log itself are useful, \
they have been known to be noisy in reality and so excluded from this event type. \
3. Windows update event log events with event codes 19, 20 or 21 for installs, \
failures and required reboot scenarios. \
4. Windows update log actions indicating install, failure or install requiring reboots. \
Note: since event types dont support append command, we OR the source types.
"

1 Solution

bgagliardi1
Path Finder

Solved the problem:

Install https://splunkbase.splunk.com/app/1477/ on the universal forwarders for DC's/Print Servers/etc.
Install https://splunkbase.splunk.com/app/3208/ on UF's, like above, and Indexers, and searchheads.

View solution in original post

0 Karma

horanman01
Explorer

Nothing from what you posted was legible or comprehensible. This is an utterly useless post to anybody who views it.

bgagliardi1
Path Finder

Solved the problem:

Install https://splunkbase.splunk.com/app/1477/ on the universal forwarders for DC's/Print Servers/etc.
Install https://splunkbase.splunk.com/app/3208/ on UF's, like above, and Indexers, and searchheads.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...