Re: WinEvenLog for Security EventCode IN (4768) m...

jvmerilla · ‎04-03-2023

The log we have for WinEvenLog for Security EventCode IN (4768) is missing the parts
"Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. EditMore Resources"

This is after Certificate Thumbprint.

This only what we have in Splunk.

The SEDCMD in props.conf were already commented out but still we are not getting this part in Splunk.

diogofgm · ‎04-03-2023

Have you tried to index the xml version of those event?

------------
Hope I was able to help you. If so, some karma would be appreciated.

jvmerilla · ‎04-03-2023

Hi @diogofgm ,

Thank you for the response!

We did try to index it as xml but we need to revert it back to the old format because, apparently, in xml format we are missing the "message" field.

WinEvenLog for Security EventCode IN (4768) missing parts after Certificate Thumbprint

configuration

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation