I have one server that is for antivirus; I installed the UF and the Windows add-on on it, which send logs to the HF.
I have one problem: it doesn't show this server's Security events on my indexer, but it shows other servers' Security events.
My inputs.conf on the UF is:
[default]
host = NPESET
index = eset
sourcetype = eset:ra
and in the Windows add-on inputs.conf:
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog
renderXml = false
Why don't I receive any Security event logs?
Have you confirmed that the user the Splunk UF runs as has access to the Security logs on that server?
Are other logs from that server (i.e. Splunk's internal logs) coming through correctly?
Assuming your Splunk UF is running as admin (or with the equivalent required access) and that we can see _internal logs from that UF (to ensure connectivity works), could you do the following?
1. On the Windows server (AV), check whether Event Viewer shows the Security events which are expected [e.g. 4624]. If no Security events are in Event Viewer, you may need to work with the Windows admin to enable security audit policies.
2. Once the events are seen in Event Viewer, look at the default/inputs.conf, as it normally has a blacklist for 566 and 4662.
3. Check to see whether you are receiving any Application or System logs from this AV server [WinEventLog://Application and WinEventLog://System].
4. Run btool to ensure the required inputs.conf shows up with your changes.
5. Check that there is no filtering at the HF level for Windows Security events.
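The checklist above, as one PowerShell script run on the AV server in an elevated session. This is an added example, not code from the poster or from Splunk; it assumes the default UF install path in $SplunkHome and the default service name SplunkForwarder, and that the HF is reachable from the same box. The HF-side check for step 5 is shown as a comment because the HF's OS is not stated in the thread.

```powershell
# Added example (not from the original post). Run as Administrator on the AV server.
# Assumptions: default UF install path and service name; adjust if yours differ.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'

# Step 1: does the Security log contain anything at all? An empty log means the
# audit policy is off, not a Splunk problem. Reading Security requires admin.
$latest = Get-WinEvent -LogName Security -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $latest) {
    Write-Warning 'Security log is empty or unreadable. Effective logon audit policy:'
    auditpol /get /category:Logon/Logoff
} else {
    Write-Host 'Newest Security events on this host:'
    $latest | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
}

# Which account does the forwarder run as? LocalSystem can read Security;
# a custom service account needs explicit read access on the channel.
Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'" |
    Select-Object Name, StartName, State, StartMode | Format-List

# Steps 2-4: the effective WinEventLog stanzas after all apps are merged,
# with the file each setting comes from (--debug). Look for disabled = 1,
# an unexpected index, or a blacklist line that is broader than intended.
& "$SplunkHome\bin\splunk.exe" btool inputs list --debug |
    Select-String -Pattern 'WinEventLog://', 'disabled', 'index', 'blacklist'

# Connectivity: is the UF actually connected to the HF it was configured for?
& "$SplunkHome\bin\splunk.exe" list forward-server

# Step 5, on the HF itself (not this host): look for props/transforms that
# route WinEventLog:Security to nullQueue or rewrite its index, e.g.
#   splunk btool props list WinEventLog:Security --debug
#   splunk btool transforms list --debug | findstr nullQueue
```

One thing worth noticing from the stanzas posted in the question: the [default] stanza on the UF sets index = eset, but the add-on's [WinEventLog://Security] stanza overrides that with index = wineventlog, so the Security events, if they are being collected, land in wineventlog rather than eset. Confirm that index exists on the indexer (events for a non-existent index are dropped) and that the search is run against it.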
I have seen this a number of times, and it is generally related to the security policy on the source server. If the UF is running as SYSTEM or an AD account, as larkshman239 says, check that it has permissions.
There is a more detailed set of security requirements relating to the security descriptors that are used to allow access; these differ on a Win2008 box and above. Read the following and check to make sure that they are set to allow access.
I appreciate that this relates to setting the SDDL; however, it tells you how to understand whether you have the required access. I have seen this on a Windows 2016 server, so it is relevant.
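To make the SDDL point concrete, here is an added PowerShell example (not from the poster) that reads the Security channel's access descriptor and decodes each ACE into an account name and the channel rights it grants, then compares that against the account the forwarder runs as. It assumes Windows Server 2016 or later (Get-LocalGroupMember), an elevated session, and the default SplunkForwarder service name; the mapping of the low rights bits (0x1 read, 0x2 write, 0x4 clear) is the documented channel access mask.

```powershell
# Added example (not from the original post). Run as Administrator.
# Channel access mask bits (event log channels): 0x1 = read, 0x2 = write, 0x4 = clear.
$ChannelRead = 0x1

# The same string 'wevtutil gl Security' prints as channelAccess.
$sddl = (Get-WinEvent -ListLog Security).SecurityDescriptor
Write-Host "Security channel SDDL: $sddl`n"

# RawSecurityDescriptor parses SDDL, including two-letter aliases like BA and SY.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$readers = @()   # SIDs with an Allow ACE that includes read
foreach ($ace in $sd.DiscretionaryAcl) {
    try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $ace.SecurityIdentifier.Value }   # unresolvable SID: print it raw
    $rights = @()
    if ($ace.AccessMask -band 0x1) { $rights += 'read' }
    if ($ace.AccessMask -band 0x2) { $rights += 'write' }
    if ($ace.AccessMask -band 0x4) { $rights += 'clear' }
    '{0,-13} {1,-45} 0x{2:x} ({3})' -f $ace.AceType, $name, $ace.AccessMask, ($rights -join ',')
    if ($ace.AceType -eq 'AccessAllowed' -and ($ace.AccessMask -band $ChannelRead)) {
        $readers += $ace.SecurityIdentifier.Value
    }
}

# Now the forwarder's identity. LocalSystem is S-1-5-18; anything else is
# checked directly and via membership of BUILTIN\Event Log Readers (S-1-5-32-573),
# which is the group the SDDL normally grants read to.
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
$account = $svc.StartName
if ($account -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$') {
    $sid = 'S-1-5-18'
} else {
    $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value
}
$inReaders = (Get-LocalGroupMember -SID 'S-1-5-32-573' -ErrorAction SilentlyContinue |
              Where-Object { $_.SID.Value -eq $sid }) -ne $null

Write-Host "`nForwarder runs as $account ($sid)"
if ($readers -contains $sid) {
    Write-Host 'Granted read on the Security channel directly by an ACE.'
} elseif ($inReaders -and ($readers -contains 'S-1-5-32-573')) {
    Write-Host 'Granted read via membership of BUILTIN\Event Log Readers.'
} else {
    Write-Warning 'No direct read ACE and not in Event Log Readers: the UF cannot read Security.'
    Write-Warning 'Fix by adding the account to Event Log Readers or by setting the channel SDDL.'
}
```

Group membership is evaluated at logon, so after adding the service account to Event Log Readers the SplunkForwarder service has to be restarted before the new token takes effect. A domain group nested inside Event Log Readers will not show up in the simple local membership check above; in that case compare the ACE list against the groups in the account's token instead.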