Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Audit logs added to Windows security events

johandk
Path Finder
‎04-04-2011 07:49 AM

Hi,

In some cases it seems Splunk adds this kind of info to some winsec events:

Audit:[timestamp=04-03-2011 04:13:13.169, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_search_SW5kZXhpbmcgd29ya2xvYWQ_at_1301796000_1747808923', search='search index=_internal (source=/metrics.log OR source=\metrics.log) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series', autojoin='1', buckets=0, ttl=1800, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 03:55:00 2011', apiEndTime='Sun Apr 03 03:55:00 2011', savedsearch_name="Indexing workload"][n/a] Audit:[timestamp=04-03-2011 04:13:14.919, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_windows_Q1BVIFV0aWxpemF0aW9uIFN1bW1hcnk_at_1301796240_858207800', search='search source="wmi:cputime" | stats avg(PercentProcessorTime) as avgCPUTime,avg(PercentUserTime) as avgUserTime | eval avgCPUTime=round(avgCPUTime,1) | eval avgUserTime=round(avgUserTime,1)', autojoin='1', buckets=0, ttl=14400, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:04:00 2011', apiEndTime='Sun Apr 03 04:04:00 2011', savedsearch_name="CPU Utilization Summary"][n/a] Audit:[timestamp=04-03-2011 04:13:16.700, user=splunk-system-user, action=search, info=granted , search_id='scheduler_nobody_search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1301796600_1636259345', search='search index=_internal (source=/metrics.log OR source=\metrics.log) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:10:00 2011', apiEndTime='Sun Apr 03 04:10:00 2011', savedsearch_name="Top five sourcetypes"][n/a]

Any idea how we can get rid of this?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Rob
Splunk Employee
Splunk Employee
‎04-04-2011 10:26 AM

You will probably want to route those events to the null queue. This means that you will want to configure Splunk to take specific events such as what you have posted, and it will not index these events.

Here is another answer link that is similar:

http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue

Also, the Splunk documentation contains some great examples to get you started with filtering events out that you do not want.

http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_...

View solution in original post

Reply
Solved! Jump to solution
Solution

Rob
Splunk Employee
Splunk Employee
‎04-04-2011 10:26 AM

You will probably want to route those events to the null queue. This means that you will want to configure Splunk to take specific events such as what you have posted, and it will not index these events.

Here is another answer link that is similar:

http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue

Also, the Splunk documentation contains some great examples to get you started with filtering events out that you do not want.

http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_...

Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top