- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- authentication searches return extra events
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
authentication searches return extra events
when diving into the data, it looks like the authentication data model is returning two events for one actual login. It looks like the event to get permission from the domain controller, is recorded and then the actual login to the computer is logged.
Is this normal, incorrect windows setup, or bad datamodel?
Thank you,
Rick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, I know this is an older post, but I am having this problem as well. I am seeing the 4624 and then also the 4776. So, the question is should we tweak the windows TA to remove the tags for all but the 4624 events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @RickbondPNT , if my answer helped, please accept it as the answer. Otherwise please provide more information and I'll be glad to help. Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@RickbondPNT just wondering if it worked or what other issues you might be having? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you checked your eventtypes ? the events should be filtered there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
May need some more information, you mentioned "get permissions", so you may be referring to Event ID 4672, which is not always logged with each logon (4624).
The events you are describing should be separate EventCodes aka EventIDs, the values of which should be in the "signature_id" field in the data model.
Assuming you have the Windows TA installed on your indexer and search head, try the search below (change index to match your Windows events) to see order of events in a more readable format.
Notice the relationship between 4672 (Special privileges assigned to new logon) versus 4624 (An account was successfully logged on)
Not all events 4624 events will be preceded by 4672.
index=* (sourcetype=WinEventLog* OR sourcetype=XmlWinEventLog*)
| lookup windows_signatures.csv signature_id as EventCode OUTPUT signature as description
| table _time user EventCode action description
If your Authentication data model is accelerated, you can run this search to view the events with Event ID.
| tstats summariesonly=t count from datamodel=Authentication by _time span=1m Authentication.user Authentication.signature_id Authentication.action sourcetype
Just remove the 'summariesonly=t' if you have not accelerated that data model.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
