All Apps and Add-ons

Why does Security Essentials search for windows event log data with sourcetype instead of source?

Path Finder

The 5.x version of the Windows TA logs data with source=WinEventLog:Security and source=wineventlog ... all the items related to windows event log data fail in this app. This is really annoying. What is the best way to fix this? Do we need to modify the TA for windows settings or is this a compatibility issue with Security Essentials only working with the older 4.x versions of the windows TA?

Thanks!

0 Karma
1 Solution

Path Finder

I just updated to 2.3.0 this morning before posting this question and I'm still seeing security items for windows reporting no data... if I open the query in search and change it from sourcetype=*WinEventLog:Security to source= it finds the data.

View solution in original post

0 Karma

Path Finder

David fixed this with an update.

Splunk Employee
Splunk Employee

@David

Here's the update based on the customer's feedback that @hrottenberg_splunk mentioned:

Sec Essentials use cases:

New Logon Type for User

Disabled Update Service

Monitor Unsuccessful Windows Updates

New RunAs Host

Successful Login of Account for Former Employee

In Splunk demo env, most cases bring up events with identical source and sourcetype names, which is odd.

0 Karma

Splunk Employee
Splunk Employee

I just submitted the corrected version. It usually gets posted within a couple of days, so figure Friday / Monday. Let me know if it's urgent and I can get a fixed version to you offline!

0 Karma

Splunk Employee
Splunk Employee

Thank you, @David.

0 Karma

Splunk Employee
Splunk Employee

Fixed in SSE 2.3.1, now live!

0 Karma

Path Finder

I just updated to 2.3.0 this morning before posting this question and I'm still seeing security items for windows reporting no data... if I open the query in search and change it from sourcetype=*WinEventLog:Security to source= it finds the data.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Confirmed w/another customer. @talbinder_splunk is going to add some detail on app version, searches etc.

@David : I'm looking at the Splunk_TA_Windows CIM tags, and it's based on the eventtype=wineventlog_security (among others). Eventtypes.conf says:

[wineventlog_security]
search = source=WinEventLog:Security OR source=WMI:WinEventLog:Security OR source=XmlWinEventLog:Security

However, the customer sees that sec essentials is using sourcetype=WinEventLog:Security, which clearly won't match.

0 Karma

Splunk Employee
Splunk Employee

Fixed in SSE 2.3.1, now live!

0 Karma

Splunk Employee
Splunk Employee

Do me a favor -- try doing a _bump and see if that changes the search (sometimes Splunk Enterprise caches things when it shouldn't..). Go to http(s)://your-splunk-server:8000/en-US/_bump and then click the button that pops up there. Refresh the page you're seeing the issue on, and let me know if it goes away. If not, can you confirm where in the app (e.g., what page, what example, etc.) you see the issue, so I can dive in deeper and see what my regex search is missing?

0 Karma

Splunk Employee
Splunk Employee

Hi @alastor -- happy new year! I wanted to check in again and see if you were able to try this out.

0 Karma

Path Finder

Hey David, I haven't. I've been on vacation over the holidays. I should try it out before the end of the week though! I will let you know! Thanks!

0 Karma

Splunk Employee
Splunk Employee

Excellent! Sounds good on both fronts (the vacation, and being able to try it out)!

0 Karma

Path Finder

I did the bump on all of my search heads... still see the no data found on windows data with live data selected on the dashboards. the windows items all have the wrong search string for 5.x windows app:

| metasearch earliest=-2h latest=now sourcetype="WinEventLog:Security" index= | head 100 | stats count

if I change sourcetype to source it loads data.

0 Karma

Path Finder

Okay interesting, I switched browsers and now reports are showing up correctly for the most part. (many now show an Accelerated option as well as demo and live data) and those mostly work. there are some errors still but I think it's additional configuration that needs to be done.

Some pages don't load anything though:
Windows Event Log Clearing Events doesn't show any messages now when switching to live data.

0 Karma

Path Finder

okay so if I go into the Data Source Checker I still find a fair number of failures in Windows Event lookups that are pointing at sourcetype instead of source. I did a find -exec grep -i in the app looking for sourcetype=wineventlog: and only found a single xml file and a bunch of static data entries that matched... so there has to be another area where this mismatch is being picked up.

0 Karma

Splunk Employee
Splunk Employee

Found the bug! Working on it now, and I'll get a fixed version posted shortly. Thank you 🙂

0 Karma

Splunk Employee
Splunk Employee

I just submitted the corrected version. It usually gets posted within a couple of days, so figure Friday / Monday. Let me know if it's urgent and I can get a fixed version to you offline!

0 Karma

Splunk Employee
Splunk Employee

Fixed in SSE 2.3.1, now live!

0 Karma

Splunk Employee
Splunk Employee

We did the first major update for the Windows TA 5 breaking changes a few releases back, but it turns out there was an entire category of searches that were missed. This has been fixed now in Version 2.3.1, posted Jan 4 2019. Thank you for reporting this!

0 Karma