
security eventlog

Explorer

I have one server that is for antivirus. I installed the UF and the Windows add-on on it, which send logs to the HF.
I have one problem: it doesn't show that server's security events on my indexer, but it shows other servers' security events.
My inputs.conf on the UF is:

[default]
host = NPESET
index = eset
sourcetype = eset:ra

and in the Windows add-on's inputs.conf:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
index = wineventlog
renderXml = false

Why don't I receive any security event logs?


Re: security eventlog

Influencer

Hi,

Could it be that in the Windows add-on some security event logs are blacklisted, so you are not getting all of them?

Have a look at /default/inputs.conf.


Re: security eventlog

Explorer

No, it doesn't have any blacklist.


Re: security eventlog

Ultra Champion

Have you confirmed that the user the Splunk UF runs as has access to the security logs on that server?
Are other logs from that server (i.e. Splunk's internal logs) coming through correctly?


Re: security eventlog

Explorer

I installed it with admin privileges; I receive other logs.


Re: security eventlog

SplunkTrust

This means nothing. You need to verify the correct permissions are set regardless of the user.

Each event log has its own possible permissions.


Re: security eventlog

SplunkTrust

Assuming your Splunk UF is running as admin (or with equivalent required access) and that we can see _internal logs from that UF (to ensure connectivity works), could you do the following?
1. On the Windows server (AV), check whether Event Viewer shows the security events that are expected [e.g. 4624]. If no security events are in Event Viewer, you may need to work with the Windows admin to enable security audit policies.
2. Once the events are seen in Event Viewer, look at the default/inputs.conf, as it normally blacklists 566 and 4662.
3. Check whether you are receiving any Application or System logs from this AV server [WinEventLog://Application and System].
4. Run btool to ensure the required inputs.conf shows up with your changes.
5. Check that there is no filtering at the HF level for Windows security events.

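The checklist above, together with the SDDL point raised later in the thread, can be run through from an elevated PowerShell prompt on the AV server. This is an added triage script, not code from the thread or from Splunk; it assumes the UF is installed in the default path and registered as the SplunkForwarder service.

```powershell
# Added triage script for the checklist above (not from the thread or Splunk).
# Assumptions: UF installed in the default path and registered as the
# 'SplunkForwarder' service; run from an elevated PowerShell prompt on the AV server.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'

# Step 1: does the Security log itself contain the expected events (e.g. 4624)?
$logon = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} `
                      -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $logon) {
    Write-Warning 'No 4624 events in the Security log: logon auditing is probably not enabled.'
    auditpol /get /category:"Logon/Logoff"   # shows the current audit setting
} else {
    Write-Host "Security log holds logon events; newest: $($logon[0].TimeCreated)"
}

# Which account runs the forwarder? LocalSystem can read Security; a custom
# service account must be granted read access in the log's SDDL (see below).
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
Write-Host "UF service account: $($svc.StartName) (state: $($svc.State))"

# Channel access SDDL of the Security log. The UF account, or a group it belongs
# to, needs a read ACE here, e.g. (A;;0x1;;;<SID>).
wevtutil gl Security | Select-String 'channelAccess'

# Steps 2 and 4: merged view of the stanza after every inputs.conf is layered,
# including blacklist lines inherited from the add-on's default/inputs.conf.
& "$SplunkHome\bin\splunk.exe" btool inputs list 'WinEventLog://Security' --debug

# Step 3: compare with the Application stanza to see whether the problem is
# specific to the Security channel.
& "$SplunkHome\bin\splunk.exe" btool inputs list 'WinEventLog://Application' --debug

# Step 5 is checked on the HF, not here: look there for transforms that send
# Security events to nullQueue, e.g.
#   splunk btool transforms list --debug | Select-String 'nullQueue'
```

If the SDDL line lacks an ACE for the service account, or btool shows the stanza with disabled = 1 or an unexpected blacklist, that is the layer to fix before looking further downstream.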

Re: security eventlog

SplunkTrust

Were you able to resolve this?


Re: security eventlog

New Member

Hi,
I have seen this a number of times, and it is generally related to the security policy on the source server. If the UF is running as SYSTEM or an AD account, like larkshman239 says, check that it has permissions.

There is a more detailed set of security requirements relating to the security descriptors that are used to allow access; these differ on a Win2008 box and above. Read the following and check to make sure that they are set to allow access.

I appreciate that this relates to setting the SDDL; however, it tells you how to understand whether you have the required access. I have seen this on a Windows 2016 server, so it is relevant.

https://support.microsoft.com/en-gb/help/323076/how-to-set-event-log-security-locally-or-by-using-gr...
