Getting Data In

In Windows Security logs, why does Splunk incorrectly solves some data?

patriziadepaola
Explorer

Good morning,
I noticed that Splunk (v. 6.5.1) does not properly report some fields of security event logs collected.
In the example, the value in the field "Accesses" of my Windows security log is : “ReadData (or ListDirectory)” but in the result of search in splunk I have : "%9"
alt text

And, unfortunately, also other fields are affected by the same problem!

Can someone help me?!
Thank you!

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi patriziadepaola,
you should verify in Windows EventViewer if you have the same values.
I think that you should find the problem in Windows Event Logging, because Splunk acquires Windows Logs without modifying them.
Bye.
Giuseppe

View solution in original post

0 Karma

woodcock
Esteemed Legend

You need 2 things: you need AD (Domain Controller) setup correctly and you need this setting in your inputs.conf:

evt_resolve_ad_obj = 1

Read here (and elsewhere) for more:
https://answers.splunk.com/answers/23502/windows-sid-resolving-in-splunk.html

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi patriziadepaola,
you should verify in Windows EventViewer if you have the same values.
I think that you should find the problem in Windows Event Logging, because Splunk acquires Windows Logs without modifying them.
Bye.
Giuseppe

0 Karma

patriziadepaola
Explorer

Hi Giuseppe, no I don't use soucetype=WinEventLog:Security
this is my inputs.conf:

[WinEventLog://ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = security
_TCP_ROUTING= collaudo

0 Karma

patriziadepaola
Explorer

Hi Giuseppe, using TA_Windows Security Stanza with soucetype WinEventLog:Security all woks fine!
Thank you.

0 Karma

gcusello
SplunkTrust
SplunkTrust

If this answer solves your question, please accept it.
bye.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi Patrizia,
if you don't want to use this sourcetype, you have to rebuild all the WinEventLog:Security environment in your sourcetype.
See in Splunk_TA-Windows props.conf file what are all the configurations for WinEventLog:Security (you can find in "###### Windows Security Event Log ######" section) and rebuild them for your sourcetype.
Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi patrizia,
how you took logs, using TA_Windows Security Stanza?

[WinEventLog://Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

and sourcetype=WinEventLog:Security?

Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi patrizia,
You should try to use this sourcetype, because Splunk gives by default all the Windows configurations to ingest this logs.
Otherwise, you should search in Splunk_TA-Windows props.conf file extracting all the configurations for WinEventLog:Security (you can find in "###### Windows Security Event Log ######" section).
But Every Way I suggest to you to use the default sourcetype, it's easier!

Bye.
Giuseppe

0 Karma

patriziadepaola
Explorer

No, unfortunately, in the windows log contain the correct messages! In the example that I had submitted, windows security log for string Accesses presents the value "ReadData (or ListDirectory)", but my search in splunk returns %9

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...