Getting Data In

Audit logs added to Windows security events

johandk
Path Finder

Hi,

In some cases it seems Splunk adds this kind of info to some winsec events:

Audit:[timestamp=04-03-2011 04:13:13.169, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_search_SW5kZXhpbmcgd29ya2xvYWQ_at_1301796000_1747808923', search='search index=_internal (source=/metrics.log OR source=\metrics.log) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series', autojoin='1', buckets=0, ttl=1800, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 03:55:00 2011', apiEndTime='Sun Apr 03 03:55:00 2011', savedsearch_name="Indexing workload"][n/a] Audit:[timestamp=04-03-2011 04:13:14.919, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_windows_Q1BVIFV0aWxpemF0aW9uIFN1bW1hcnk_at_1301796240_858207800', search='search source="wmi:cputime" | stats avg(PercentProcessorTime) as avgCPUTime,avg(PercentUserTime) as avgUserTime | eval avgCPUTime=round(avgCPUTime,1) | eval avgUserTime=round(avgUserTime,1)', autojoin='1', buckets=0, ttl=14400, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:04:00 2011', apiEndTime='Sun Apr 03 04:04:00 2011', savedsearch_name="CPU Utilization Summary"][n/a] Audit:[timestamp=04-03-2011 04:13:16.700, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1301796600_1636259345', search='search index=_internal (source=/metrics.log OR source=\metrics.log) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:10:00 2011', apiEndTime='Sun Apr 03 04:10:00 2011', savedsearch_name="Top five sourcetypes"][n/a]

Any idea how we can get rid of this?

Tags (2)
0 Karma
1 Solution

Rob
Splunk Employee
Splunk Employee

You will probably want to route those events to the null queue. This means that you will want to configure Splunk to take specific events such as what you have posted, and it will not index these events.

Here is another answer link that is similar:

http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue

Also, the Splunk documentation contains some great examples to get you started with filtering events out that you do not want.

http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_...

View solution in original post

Rob
Splunk Employee
Splunk Employee

You will probably want to route those events to the null queue. This means that you will want to configure Splunk to take specific events such as what you have posted, and it will not index these events.

Here is another answer link that is similar:

http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue

Also, the Splunk documentation contains some great examples to get you started with filtering events out that you do not want.

http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_...

Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...