Getting Data In

Sudden excessive WinEventLog:Security events involving splunkd.exe

Path Finder

Splunk Universal Forwarder is v6.4.x
Splunk Server is v6.5.x

In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf , I have:

disabled = 0
index = wmi

I would normally see about 240 WinEventLog://Security "splunkd.exe" events logged per hour (for weeks).
Suddenly, that number jumped to over 4 million WinEventLog://Security "splunkd.exe" events logged per hour, and my indexing limit was exceeded.

Here's what gets logged:

SourceName=Microsoft Windows security auditing.
TaskCategory=Filtering Platform Connection
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: XXX
Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe

Network Information:
Direction: Outbound
Source Address: 10.X.X.X
Source Port: XXX
Destination Address: 172.X.X.X
Destination Port: XXX
Protocol: 6

Filter Information:
Filter Run-Time ID: XXX
Layer Name: Connect
Layer Run-Time ID: X

What could have possibly changed in a Windows machine that suddenly makes it log so much WinEventLog:Security "splunkd.exe" events?

I could set disabled=1, but then I'd lose the ability to track who is logging in/out of that machine.
Is there any way to just omit logging these kind of "Audit Success" / "The Windows Filtering Platform has permitted a connection" events?

1 Solution

Path Finder

Found an answer right here -

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

View solution in original post

0 Karma

Path Finder

Did you ever figure out why the "Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe" was making excessive connections to the machine? I have also run into this issue, but would like to know the root cause of excessive connections, and not excessive logs.

0 Karma

Path Finder

The excessive WinEventLog:Security events started the day some updates were pushed to the machine:
Microsoft Security Update for .NET
McAfee product updates (including Firewall update)

Hmm... But it could have been something else that triggered it too.

0 Karma

Path Finder

Found an answer right here -

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

0 Karma
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...