Getting Data In

How to troubleshoot event code 4662, and why is the event not showing in Splunk? (Event code needed for a use case)

ricardo_911
New Member

Hi,

I am trying to look up data related to EventCode="4662", but it does not show in Splunk.

Additionally, I checked inputs.conf on the indexer and it was not present, so I copied inputs.conf from default:

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"
index = wineventlog
renderXml = false

I have checked within Windows Event Viewer on our Domain Controller that Event 4662 is present, but Splunk searches for EventCode=4662 produce no results.

So what I want to see is event code 4662 whose message contains Object Type: user.

Here I will provide the Event Viewer log that I want Splunk to show:

An operation was performed on an object.

Subject :
  Security ID:       CIMBNIAGA\YT91504X
  Account Name:      YT91504X
  Account Domain:    CIMBNIAGA
  Logon ID:          0xC2D9E1AC

Object:
  Object Server: DS
  Object Type:   user
  Object Name:   CN=ADJOINADMIN,OU=Functional   ID,OU=Special_OU,DC=cimbniaga,DC=co,DC=id
  Handle ID:     0x0

Operation:
  Operation Type:  Object Access
  Accesses:      READ_CONTROL

  Access Mask:   0x20000
  Properties:    READ_CONTROL {bf967aba-0de6-11d0-a285-00aa003049e2}

Additional Information:
  Parameter 1:    -
  Parameter 2:  

Please help me, I am really stuck. I already tried deleting the blacklist filtering, but it still does not give me the log that I want, like the one at the top. @kheo_splunk

0 Karma

Boogyman
New Member

Did this get resolved? We are also facing the same issue.

0 Karma

richgalloway
SplunkTrust

You won't find event 4662 because they're blacklisted. The blacklist prevents events with that code from being ingested and indexed; therefore, they cannot be searched.

Removing the blacklist will allow new 4662 events to be indexed, but will not do anything for the older events that happened while the blacklist was in effect.

---
If this reply helps you, Karma would be appreciated.
0 Karma
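To see concretely what the blacklist in the question does to the posted event, here is an added example (not from this thread and not Splunk's own code) that applies the two inputs.conf blacklist lines to a condensed copy of the event. It assumes Splunk's documented key=regex format for WinEventLog blacklists, with every pair in a line having to match (search-style) for the event to be dropped; the sample events are constructed from the post.

```python
import re

# Splunk WinEventLog blacklist lines, copied from the inputs.conf in the question.
BLACKLIST_LINES = [
    r'EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"',
    r'EventCode="566" Message="Object Type:\s+(?!groupPolicyContainer)"',
]

# key="regex" tokens; the regex keeps its backslashes because Splunk passes it to the regex engine as-is.
RULE_TOKEN = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_rule(line: str) -> dict:
    """Turn `EventCode="4662" Message="..."` into {field: regex}."""
    return dict(RULE_TOKEN.findall(line))


def matching_rule(event: dict, lines=BLACKLIST_LINES):
    """Return the first blacklist line that drops the event, or None if it would be indexed.

    Assumption: every key=regex pair of a line must match (re.search) for the
    line to apply, which is how Splunk documents the WinEventLog blacklist.
    """
    for line in lines:
        pairs = parse_rule(line)
        if pairs and all(re.search(rx, event.get(field, "")) for field, rx in pairs.items()):
            return line
    return None


# Constructed sample condensed from the Event Viewer text in the question
# (tabs rendered as runs of spaces, as in the post).
USER_EVENT = {
    "EventCode": "4662",
    "Message": "An operation was performed on an object.\n"
               "Object:\n  Object Server: DS\n  Object Type:   user\n"
               "  Object Name:   CN=ADJOINADMIN,OU=Functional ID,OU=Special_OU,DC=cimbniaga,DC=co,DC=id",
}

# Constructed counterpart the blacklist is meant to keep (single tab after the label).
GPO_EVENT = {"EventCode": "4662", "Message": "Object:\n\tObject Type:\tgroupPolicyContainer"}

# Same GPO event with a run of spaces: \s+ backtracks one character and the negative
# lookahead then succeeds at the remaining space, so this one is dropped as well.
GPO_EVENT_SPACES = {"EventCode": "4662", "Message": "Object:\n  Object Type:   groupPolicyContainer"}

if __name__ == "__main__":
    for name, ev in [("user", USER_EVENT), ("gpo/tab", GPO_EVENT), ("gpo/spaces", GPO_EVENT_SPACES)]:
        print(f"{name:10s} -> dropped by: {matching_rule(ev)}")
```

Running it shows the posted event is dropped by blacklist1 before it ever reaches the index, which is exactly the behaviour described in the answer above.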

ricardo_911
New Member

Yes, I already tried removing the blacklist, and even tried the whitelist, but the result is still the same: event code 4662 is not generated at all. When my team had already removed the blacklist, we also tried to enumerate the Active Directory to see if the event gets generated, but when we checked in Splunk the event was still not showing up. Are there other settings, or maybe the regex is wrong?

0 Karma

richgalloway
SplunkTrust

When you removed the blacklist setting, did you also restart the forwarder(s)?

Are there any transform or Ingest Actions in the data path that might also be discarding the events?

---
If this reply helps you, Karma would be appreciated.
0 Karma