I'd like confirmation that I'm reading what I believe to be a Windows event log written by Splunk correctly.
These just started showing up this morning. We're getting a LOT of these and I'm trying to determine why.
Here's the log entry. My attempted translation is below.
03/22/2017 02:35:16 AM
LogName=Security
SourceName=Microsoft-Windows-Security-Auditing
EventCode=4663
EventType=0
Type=Information
ComputerName=fakehost.fakedomain.com
TaskCategory=Removable Storage
OpCode=Info
RecordNumber=1085737169
Keywords=None
Message=Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.
FormatMessage error:
Got the following information from this event:
fakehost$
fakedomain
Security
File
D:\Program Files\Splunk\var\lib\splunk\modinputs\WinEventLog\security
%%4417
%%4418
D:\Program Files\Splunk\bin\splunk-winevtlog.exe
Translation:
Windows -> "Access to an object was requested."
Windows -> "This is concerning Windows Server 2008"
Windows -> "On machine fakehost, which is part of domain fakedomain, something tried to write to... something. Specifically, something tried to append data to something."
Splunk -> "I have no idea how to translate the rest of the log. Something's busted."
My guess...
splunk-winevtlog.exe is the thing trying to do the writing. I don't know to where or what it's trying to write.
-- OR --
splunk-winevtlog.exe is the destination of where something is trying to write. I don't know what's doing the writing.
We're seeing a lot of this after this month's Windows update. Restarting the Splunk forwarder appears to have fixed it. We also changed the service start to "delayed".
See: https://answers.splunk.com/answers/200924/formatmessage-error-appears-in-indexed-message-for.html
There should be info in the _raw about
...Object Name: C:\some\file\location\name.ext ...
That's the item that was being touched. I see 4663's on successful touches of regbacks, dlls, exes and some other kinds of files. That may be the folder or file D:\Program Files\Splunk\var\lib\splunk\modinputs\WinEventLog\security.
You'll also see something like this...
... Access Request Information: Accesses: WriteAttributes ...
... Access Request Information: Accesses: WriteData (or AddFile) ...
... for what the person or process was trying to do.
Somewhere before that, there should be user information about who is doing the touching.
...Security ID: NT AUTHORITY\SYSTEM Account Name: HOSTNAME1$ Account Domain: MYDOMAIN$ ...
... Security ID: S-1-5-18 Account Name: HOSTNAME2$ Account Domain: MYDOMAIN$ ...
That's the person or persons you have to track down.
Also...
... Process Name: C:\some\file\location\name.exe ...
That's the job or executable or a name of a service that was doing the touching for the user id. Looks like maybe that was splunk-winevtlog.exe.
In essence, if I'm reading this right, splunk-winevtlog.exe is touching a file -- possibly a security file -- and the Windows system is generating an info-level security message about it. Which might be ironic, if the security event logging by Splunk is generating a security message.
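As an added example (not code from the question or from either answer, and not a Splunk-provided tool), here is a small Python helper that pulls out exactly the fields the answer above says to look for in a 4663 record: Security ID / Account Name / Account Domain (who), Object Name (what was touched), Process Name (what did the touching) and Accesses (how). It handles both the normally rendered message, which Splunk often flattens onto one line, and the "could not get the description" form from the question, where only the raw insertion strings survive. The `%%4417`/`%%4418` codes are the ones in the question's log; the rest of the code table is the standard set of file-access names Windows substitutes for those codes. The rendered sample event and the RegBack path in it are constructed for this example, and the assumption that the insertion strings keep their event order (first path is the object, last path is the process) is labelled in the code.

```python
import re

# Access-right insertion codes seen in 4663 "Accesses:" lists. The question's
# log carries %%4417 and %%4418; the others are the standard Windows names
# for the remaining file/directory access rights.
ACCESS_CODES = {
    "%%1537": "DELETE",
    "%%1538": "READ_CONTROL",
    "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER",
    "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData (or ListDirectory)",
    "%%4417": "WriteData (or AddFile)",
    "%%4418": "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4421": "Execute/Traverse",
    "%%4422": "DeleteChild",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

# Labels (section headers and field names) of a rendered 4663 message; they
# are used only to delimit one value from the next, so flattened text parses
# the same as the multi-line original.
LABELS = [
    "Subject", "Security ID", "Account Name", "Account Domain", "Logon ID",
    "Object", "Object Server", "Object Type", "Object Name", "Handle ID",
    "Resource Attributes", "Process Information", "Process ID", "Process Name",
    "Access Request Information", "Accesses", "Access Mask",
]
_ALT = "|".join(re.escape(label) for label in LABELS)
FIELD_RE = re.compile(
    rf"(?P<label>{_ALT}):\s*(?P<value>.*?)\s*(?=(?:{_ALT}):|\Z)", re.DOTALL
)
# One access entry: a raw %%code, or a name with its optional "(or ...)" tail.
ACCESS_TOKEN_RE = re.compile(r"%%\d+|[A-Za-z_/]+(?:\s*\([^)]*\))?")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\|^\\\\")
SPLUNK_MARKER = "Got the following information from this event:"


def decode_accesses(accesses: str) -> list:
    """Expand an Accesses value (rendered names or raw %%codes) into names."""
    names = []
    for token in ACCESS_TOKEN_RE.findall(accesses):
        if token.startswith("%%"):
            names.append(ACCESS_CODES.get(token, f"unknown access code {token}"))
        else:
            names.append(" ".join(token.split()))
    return names


def parse_rendered_4663(message: str) -> dict:
    """Who / what / which process / which accesses, from a rendered message."""
    fields = {}
    for m in FIELD_RE.finditer(message):
        fields.setdefault(m.group("label"), m.group("value"))
    return {
        "subject": f'{fields.get("Account Domain", "?")}\\{fields.get("Account Name", "?")}',
        "sid": fields.get("Security ID"),
        "object": fields.get("Object Name"),
        "process": fields.get("Process Name"),
        "accesses": decode_accesses(fields.get("Accesses", "")),
    }


def parse_splunk_format_error(message: str) -> dict:
    """Recover what survives in Splunk's 'could not get the description' form.
    Assumption: the insertion strings keep their event order, so the first
    Windows path is the object touched and the last is the touching process."""
    _, sep, tail = message.partition(SPLUNK_MARKER)
    if not sep:
        return {}
    lines = [ln.strip() for ln in tail.splitlines() if ln.strip()]
    codes = [ln for ln in lines if ln.startswith("%%")]
    paths = [ln for ln in lines if WIN_PATH_RE.search(ln)]
    accounts = [ln for ln in lines if ln.endswith("$")]  # machine/user accounts
    return {
        "subject": accounts[0] if accounts else None,
        "object": paths[0] if paths else None,
        "process": paths[-1] if len(paths) > 1 else None,
        "accesses": decode_accesses(" ".join(codes)),
    }


def explain_4663(message: str) -> dict:
    """Dispatch on whether Windows rendered the message or Splunk gave up."""
    if SPLUNK_MARKER in message:
        return parse_splunk_format_error(message)
    return parse_rendered_4663(message)


# The message body from the question, verbatim.
PAGE_EVENT = r"""Splunk could not get the description for this event. Either the component that raises this event is not installed on your local computer or the installation is corrupt.
FormatMessage error:
Got the following information from this event:
fakehost$
fakedomain
Security
File
D:\Program Files\Splunk\var\lib\splunk\modinputs\WinEventLog\security
%%4417
%%4418
D:\Program Files\Splunk\bin\splunk-winevtlog.exe"""

# A constructed rendered 4663, flattened onto one line the way Splunk shows it.
RENDERED_EVENT = (
    "An attempt was made to access an object. Subject: Security ID: S-1-5-18 "
    "Account Name: HOSTNAME1$ Account Domain: MYDOMAIN Logon ID: 0x3E7 "
    "Object: Object Server: Security Object Type: File "
    "Object Name: C:\\Windows\\System32\\config\\RegBack\\SYSTEM Handle ID: 0x1a4 "
    "Resource Attributes: - Process Information: Process ID: 0x4d8 "
    "Process Name: D:\\Program Files\\Splunk\\bin\\splunk-winevtlog.exe "
    "Access Request Information: Accesses: WriteData (or AddFile) "
    "AppendData (or AddSubdirectory or CreatePipeInstance) Access Mask: 0x6"
)

if __name__ == "__main__":
    for evt in (PAGE_EVENT, RENDERED_EVENT):
        print(explain_4663(evt))
```

Run against the question's own log, this reports `fakehost$` (the machine account) writing and appending to `D:\Program Files\Splunk\var\lib\splunk\modinputs\WinEventLog\security` from `D:\Program Files\Splunk\bin\splunk-winevtlog.exe`, which is the reading the last answer arrives at: the forwarder's own event-log input touching its checkpoint directory under a Removable Storage audit policy.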