What is this sample Windows Event Log trying to do?

pcordel
Explorer

I'd like confirmation that I'm reading what I believe to be a Windows event log written by Splunk correctly.

These just started showing up this morning. We're getting a LOT of these and I'm trying to determine why.

Here's the log entry. My attempted translation is below.

03/22/2017 02:35:16 AM
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4663
EventType=0
Type=Information
ComputerName=fakehost.fakedomain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=1085737169
Keywords=None
Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error:

Got the following information from this event:

fakehost$
fakedomain
Security
File
D:\Program Files\Splunk\var\lib\splunk\modinputs\WinEventLog\security
%%4417
%%4418

D:\Program Files\Splunk\bin\splunk-winevtlog.exe

Translation:
Windows -> "Access to an object was requested."
Windows -> "This is concerning Windows Server 2008"
Windows -> "On machine fakehost, which is part of domain fakedomain, something tried to write to... something. Specifically, something tried to append data to something."
Splunk -> "I have no idea how to translate the rest of the log. Something's busted."

My guess...
splunk-winevtlog.exe is the thing trying to do the writing. I don't know to where or what it's trying to write.
-- OR --
splunk-winevtlog.exe is the destination of where something is trying to write. I don't know what's doing the writing.

0 Karma

templets
Path Finder

We're seeing a lot of this after this month's Windows update. Restarting the Splunk forwarder appears to have fixed it. We also changed the service start to "delayed".

See: https://answers.splunk.com/answers/200924/formatmessage-error-appears-in-indexed-message-for.html

0 Karma

DalJeanis
Legend

There should be info in the _raw about

...Object Name: C:\some\file\location\name.ext  ...

That's the item that was being touched. I see 4663's on successful touches of regbacks, dlls, exes and some other kinds of files. That may be the folder or file D:\Program Files\Splunk\var\lib\splunk\modinputs\WinEventLog\security.

You'll also see something like this...

... Access Request Information:   Accesses: WriteAttributes  ...
... Access Request Information:   Accesses: WriteData (or AddFile) ....

... for what the person or process was trying to do.

Somewhere before that, there should be user information about who is doing the touching.

...Security ID:  NT AUTHORITY\SYSTEM   Account Name:  HOSTNAME1$   Account Domain:  MYDOMAIN$  ...
... Security ID:  S-1-5-18   Account Name:   HOSTNAME2$    Account Domain:  MYDOMAIN$  ...

That's the person or persons you have to track down.

Also...

... Process Name: C:\some\file\location\name.exe  ...

That's the job or executable or a name of a service that was doing the touching for the user id. Looks like maybe that was splunk-winevtlog.exe.

In essence, if I'm reading this right, splunk-winevtlog.exe is touching a file -- possibly a security file -- and the Windows system is generating an info-level security message about it. Which might be ironic, if the security event logging by Splunk is generating a security message.

0 Karma
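Added example (not from the question or the answers above): a small parser for the Splunk-written 4663 block quoted in the question, which pulls the key=value header, recovers the positional values after "Got the following information from this event:", resolves the %%4417 / %%4418 placeholders to their Windows access-right names, and applies the triage rule DalJeanis describes (Splunk's own splunk-winevtlog.exe touching its own WinEventLog modinput path). The positional field mapping is a heuristic assumption based on the quoted event, and the placeholder table is a partial one of known Windows message-table values.

```python
import re
from pathlib import PureWindowsPath

# Partial table of Windows access-right placeholders (known message-table values);
# %%4417 and %%4418 are the two that appear in the quoted event.
ACCESS_NAMES = {
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

# Constructed sample, shaped like the event quoted in the question.
SAMPLE = """03/22/2017 02:35:16 AM
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4663
ComputerName=fakehost.fakedomain.com
TaskCategory=Removable Storage
Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.

FormatMessage error:

Got the following information from this event:

fakehost$
fakedomain
Security
File
D:\\Program Files\\Splunk\\var\\lib\\splunk\\modinputs\\WinEventLog\\security
%%4417
%%4418

D:\\Program Files\\Splunk\\bin\\splunk-winevtlog.exe
"""

def parse_event(text):
    """Return header key=value fields plus fields recovered (heuristically) from the positional block."""
    header, _, tail = text.partition("Got the following information from this event:")
    ev = dict(re.findall(r"^(\w+)=(.*)$", header, re.M))
    params = [p.strip() for p in tail.strip().splitlines() if p.strip()]
    ev["Accesses"] = [ACCESS_NAMES.get(p, p) for p in params if p.startswith("%%")]
    paths = [p for p in params if re.match(r"^[A-Za-z]:\\", p)]  # drive-letter paths
    ev["ProcessName"] = next((p for p in paths if p.lower().endswith(".exe")), "")
    ev["ObjectName"] = next((p for p in paths if p != ev["ProcessName"]), "")
    ev["AccountName"] = next((p for p in params if p.endswith("$")), "")  # machine account
    return ev

def is_splunk_self_audit(ev):
    """True when the forwarder's own process touches its own WinEventLog modinput path."""
    proc = PureWindowsPath(ev.get("ProcessName", "")).name.lower()
    obj = ev.get("ObjectName", "").lower()
    return ev.get("EventCode") == "4663" and proc == "splunk-winevtlog.exe" \
        and "\\modinputs\\wineventlog\\" in obj
```

Events that match is_splunk_self_audit can be routed to a low-priority index or dropped at the forwarder, while 4663s on the same path from any other process keep their normal priority.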