
security eventlog

khanlarloo
Explorer

I have one server that is for antivirus. I installed the UF and the Windows add-on on it, which sends logs to the HF.
I have one problem: it doesn't show that server's security events on my indexer, but it shows the other servers' security events.
My inputs.conf on the UF is:

[default]
host = NPESET
index = eset
sourcetype = eset:ra

and in the Windows add-on's inputs.conf:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog
renderXml = false

Why don't I receive any security event logs?

bennitltd
New Member

Hi,
I have seen this a number of times, and it is generally related to the security policy on the source server. If the UF is running as SYSTEM or as an AD account, as lakshman239 says, check that it has permissions.

There is a more detailed set of security requirements relating to the security descriptors that are used to allow access; these differ on Win2008 and above. Read the following and check to make sure that they are set to allow access.

I appreciate that this relates to setting the SDDL; however, it tells you how to understand whether you have the required access. I have seen this on a Windows 2016 server, so it is relevant.

https://support.microsoft.com/en-gb/help/323076/how-to-set-event-log-security-locally-or-by-using-gr...


lakshman239
SplunkTrust

Assuming your Splunk UF is running as admin (or with equivalent required access), and that we can see _internal logs from that UF (to ensure connectivity works), could you do the following?
1. On the Windows server (AV), check whether Event Viewer shows the security events that are expected [e.g. 4624]. If no security events are in Event Viewer, you may need to work with the Windows admin to enable security audit policies.
2. Once the events are seen in Event Viewer, look at default/inputs.conf, as it normally blacklists 566 and 4662.
3. Check whether you are receiving any Application or System logs from this AV server [WinEventLog://Application and System].
4. Run btool to ensure the required inputs.conf shows up with your changes.
5. Check that there is no filtering at the HF level for Windows security events.
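The checks from the two answers above, collected into one script to run on the AV server as an administrator. This is an added example and not code from the thread or from the Splunk add-on; it assumes the UF service is registered as "SplunkForwarder" and is installed under $env:ProgramFiles\SplunkUniversalForwarder (neither is stated in the thread). It prints which identity splunkd actually runs as, parses the Security channel's SDDL to see whether that identity (directly or via a built-in group such as Event Log Readers) is granted read access, confirms the channel contains 4624 events at all, and dumps the UF's effective [WinEventLog://Security] stanza so you can see what default/local inputs.conf merge to, including any blacklist and any keys inherited from the UF's own [default] stanza.

```powershell
# Added example, not from the thread. Run elevated on the server whose Security log is missing.
# Assumptions (not in the thread): service name "SplunkForwarder", default UF install path.
$ErrorActionPreference = 'Stop'
$splunkHome = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder'
$splunkExe  = Join-Path $splunkHome 'bin\splunk.exe'

# 1. Which identity reads the event log? "Installed as admin" only says who ran the installer;
#    what matters is the account the service runs under.
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
"UF service account: $($svc.StartName)"

# SIDs the service account carries. LocalSystem's token holds SYSTEM and BUILTIN\Administrators.
$ids = [System.Collections.Generic.HashSet[string]]::new()
if ($svc.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')) {
    [void]$ids.Add('S-1-5-18')
    [void]$ids.Add('S-1-5-32-544')
} else {
    $acct = [System.Security.Principal.NTAccount]::new($svc.StartName)
    [void]$ids.Add($acct.Translate([System.Security.Principal.SecurityIdentifier]).Value)
}

# 2. Parse the channel's SDDL (the "channelAccess" value wevtutil gl Security also shows).
#    Event log access rights: 0x1 = read, 0x2 = write, 0x4 = clear.
$READ = 0x1
$sddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
"Security channel SDDL: $sddl"
$rsd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
$canRead = $false
foreach ($ace in $rsd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $sid = $ace.SecurityIdentifier.Value
    $applies = $ids.Contains($sid)
    if (-not $applies -and $sid -like 'S-1-5-32-*') {
        # ACE for a built-in local group (e.g. S-1-5-32-573 Event Log Readers):
        # does the service account appear as a direct member?
        $members = Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue
        $applies = [bool]($members | Where-Object { $ids.Contains($_.SID.Value) })
    }
    if (-not $applies) { continue }
    "  ACE applies: $($ace.AceType) mask=0x$('{0:x}' -f $ace.AccessMask) for $sid"
    if ($ace.AceType -eq 'AccessDenied' -and ($ace.AccessMask -band $READ)) { $canRead = $false; break }
    if ($ace.AceType -eq 'AccessAllowed' -and ($ace.AccessMask -band $READ)) { $canRead = $true }
}
"Service account has READ on Security channel: $canRead"
if (-not $canRead) {
    "  -> Fix the channel ACL (GPO / wevtutil sl Security /ca:...) or add the account to Event Log Readers."
}

# 3. Is there anything to collect? No 4624 at all points at audit policy, not at Splunk.
$ev = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -MaxEvents 1 -ErrorAction SilentlyContinue
if ($ev) {
    "Latest 4624 in Security log: $($ev.TimeCreated)"
} else {
    "No 4624 events in the Security log; current Logon audit setting:"
    auditpol /get /subcategory:"Logon"
}

# 4. Effective stanza after merging every inputs.conf (default and local, every app).
#    Check disabled, index, blacklist*/whitelist*, and whether a sourcetype or index from the
#    UF's own [default] stanza is being inherited here.
if (Test-Path $splunkExe) {
    & $splunkExe btool inputs list 'WinEventLog://Security' --debug
    # Errors opening the channel are logged by the UF itself.
    $log = Join-Path $splunkHome 'var\log\splunk\splunkd.log'
    if (Test-Path $log) { Select-String -Path $log -Pattern 'WinEventLog.*Security' | Select-Object -Last 5 }
} else {
    "splunk.exe not found at $splunkExe (adjust `$splunkHome)"
}

# 5. HF-side filtering cannot be checked from here: on the HF, run
#    splunk btool transforms list --debug  and  splunk btool props list --debug
#    and look for nullQueue rules whose source/sourcetype matches WinEventLog:Security.
```

If step 2 reports no READ right for the service account, the fix is on the Windows side (channel ACL or group membership), not in inputs.conf; if the SDDL is fine but step 4 shows the stanza disabled, pointed at an unexpected index, or carrying a blacklist you did not write, the fix is in the Splunk configuration layering.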

lakshman239
SplunkTrust

Were you able to resolve this?


FrankVl
Ultra Champion

Have you confirmed that the user the Splunk UF runs as has access to the Security log on that server?
Are other logs from that server (i.e. Splunk's internal logs) coming through correctly?

khanlarloo
Explorer

I installed it with admin privileges; I receive other logs.

jkat54
SplunkTrust

This means nothing. You need to verify that the correct permissions are set, regardless of the user.

Each event log has its own set of possible permissions.

dkeck
Influencer

Hi,

Could it be that in the Windows add-on some security event logs are blacklisted, so you are not getting all of them?

Have a look at /default/inputs.conf

khanlarloo
Explorer

No, it doesn't have any blacklist.