Why are the wineventlogs:security events indexing into different indexes and sourcetypes from a single host?

lznger88_2
Path Finder

Hi All,

I currently have a UF installed on a host sending Windows security logs to index=wineventlogs in non-XML format (which is what I want). The issue is that the same host is sending the Windows security logs in XML to index=main, and I cannot find the reason why. I have installed the Splunk App for Win Infra (1.5.0), Win_TA (5.0.1) and Splunk Add-on for AD/DNS (1.0.0/1.0.1) on my SH, IDX and UF (where needed, as per Splunk documentation).

My guess here is that it is something to do with one of the above apps installed, as the UF has the following inputs.conf under 'etc/app/Splunk_TA_Windows\local\'. No other local files on the UF.

inputs.conf on the UF:
[WinEventLog://Security]
disabled=0
index=wineventlog
renderXml=false
..............(other default data - start_from, current_only etc)

I have used btool on the host UF (inputs and outputs list) as well as the IDX (inputs, props and transforms list), though I can't seem to find the issue.

I have also gone through the Windows Add-on upgrade documentation.

Any further advice/tips would be very appreciated (i.e. what to specifically look for using btool, or potential root causes).

Cheers.

1 Solution

ikulcsar
Communicator

Hi,

If nothing else helps: it's bold, but I would try to identify whether there are any rogue hosts (forgotten/misconfigured/multiple UFs on the same server) with another UF. So try to stop that UF in order to check whether there is a rogue UF somewhere with the same hostname.

Regards,
István

lznger88_2
Path Finder

Hi Istvan,

This may actually be the cause. I stopped the forwarder service and the Windows XML data was still being sent to index=main, but the data I actually want to ingest (non-XML) stopped ingesting to index=wineventlog.

Now I just have to find out where this is occurring. Luckily the deployment is not large yet (less than 10 UF/sources ingesting).

Cheers.

robert_miller
Path Finder

Did you ever figure out the culprit? I am actually trying to figure out how to send the Windows event logs in XML and non-XML formats. The XML format is going to be sent to a third-party system, but we use the non-XML format at my company.

lakshman239
SplunkTrust

Please look at the default/inputs.conf and local/inputs.conf under Win Infra and Splunk Add-on for AD/DNS on the UF (this reads Windows events), as by default some of the inputs could be enabled. If you find them, please create local/inputs.conf and disable them, as they could cause conflicts.

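As an added example (not from this thread or from Splunk's own tooling): a small Python script that parses the output of `splunk btool inputs list --debug` taken on a UF and reports, for every enabled WinEventLog stanza, the effective index and renderXml setting, which apps supplied those settings, and whether any local/ file pins the input at all. The btool output below is constructed for the example, and `example_ad_app` is a hypothetical app name standing in for a second app that enables an input from its default/inputs.conf.

```python
import re

LINE_RE = re.compile(r"^(?P<file>\S+)\s+(?P<body>.+)$")
APP_RE = re.compile(r"/etc/(?:apps/)?([^/]+)/(?:default|local)/inputs\.conf$")

# Constructed sample of `splunk btool inputs list --debug` on a UF: the TA's local stanza
# wants non-XML events in wineventlog, while a hypothetical second app enables XML input.
SAMPLE_BTOOL = """\
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   [WinEventLog://Security]
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   disabled = 0
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   index = wineventlog
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/local/inputs.conf   renderXml = false
/opt/splunkforwarder/etc/apps/Splunk_TA_windows/default/inputs.conf start_from = oldest
/opt/splunkforwarder/etc/apps/example_ad_app/default/inputs.conf    [WinEventLog://Application]
/opt/splunkforwarder/etc/apps/example_ad_app/default/inputs.conf    disabled = 0
/opt/splunkforwarder/etc/apps/example_ad_app/default/inputs.conf    renderXml = true
"""

def parse_btool_debug(text):
    """Map stanza name -> {key: (value, supplying file)}; each --debug line is '<file> <content>'."""
    stanzas, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, body = m.group("file"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            current = body[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in body:
            key, value = (part.strip() for part in body.split("=", 1))
            stanzas[current][key] = (value, path)
    return stanzas

def audit_wineventlog(text):
    """One record per enabled WinEventLog input: where it routes, which apps shaped it,
    and whether any local/ file pins it (False means a local override is still missing)."""
    report = []
    for name, keys in parse_btool_debug(text).items():
        disabled = keys.get("disabled", ("0", ""))[0].lower() in ("1", "true")
        if not name.startswith("WinEventLog") or disabled:
            continue
        files = [path for _, path in keys.values()]
        report.append({
            "stanza": name,
            "index": keys.get("index", ("<default index, usually main>", ""))[0],
            "renderXml": keys.get("renderXml", ("false", ""))[0].lower() == "true",
            "apps": sorted({APP_RE.search(p).group(1) for p in files if APP_RE.search(p)}),
            "pinned_in_local": any("/local/" in p for p in files),
        })
    return report
```

Run it against the real `--debug` output of the UF and look for any enabled stanza whose index or renderXml differs from what the Splunk_TA_windows local stanza sets.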
lznger88_2
Path Finder

Thanks for the advice. This particular UF does not have the Splunk Add-on for AD/DNS, only the splunk_TA-windows. The SH and IDX have the Win Infra App installed. Currently I have only looked at the inputs and outputs list using btool on the UF, and the inputs, props and transforms list on the IDX.
