
sourcetype="WinEventLog:Security" vs sourcetype="WMI:WinEventLog:Security"

SplunkTrust

I'm not sure if this is something that I did on this system, or something the windows app did maybe, but why do I have all my local winEventLog data getting indexed twice?

Everything comes in as both: sourcetype="WinEventLog:Security" and sourcetype="WMI:WinEventLog:Security".

And can someone tell me which one I should turn off?

At a higher level it's quite silly that all of the source keys for the windows inputs are set to the exact same value as the sourcetype. I would expect something more along the lines of:

  1. sourcetype="WinEventLog:Security" source="WMI"
  2. sourcetype="WinEventLog:Security" source="localEventLog"
1 Solution

Engager

I can confirm that I have the same behavior on a brand new install (with Windows App) running on Windows 2008 R2 64-bit as the local system account. It indexes everything twice, but I'm not sure they are exactly the same, as you can see on my screenshot:

Splunk Screenshot

You can see that one host is indexed as DC02 and the other is indexed with the domain name. You can also see that the Application logs match at 3944 events and the System logs match at 3210, but the Security log from WinEventLog has 20 more events than WMI:WinEventLog at the exact same update time.

I have also noticed that the difference between WinEventLog and WMI:WinEventLog is even bigger if you run Splunk as "Domain Administrator".

Finally, in Windows App, when you try to run any search query related to event logs, it only searches for events from WinEventLog and not from WMI:WinEventLog, thus you will only get results for the localhost unless you edit the queries.

That is what I have experienced so far.

Follow-up:

After further testing, it appears to me that Windows App forces local event logging, which logs information as WinEventLog. When you enable remote log collection, it uses WMI:WinEventLog. I won't be using Windows App on my deployment, so I will be turning off local logging and using WMI only, as they finally seem to be collecting the same information.


Path Finder

I believe they are equal because, in the end, they are both probably making the same WMI query.

But, that said, I usually turn off the WMI one because the sourcetype is longer.

They both come from the Windows app; the first one comes from an entry in wmi.conf and the second from an inputs.conf entry.

I believe they both get turned on if you choose to turn on every WMI input by default and also turn on every WinEventLog input during install, though that might not be the case. I have only noticed it happening on my 4.2 indexer after I upgraded from 4.1.x with an upgraded Windows app as well.
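The two stanzas behind the two sourcetypes, written out as an added example (constructed here, not taken from the Splunk App for Windows or from anyone in this thread). The inputs.conf stanza is the direct local Event Log reader that produces WinEventLog:Security; the wmi.conf stanza name doubles as the sourcetype, which is where WMI:WinEventLog:Security comes from. The stanza form `WinEventLog://Security` is the current syntax (4.x-era configs wrote `WinEventLog:Security`), the host names in `server` are placeholders, and the configuration shown keeps the local reader for the host itself and scopes the WMI stanza to remote machines so that no Security event is indexed twice:

```ini
# inputs.conf (constructed example)
# Direct read of the local Security log -> sourcetype WinEventLog:Security.
# This is the copy to keep for the machine Splunk runs on.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5

# wmi.conf (constructed example)
# Stanza name is the sourcetype -> WMI:WinEventLog:Security.
# A wmi.conf event-log stanza with no "server" key queries the local
# machine, which is what produces the duplicate of the stanza above.
# Listing only remote hosts (placeholders here) keeps WMI for remote
# collection and leaves the local log to the direct reader.
[WMI:WinEventLog:Security]
server = REMOTE-DC01, REMOTE-DC02
interval = 5
event_log_file = Security
disabled = 0

# If WMI is not wanted at all (the "turn off the WMI one" option),
# disable the stanza instead of scoping it:
# [WMI:WinEventLog:Security]
# disabled = 1
```

Splunk `.conf` files only treat `#` as a comment at the start of a line, so keep comments on their own lines rather than after a value. After restarting, a quick check that the fix took is `index=* (sourcetype=WinEventLog:Security OR sourcetype=WMI:WinEventLog:Security) | stats count by host, sourcetype`: each host should appear under exactly one of the two sourcetypes. Double-indexed Security events matter beyond license volume, because any detection that thresholds on counts (failed logons per account, for example) fires at half the intended rate or twice as often depending on which sourcetype it was written against.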

Communicator

sourcetype="WinEventlog:Security" is a Windows instance of Splunk getting its own event log.

sourcetype="WMI:WinEventlog:Security" is a Windows instance getting the event log of (usually) a remote system via WMI queries.

I'd turn off the WMI one.

Typically "source=" refers to the specific file the event is coming from and "sourcetype" is a more meta value of what kind of source it is. This makes sense when Splunk is monitoring files, but because Windows event data isn't thought of as a file, the convention breaks down.

Maybe Splunk should use the path to the .evt file as the source. That might be nice when you're splunking in restored .evt files. 🙂