eventid.net

m1ster1985
Explorer

Dear all,

Could you help me resolve an issue I cannot address myself?
I installed the Add-on for Microsoft Windows and did everything according to the instructions. Now Splunk is receiving logs from 1 Windows computer. I can see them in the data summary. The next step was installing the eventid.net app to consolidate and visualize the received logs. However, after I installed and configured it according to the instructions, eventid.net does not show any logs on its dashboards.
I have no idea where I should look to find out why eventid does not work. Please, could you help me troubleshoot this problem? I am ready to provide any screenshots of my configuration.

These are some details of my configuration.
I configured inputs.conf, located in /opt/splunk/etc/apps/Splunk_TA_windows/local, with the following configuration:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

I also copied this configuration to the deployment server (/opt/splunk/etc/deployment-apps/Splunk_TA_windows/local). The configuration is successfully transmitted to the computer with the Universal Forwarder (I checked the configuration on the UF).

However, when I look at the event logs in "Search and Report", I see that the logs are coming in with index = "main" instead of "wineventlog", as I specified in inputs.conf.
selected fields:
host = ComputerNAME
index = main
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog

I do not understand why the event logs are coming in with index = main.
I configured eventid.net in the following way:
"The EventId App will analyze the specified index: (index="wineventlog" OR source=XmlWinEventLog*)"
Thank you.

0 Karma

jarizeloyola
Path Finder

Is the configuration in inputs.conf sending to the right index?
Is the data stored in a different index? You can update the [event_sources] section in macros.conf.

0 Karma

m1ster1985
Explorer

Hello,

This is the first problem. I configured inputs.conf, located in /opt/splunk/etc/apps/Splunk_TA_windows/local, with the following configuration:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false

I also copied this configuration to the deployment server (/opt/splunk/etc/deployment-apps/Splunk_TA_windows/local). The configuration is successfully transmitted to the computer with the Universal Forwarder (I checked the configuration on the UF).

However, when I look at the event logs in "Search and Report", I see that the logs are coming in with index = "main" instead of "wineventlog", as I specified in inputs.conf.
selected fields:
host = ComputerNAME
index = main
source = XmlWinEventLog:Security
sourcetype = XmlWinEventLog

I have no idea why the event logs are coming in with index = main.
I configured eventid.net in the following way:
"The EventId App will analyze the specified index: (index="wineventlog" OR source=XmlWinEventLog*)"

0 Karma

jarizeloyola
Path Finder

Can you run btool on the UF, just to check what inputs.conf it is actually getting?

0 Karma

m1ster1985
Explorer

Unfortunately, I can't copy the output of the btool command because it is too big, and I can't attach a file due to a lack of karma points.
Perhaps you want to see particular strings?

0 Karma
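Added example (not posted by anyone in this thread): a small POSIX shell helper that pulls just the relevant strings out of the output of `splunk btool inputs list "WinEventLog://Security" --debug` on the forwarder, so only a few lines need pasting. It reports which file's `index` and `renderXml` settings win for the stanza; since a source of XmlWinEventLog:Security only appears when renderXml is effectively true, a mismatch with the local file's `renderXml=false` points at a different inputs.conf taking precedence. The btool output embedded below is constructed for illustration, and the forwarder paths in it are assumptions.

```shell
#!/bin/sh
# Added helper: reduce `splunk btool inputs list "WinEventLog://Security" --debug`
# output to the two settings that decide where Security events land.
# On a forwarder run:
#   splunk btool inputs list "WinEventLog://Security" --debug | diagnose_security_stanza
# SAMPLE_BTOOL is a constructed stand-in for that output (paths and values invented).
SAMPLE_BTOOL='/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf [WinEventLog://Security]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf checkpointInterval = 5
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf disabled = 0
/opt/splunkforwarder/etc/system/default/inputs.conf index = default
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf renderXml = true
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf start_from = oldest'

# effective_setting KEY: read btool --debug lines ("<file> <key> = <value>") on stdin
# and print "value|file" for the winning KEY, or nothing if KEY is not set at all.
effective_setting() {
    awk -v k="$1" '
        $2 == k && $3 == "=" {
            val = $4
            for (i = 5; i <= NF; i++) val = val " " $i
            print val "|" $1
            exit
        }'
}

# diagnose_security_stanza: explain the index and source the forwarder will really use.
diagnose_security_stanza() {
    out=$(cat)
    idx=$(printf '%s\n' "$out" | effective_setting index)
    xml=$(printf '%s\n' "$out" | effective_setting renderXml)
    case "${idx%%|*}" in
        ""|default) echo "index: ${idx:-unset} -> events go to the default index (main unless changed)" ;;
        *)          echo "index: $idx" ;;
    esac
    case "${xml%%|*}" in
        true|1) echo "renderXml: $xml -> source will be XmlWinEventLog:Security" ;;
        *)      echo "renderXml: ${xml:-unset} -> source will be WinEventLog:Security" ;;
    esac
}

# Demo on the constructed sample; pipe real btool output instead on the UF.
printf '%s\n' "$SAMPLE_BTOOL" | diagnose_security_stanza
```

The file named in each reported line is the one whose setting wins, which is what to compare against /opt/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf.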