Getting Data In

Not sending [Windowseventlog://Security] to Search Head

Alex1
Explorer

My Search Head receives WinEventLog://Application and System, but [WinEventLog://Security] is not found. I'm using Splunk_TA_windows. This is my inputs.conf config in local.

[WinEventLog://Application] -> it works
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml=false


[WinEventLog://Security] -> not work
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml=false
index = wineventlog

[WinEventLog://System] -> it works
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml=false
index = wineventlog


###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml=true
host= WinEventLogForwardHost
index = wineventlog

This TA is copied from another server where it works fine. Even though I'm using a domain admin account to run the service, I still don't get the Windows Security event log.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Alex1,

let me understand:

  • you have a Splunk server configured as a Search Head, in other words one that sends its searches to one or more Indexers,
  • You are sending Windows logs from another server to the Search Head,
  • you don't see the logs in your searches;

is it correct?

At this point one question: if you have one or more Indexers, why do you send logs to the Search Head?

Usually all logs are sent to the Indexers, which index them and share them with the Search Heads. So probably the problem is that the logs you're sending to the Search Head aren't in the Indexers, so they aren't visible, and the solution to your problem is simply to forward logs to the Indexers instead of the Search Heads.

You could also solve the problem by forwarding all the Search Head's logs to the Indexers, and this is generally a Splunk best practice; but anyway it isn't a good idea to send logs to the Search Head.

Ciao.

Giuseppe

Alex1
Explorer

Hi gcusello,

Yes, it's correct. Sorry, I made a mistake.

I copied the Windows TA from server 1, which is still sending Application, System and Security to the indexers, to server 2.

But after copying it to server 2, I found the Windows Application and System logs, not the Security log. Even using domain admin, I still don't get the Security log.

0 Karma

gcusello
SplunkTrust

Hi @Alex1,

Sorry but I don't understand:

  • you have a Windows TA on your Windows Search Head to take Windows logs from it,
  • you took your Splunk TA_Windows from another server and copied it onto your Search Head,
  • from server 1 you have all the logs, but from server 2 you have the other logs, not the Security logs;

is it correct?

At first, can you confirm that you're speaking of Search Head's logs?

Did you check if the Splunk_TA_Windows Security logs input is enabled on server 2 (you can check this in inputs.conf)?

If it's enabled, check, using the btool command, if there's another inputs.conf pointing to the Windows Security logs.

You can do it from the CLI by running this command and redirecting the results to a text file to analyze:

splunk btool inputs list --debug > my_file.txt

You have to see if there are two stanzas pointing to the Windows Security logs.

Lastly, if you have a Windows Search Head, rethink this: I did many Splunk installations and I use Windows only for tests on my PC, never in production environments!

Ciao.

Giuseppe

0 Karma
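An added example, not from the thread or from Splunk_TA_windows, of the btool check Giuseppe describes: it parses the output of `splunk btool inputs list --debug` and reports, for one WinEventLog channel, which stanzas target it and which file sets `disabled`. The btool output and the Windows paths below are constructed; the parser assumes each btool line is a `.conf` path followed by the config line.

```python
import re

# Constructed sample of `splunk btool inputs list --debug` output (not real
# output from the thread). btool prints the merged config and prefixes every
# line with the file it came from, so one stanza's keys may come from
# different files; here system/local disables the Security input.
SAMPLE_BTOOL = r"""
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  [WinEventLog://Application]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  disabled = 0
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  index = wineventlog
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  [WinEventLog://Security]
C:\Program Files\Splunk\etc\system\local\inputs.conf                  disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  index = wineventlog
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  [WinEventLog://System]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  disabled = 0
"""

# Assumed line shape: "<path ending in .conf>  <config line>". Matching up to
# ".conf" keeps Windows paths that contain spaces intact.
LINE_RE = re.compile(r"^(.*?\.conf)\s+(.*)$")


def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, line = m.groups()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            stanzas[current][key] = (val, src)
    return stanzas


def check_channel(stanzas, channel="Security"):
    """List stanzas naming the channel (any letter case, to surface near-duplicate
    stanzas) and say whether one disables it and from which file."""
    wanted = "wineventlog://" + channel.lower()
    names = [s for s in stanzas if s.lower() == wanted]
    result = {"stanzas": names, "disabled": False, "disabled_source": None}
    for name in names:
        value, src = stanzas[name].get("disabled", ("0", None))
        if value.lower() in ("1", "true"):
            result["disabled"], result["disabled_source"] = True, src
    return result
```

Run it against the real file you saved from btool (`check_channel(parse_btool(open("my_file.txt").read()))`); an empty `stanzas` list means no input targets the channel at all, and a `disabled_source` outside the TA's local directory points at the file overriding it.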

Alex1
Explorer

Hi gcusello,

Server 1 and 2 (windows servers) - > indexers -> Search head.

-  At the Search head, I can search the Windows event logs (Application, System, Security) of Server 1. But when I search the Windows event logs of server 2 from the SH, I only find the Windows Application and System event logs. (Server 1 and 2 have the same config.)

So, my problem is how I can get the Windows "Security" event log of server 2.

0 Karma

gcusello
SplunkTrust

Hi @Alex1,

does my previous answer solve your question or not?

If it solves your question, OK; otherwise, did you check your configuration with btool?

Ciao.

Giuseppe

P.S.: karma Points are appreciated 😉

0 Karma