Getting Data In

Audit logs added to Windows security events

johandk
Path Finder

Hi,

In some cases it seems Splunk adds this kind of info to some winsec events:

Audit:[timestamp=04-03-2011 04:13:13.169, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_search_SW5kZXhpbmcgd29ya2xvYWQ_at_1301796000_1747808923', search='search index=_internal (source=/metrics.log OR source=\metrics.log) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series', autojoin='1', buckets=0, ttl=1800, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 03:55:00 2011', apiEndTime='Sun Apr 03 03:55:00 2011', savedsearch_name="Indexing workload"][n/a] Audit:[timestamp=04-03-2011 04:13:14.919, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_windows_Q1BVIFV0aWxpemF0aW9uIFN1bW1hcnk_at_1301796240_858207800', search='search source="wmi:cputime" | stats avg(PercentProcessorTime) as avgCPUTime,avg(PercentUserTime) as avgUserTime | eval avgCPUTime=round(avgCPUTime,1) | eval avgUserTime=round(avgUserTime,1)', autojoin='1', buckets=0, ttl=14400, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:04:00 2011', apiEndTime='Sun Apr 03 04:04:00 2011', savedsearch_name="CPU Utilization Summary"][n/a] Audit:[timestamp=04-03-2011 04:13:16.700, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1301796600_1636259345', search='search index=_internal (source=/metrics.log OR source=\metrics.log) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:10:00 2011', apiEndTime='Sun Apr 03 04:10:00 2011', savedsearch_name="Top five sourcetypes"][n/a]

Any idea how we can get rid of this?

Tags (2)
0 Karma
1 Solution

Rob
Splunk Employee
Splunk Employee

You will probably want to route those events to the null queue. This means that you will want to configure Splunk to take specific events such as what you have posted, and it will not index these events.

Here is another answer link that is similar:

http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue

Also, the Splunk documentation contains some great examples to get you started with filtering events out that you do not want.

http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_...

View solution in original post

Rob
Splunk Employee
Splunk Employee

You will probably want to route those events to the null queue. This means that you will want to configure Splunk to take specific events such as what you have posted, and it will not index these events.

Here is another answer link that is similar:

http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue

Also, the Splunk documentation contains some great examples to get you started with filtering events out that you do not want.

http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_...

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...