The 5.x version of the Windows TA logs data with source=WinEventLog:Security and source=wineventlog ... all the items related to windows event log data fail in this app. This is really annoying. What is the best way to fix this? Do we need to modify the TA for windows settings or is this a compatibility issue with Security Essentials only working with the older 4.x versions of the windows TA?
We did the first major update for the Windows TA 5 breaking changes a few releases back, but it turns out there was an entire category of searches that were missed. This has been fixed now in Version 2.3.1, posted Jan 4 2019. Thank you for reporting this!
I just updated to 2.3.0 this morning before posting this question and I'm still seeing security items for windows reporting no data... if I open the query in search and change it from sourcetype=*WinEventLog:Security to source= it finds the data.
Do me a favor -- try doing a bump and see if that changes the search (sometimes Splunk Enterprise caches things when it shouldn't..). Go to http(s)://your-splunk-server:8000/en-US/bump and then click the button that pops up there. Refresh the page you're seeing the issue on, and let me know if it goes away. If not, can you confirm where in the app (e.g., what page, what example, etc.) you see the issue, so I can dive in deeper and see what my regex search is missing?
Hi @alastor -- happy new year! I wanted to check in again and see if you were able to try this out.
Hey David, I haven't. I've been on vacation over the holidays. I should try it out before the end of the week though! I will let you know! Thanks!
Excellent! Sounds good on both fronts (the vacation, and being able to try it out)!
I did the bump on all of my search heads... still see the no data found on windows data with live data selected on the dashboards. the windows items all have the wrong search string for 5.x windows app:
| metasearch earliest=-2h latest=now sourcetype="WinEventLog:Security" index= | head 100 | stats count
if I change sourcetype to source it loads data.
Okay interesting, I switched browsers and now reports are showing up correctly for the most part. (many now show an Accelerated option as well as demo and live data) and those mostly work. there are some errors still but I think it's additional configuration that needs to be done.
Some pages don't load anything though:
Windows Event Log Clearing Events doesn't show any messages now when switching to live data.
okay so if I go into the Data Source Checker I still find a fair number of failures in Windows Event lookups that are pointing at sourcetype instead of source. I did a find -exec grep -i in the app looking for sourcetype=wineventlog: and only found a single xml file and a bunch of static data entries that matched... so there has to be another area where this mismatch is being picked up.