All Apps and Add-ons

Why are the EventType Reference Missing for wineventlog-dns in Splunk App for Windows Infrastructure version 1.4.2 and 1.4.3?

bgagliardi1
Path Finder

Error Running in Search and Reporting App:

[indexer1.domain.com] Eventtype 'wineventlog-dns' does not exist or is disabled.
[indexer2.domain.com] Eventtype 'wineventlog-dns' does not exist or is disabled.

Extra info: I'm in a distributed Splunk environment. However, I'm not using indexer clustering.

Grepped eventtypes:

./apps/splunk_app_windows_infrastructure/default/eventtypes.conf
[splunk@splunk-dev-1 etc]# vi apps/splunk_app_windows_infrastructure/default/eventtypes.conf 

[msad-dns-events]
search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (*eventtype=wineventlog-dns* (Type=Warning OR Type=Error))

Full EventTypes File:


--- AD and DNS eventtypes

[msad-account-lockout]
search = eventtype=wineventlog_security EventCode=4740

[msad-account-unlock]
search = eventtype=wineventlog_security EventCode=4767

[msad-ad-access]
search = eventtype=wineventlog_security EventCode=4662

[msad-admin-audit]
search = (eventtype=msad-group-changes OR eventtype=msad-groupmembership-changes OR eventtype=msad-computer-changes OR eventtype=msad-user-changes OR eventtype=msad-account-lockout OR eventtype=msad-account-unlock) user!="*$" src_user!="*$"

[msad-anomalous-events]
search = eventtype=msad-security-anomalous-events OR eventtype=msad-dirsvcs-anomalous-events

[msad-computer-changes]
search = eventtype=wineventlog_security (EventCode=4741 OR EventCode=4742 OR EventCode=4743)

[msad-dirsvcs-anomalous-events]
search = eventtype=wineventlog-ds (Type=Error OR Type=Warning OR EventCode=1458)

[msad-disabled-logons]
search = eventtype=wineventlog_security EventCode=4625 (Status=0xC000006E OR Status=0xC0000072 OR Status=0xC0000193)

[msad-dns-events]
search = ((eventtype=wineventlog_application OR eventtype=wineventlog_system OR eventtype=wineventlog_security) (Type=Warning OR Type=Error) DNS) OR (eventtype=wineventlog-dns (Type=Warning OR Type=Error))

[msad-failed-computer-logons]
search = eventtype=wineventlog_security EventCode=4625 user="*$"

[msad-failed-user-logons]
search = eventtype=wineventlog_security (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) Keywords="Audit Failure")) user!="*$"

[msad-group-changes]
search = eventtype=wineventlog_security (EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764)

[msad-groupmembership-changes]
search = eventtype=wineventlog_security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762)

[msad-password-changes]
search = eventtype=wineventlog_security (EventCode=4723 OR EventCode=4724)

[msad-rep-errors]
search = eventtype=wineventlog-ds (EventCode=1014 OR EventCode=1083 OR EventCode=1084 OR EventCode=1203 OR EventCode=1307 OR EventCode=1308 OR EventCode=1311 OR EventCode=1566 OR EventCode=1699 OR EventCode=1800 OR EventCode=1801 OR EventCode=1865 OR EventCode=1925 OR EventCode=1926 OR EventCode=1988 OR EventCode=2087 OR EventCode=2088)

[msad-security-anomalous-events]
search = eventtype=wineventlog_security (Type=Error OR Type=Warning OR EventCode=512 OR EventCode=513 OR EventCode=516 OR EventCode=517 OR EventCode=1100 OR EventCode=1101 OR EventCode=1102 OR EventCode=1104 OR EventCode=4609 OR EventCode=4612 OR EventCode=1621)

[msad-successful-computer-logons]
search = eventtype=wineventlog_security EventCode=4624 user="*$"

[msad-successful-user-logons]
search = eventtype=wineventlog_security EventCode=4624 user!="*$"

[msad-user-changes]
search = eventtype=wineventlog_security (EventCode=4720 OR EventCode=4722 OR EventCode=4724 OR EventCode=4725 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4912) user!="*$"

Windows eventtypes

[eventlog_Update_Successful]
search = sourcetype="*:System" "Installation Successful"

[eventlog_Update_Failed]
search = sourcetype="*:System" "Installation Failure"

[updatelog_Update_Successful]
search = sourcetype="WindowsUpdateLog" "Content Install" "Installation Successful"

[updatelog_Update_Failed]
search = sourcetype="WindowsUpdateLog" Failure "Content Install" "Installation Failure"

[Update_Successful]
search = eventtype=eventlog_Update_Successful OR eventtype=updatelog_Update_Successful

[Update_Failed]
search = eventtype=eventlog_Update_Failed OR eventtype=updatelog_Update_Failed

[Key_Events_On_Hosts]
search = \
    ( \
        sourcetype="WinEventLog*" OR sourcetype="XmlWinEventLog*" \
            (Type="*Error*" OR Type="*Fail*" OR EventCode=1074 OR EventCode=19 OR \
            EventCode=20 OR EventCode=21 OR Eventcode=1001) \
    ) OR \
    ( \
        sourcetype="WindowsUpdateLog" (status="installed" OR \
            status="failure" OR status="restart required") \
    )

description = This event type identifies key events on a host machine running Windows. \
Key events are defined as most commonly occurring scenarios on a Windows host that \
may require immediate attention or may explain issues seen on a host. hence the \
events collected by this event type include the following: \
1. Windows event log events from the System, Application or Security event log \
that indicate errors. \
2. Windows system event log event with event code 1074 for system reboots. Event codes \
600*s although useful in detecting the reboots of the event log itself are useful, \
they have been known to be noisy in reality and so excluded from this event type. \
3. Windows update event log events with event codes 19, 20 or 21 for installs, \
failures and required reboot scenarios. \
4. Windows update log actions indicating install, failure or install requiring reboots. \
Note: since event types dont support append command, we OR the source types.
"

1 Solution

bgagliardi1
Path Finder

Solved the problem:

Install https://splunkbase.splunk.com/app/1477/ on the universal forwarders for DC's/Print Servers/etc.
Install https://splunkbase.splunk.com/app/3208/ on UF's, like above, and Indexers, and searchheads.

View solution in original post

0 Karma

horanman01
Explorer

Nothing from what you posted was legible or comprehensible. This is an utterly useless post to anybody who views it.

bgagliardi1
Path Finder

Solved the problem:

Install https://splunkbase.splunk.com/app/1477/ on the universal forwarders for DC's/Print Servers/etc.
Install https://splunkbase.splunk.com/app/3208/ on UF's, like above, and Indexers, and searchheads.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...