Getting Data In

Not sending [WinEventLog://Security] to Search Head

Alex1
Explorer

My Search Head receives WinEventLog://Application and System, but [WinEventLog://Security] is not found. I'm using Splunk_TA_windows. This is my inputs.conf config in local.

# -> it works
[WinEventLog://Application]
disabled = 0
index = wineventlog
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = false

# -> not work
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
renderXml = false
index = wineventlog

# -> it works
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
renderXml = false
index = wineventlog

###### Forwarded WinEventLogs (WEF) ######
[WinEventLog://ForwardedEvents]
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
## The addon supports only XML format for the collection of WinEventLogs using WEF, hence do not change the below renderXml parameter to false.
renderXml = true
host = WinEventLogForwardHost
index = wineventlog

This TA is copied from another server where it is working fine. Even though I'm using a domain admin account to run the service, I still don't get the Windows Security event log.


gcusello
SplunkTrust

Hi @Alex1,

Sorry but I don't understand:

  • you have a Windows TA on your Windows Search Head to take Windows logs from it,
  • you took your Splunk TA_Windows from another server and copied it to your Search Head,
  • from Server 1 you have all the logs, but from server 2 you have the other logs but not the Security logs;

is it correct?

First, can you confirm that you're speaking of the Search Head's logs?

Did you check whether the Splunk_TA_Windows Security logs input is enabled on server 2 (you can check this in inputs.conf)?

If it's enabled, check, using the btool command, whether there's another inputs.conf pointing to the Windows Security logs.

You can do it from the CLI by running this command and redirecting the results to a text file to analyze:

splunk btool inputs list --debug > my_file.txt

You have to see whether there are two stanzas pointing to the Windows Security logs.

Finally, if you have a Windows Search Head, rethink this: I have done many Splunk installations and I use Windows only for tests on my PC, never in production environments!

Ciao.

Giuseppe

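One way to work through the redirected btool output the answer above asks for, as an added example that is not part of the original thread: the script parses `splunk btool inputs list --debug` lines (source file, then stanza header or `key = value`) and flags any WinEventLog input that ends up disabled, or whose winning settings are stitched together from more than one local inputs.conf, which is how a second app overriding the TA shows up. The sample output and its app names are constructed for illustration.

```python
import re

# Constructed sample of `splunk btool inputs list --debug` output (not from the post): btool
# prints, per key, the winning value and the file it came from, so a stanza whose keys come
# from two different local/inputs.conf files is the "two stanzas" case the answer describes.
SAMPLE_BTOOL_OUTPUT = r"""
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  [WinEventLog://Application]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  disabled = 0
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  index = wineventlog
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  [WinEventLog://Security]
C:\Program Files\Splunk\etc\apps\old_win_inputs\local\inputs.conf     disabled = 1
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  index = wineventlog
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  [WinEventLog://System]
C:\Program Files\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf  disabled = 0
C:\Program Files\Splunk\etc\system\default\inputs.conf                index = default
"""

LINE_RE = re.compile(r"^(?P<path>.*?inputs\.conf)\s+(?P<setting>.+?)\s*$")  # path may contain spaces
DEFAULT_RE = re.compile(r"[\\/]default[\\/]inputs\.conf$")  # values from default/ are normal layering

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}}; key "__stanza__" records the header's file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank or unexpected line
        path, setting = m.group("path"), m.group("setting")
        if setting.startswith("[") and setting.endswith("]"):
            current = setting[1:-1]
            stanzas[current] = {"__stanza__": ("", path)}
        elif current is not None and "=" in setting:
            key, value = (part.strip() for part in setting.split("=", 1))
            stanzas[current][key] = (value, path)
    return stanzas

def audit_wineventlog(stanzas):
    """Flag WinEventLog inputs that end up disabled or are assembled from more than one local file."""
    findings = []
    for name, keys in stanzas.items():
        if not name.lower().startswith("wineventlog://"):
            continue
        disabled, dfile = keys.get("disabled", ("0", ""))
        if disabled.lower() in ("1", "true"):
            findings.append((name, "disabled", dfile))
        local_files = sorted({p for _, p in keys.values() if not DEFAULT_RE.search(p)})
        if len(local_files) > 1:
            findings.append((name, "multiple sources", "; ".join(local_files)))
    return findings
```

Against the real file, run `audit_wineventlog(parse_btool_debug(open("my_file.txt").read()))` and look at which path supplied the losing input's `disabled` value.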

gcusello
SplunkTrust

Hi @Alex1,

let me understand:

  • you have a Splunk server configured as a Search Head, in other words one that sends its searches to one or more Indexers,
  • you are sending Windows logs from another server to the Search Head,
  • you don't see the logs in your searches;

is it correct?

At this point, one question: if you have one or more Indexers, why do you send logs to the Search Head?

Usually all logs are sent to the Indexers, which index them and share them with the Search Heads, so probably the problem is that the logs you're sending to the Search Head aren't in the Indexers, so they aren't visible, and the solution to your problem is simply to forward logs to the Indexers instead of the Search Heads.

You could also solve the problem by forwarding all of the Search Head's logs to the Indexers, which is generally a Splunk best practice; in any case it isn't a good idea to send logs to the Search Head.

Ciao.

Giuseppe

Alex1
Explorer

Hi gcusello,

Yes, it's correct. Sorry, I made a mistake.

I copied the Windows TA from server 1, which is still sending Application, System and Security to the indexers, to server 2.

But after copying it to server 2, I found the Windows Application and System logs, but not the Security log. Even when I used domain admin I still got no Security log.


Alex1
Explorer

Hi gcusello,

Server 1 and 2 (Windows servers) -> indexers -> Search Head.

- At the Search Head, I can search the Windows event logs (Application, System, Security) of Server 1. But when I search the Windows event logs of server 2 from the SH, I only find the Windows Application and System event logs. (Server 1 and 2 have the same config.)

So, my problem is how I can get the "Security" Windows event log of server 2.


gcusello
SplunkTrust
SplunkTrust

Hi @Alex1,

does my previous answer solve your question or not?

If it solves your question, OK; otherwise, did you check your configuration with btool?

Ciao.

Giuseppe

P.S.: karma Points are appreciated 😉
